
Help with a Nat between 2 external vpn.

Hello, I have this situation:

Our network: ip 10.10.10.0/24

External partner A: ip 10.20.20.0/24 (managed on another firewall, different from Sophos)

External Partner B: ip 10.20.20.0/24 (same IP range as partner A).

I have a vpn working with B and I'm creating the vpn with Partner A (that will nat his network with a free subnet).

- However, partner A also needs to access 1 server in the network of partner B (not the opposite) using our VPN.

- Partner A can hide his network in the VPN using a different subnet, e.g. 10.30.30.0/24

- Partner B cannot NAT his network with us.

Now, to solve this, I thought to reserve 1 IP address in our network and do a d-NAT with an s-NAT to allow Partner A to reach the server of partner B.

I explain: I can create an object in my firewall named NAT-Part-B and assign to it the (free) IP 10.10.10.200 of my network.

I would like to create a NAT rule telling my firewall that all the traffic coming from the (natted) network 10.30.30.0 of Partner A and going towards the IP 10.10.10.200 (NAT-Part-B) should be redirected onto the VPN with Partner B, but using as source the same IP of my network 10.10.100.200

So

Partner A (10.30.30.x) will send the packet through VPN A to my "natting ip" 10.10.0.200

The firewall should apply the NAT and send the packet through VPN B towards the destination server, but changing the source to the IP 10.10.10.200, as if the packet were coming from one real server in my network.

Then the packet should come back from the VPN with B and reach our firewall, which knows that the packet was originally sent by the server of partner A (10.30.30.x); so the firewall should take the packet and send it back to partner A through VPN A using the masquerading IP 10.10.10.200 instead of the real server IP of partner B.

Is it possible to realize a similar scenario using the NAT ability of the Sophos, or is there some other workaround?

What I see now, trying this, is that in the firewall log there is a violation, and I can see as source the IP of partner A (10.30.30.x) and as destination the real IP of the destination server, as if the NAT were working well, but something is missing for telling Sophos to accept the packet and send it through VPN B.

Thank you for your answers.

Kind regards,

Gianluigi
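The translation the post asks for is a hairpin between two tunnels: DNAT the reserved address to Partner B's real server, SNAT the source to that same reserved address, and undo both on the reply. The following stand-alone simulation is added here to show that state machine; it is not Sophos code and not the poster's configuration. Partner B's server address (10.20.20.50), the IPsec traffic selectors for the two tunnels (our 10.10.10.0/24 against each partner's range) and the translated port range are constructed assumptions. Running it with and without the SNAT step shows why a DNAT-only packet (source still 10.30.30.x, destination already the real server, exactly what the log in the post reports) matches no tunnel selector, while the fully translated packet fits VPN B on the way out and VPN A on the way back.

```python
import ipaddress
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int


# Constructed values for the scenario in the post. PARTNER_B_SERVER is an
# assumption: the post does not name the real address of Partner B's server.
OUR_NET = ipaddress.ip_network("10.10.10.0/24")
PARTNER_A_NATTED = ipaddress.ip_network("10.30.30.0/24")  # Partner A as seen in VPN A
PARTNER_B_NET = ipaddress.ip_network("10.20.20.0/24")
NAT_PART_B = "10.10.10.200"        # the reserved "natting ip" object
PARTNER_B_SERVER = "10.20.20.50"   # assumed real server behind VPN B

# Assumed IPsec traffic selectors (local, remote) for each tunnel.
TUNNELS = {
    "VPN A": (OUR_NET, PARTNER_A_NATTED),
    "VPN B": (OUR_NET, PARTNER_B_NET),
}


def pick_tunnel(pkt):
    """Return the tunnel whose selector covers both src and dst, or None."""
    s, d = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    for name, (local, remote) in TUNNELS.items():
        if s in local and d in remote:
            return name
    return None


class HairpinNat:
    """DNAT to Partner B's server plus SNAT to our reserved address."""

    def __init__(self, apply_snat=True):
        self.apply_snat = apply_snat
        self.table = {}          # translated sport -> (original src, original sport)
        self.next_port = 40000   # constructed port range for translated sources

    def outbound(self, pkt):
        """Packet arriving from VPN A addressed to NAT-Part-B."""
        if ipaddress.ip_address(pkt.src) not in PARTNER_A_NATTED or pkt.dst != NAT_PART_B:
            return pkt                                    # rule does not match: untouched
        pkt = replace(pkt, dst=PARTNER_B_SERVER)          # DNAT
        if not self.apply_snat:
            return pkt                                    # DNAT only: the case in the log
        tport, self.next_port = self.next_port, self.next_port + 1
        self.table[tport] = (pkt.src, pkt.sport)          # remember who asked
        return replace(pkt, src=NAT_PART_B, sport=tport)  # SNAT

    def inbound(self, pkt):
        """Reply arriving from VPN B addressed to our reserved address."""
        if pkt.src != PARTNER_B_SERVER or pkt.dst != NAT_PART_B:
            return pkt
        orig = self.table.get(pkt.dport)
        if orig is None:
            return None          # no state for this reply: drop it
        src, sport = orig
        # undo SNAT (dst -> Partner A host) and DNAT (src -> our reserved ip)
        return Packet(src=NAT_PART_B, dst=src, sport=pkt.sport, dport=sport)


def trace(apply_snat):
    """Run one request/reply through the firewall.

    Returns (translated request, tunnel for it, translated reply, tunnel for it).
    """
    nat = HairpinNat(apply_snat)
    req = Packet("10.30.30.7", NAT_PART_B, 51000, 443)   # constructed client packet
    out = nat.outbound(req)
    fwd_tunnel = pick_tunnel(out)
    if fwd_tunnel is None:
        return out, None, None, None                     # nothing carries it: dropped
    reply = Packet(out.dst, out.src, out.dport, out.sport)
    back = nat.inbound(reply)
    return out, fwd_tunnel, back, pick_tunnel(back)


if __name__ == "__main__":
    for snat in (False, True):
        print("SNAT applied:", snat, "->", trace(snat))
```

The reply direction only works because the firewall kept per-flow state (here the translated source port keyed to the original 10.30.30.x host and port); a DNAT rule alone has nothing to map the answer from 10.20.20.50 back to, which is the other reason the SNAT step cannot be left out.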


