Guest User!

You are not Sophos Staff.

Thread Info
  • State Suggested Answer
  • Locked Locked
  • Replies 4 replies
  • Answers 2 answers
  • Subscribers 27 subscribers
  • Views 1214 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

IPSEC TUNNELS AND SNAT RULES

neildonaldson

hi 

with UTM we had site to site tunnels and SNAT rules

on the sophos side i was able to create an snat rule

with severanl networks and hosts from our side and say sned them all down the tunnel behind 1 ip address in the range defined in the tunnel

we have migrated now to XG

all SNAT rules brought over from UTM do not work , our consultant tells us we have to define the SNAT rules directly in the ipsec tunnel set page

however  DNAT rules created in the normal place work fine

the  problem with creating NAT rules in the IPSEC tunnel setting is that 

all you can only do  1:n      full nat   or 1:1  

so following my setup from  UTM where i had 3 networks and 2 hosts in one range , i now find myself having to reconfigure the tunnel with 5 seperate networks or hosts.

first partner i talk to says his baracuda firewall cannot support hosts  ( /32) in the tunnel

is this all correct and this is "the way it is" ?  or am i missing something ?



This thread was automatically locked due to age.
Parents
  • 0

    You can do a SNAT with a Ipsec Route. See: docs.sophos.com/.../index.html

    __________________________________________________________________________________________________________________

  • 0 in reply to LuCar Toni

    hi Lucar

    thanks for the response,  with a standard policy based vpn tunnel are the rules not created automatically ?

    also i dont need DNAT only SNAT

    thanks

  • 0 in reply to neildonaldson

    Basically its not generated per default. You need to specifically tell the firewall, which destination network is behind this particular tunnel. Then create the NAT. 

    __________________________________________________________________________________________________________________

  • 0 in reply to LuCar Toni

    hello Lucar 

    quick update thanks for the input

    removed the  NAT rule on the tunnel 

    added the route in the console 

    enabled the linked snat rule on the firewall rule  and things work as before

    however there is a problem 

    the NAT rule on the tunnel that was removed is still applying, 

    even though it should not, and should now follow the rule set via the firewall rule 

    is this some sort of caching issue ?

    for example 

    i had one network  set in the tunnel snat  and  3 networks in the firewall snat plus that 1 thing for a total of 4 networks

    the 3 things in the firewall rule work , but the 4th thing still follows what was set in the ipsec tunnel and that has now been removed

Reply
  • 0 in reply to LuCar Toni

    hello Lucar 

    quick update thanks for the input

    removed the  NAT rule on the tunnel 

    added the route in the console 

    enabled the linked snat rule on the firewall rule  and things work as before

    however there is a problem 

    the NAT rule on the tunnel that was removed is still applying, 

    even though it should not, and should now follow the rule set via the firewall rule 

    is this some sort of caching issue ?

    for example 

    i had one network  set in the tunnel snat  and  3 networks in the firewall snat plus that 1 thing for a total of 4 networks

    the 3 things in the firewall rule work , but the 4th thing still follows what was set in the ipsec tunnel and that has now been removed

Children
No Data
Share Feedback
×

Submitted a Tech Support Case lately from the Support Portal?