This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

How to remove SNAT settings applied to an IPSSEC VPN tunnel

neildonaldson over 3 years ago

I set up an IPSEC tunnel

and was advised to set the SNAT directly on the VPN tunnel

this is quite restrictive as it only supports 1 to 1 mappings

after consulting the forums it turns our, you can get the old style many to one mapping like in UTM

by adding a route in the console then making a FW rule linked SNAT rule

the PROBLEM

the mappings that were made under the IPSEC tunnel SNAT settings persist after being removed

and OVERRIDE anything set otherwise in the FW /NAT settings

how can i remove these? and shouldnt they actually be removed automatically when you turn off SNAT in the tunnel settings ?

thanks

This thread was automatically locked due to age.

Parents

0 LuCar Toni over 3 years ago

Just to be sure, you do not have a expired Base License?

You should maybe restart the tunnel as well, if you removed the NAT in Ipsec.
Cancel
Vote Up 0 Vote Down

Cancel
0 neildonaldson over 3 years ago in reply to LuCar Toni

hello

you cant make any change on sophos ipsec tunnels WITHOUT restarting the tunnel

so yes the tunnel has been restarted several times

anything new i add to my firewall link nat rule works

just not the one server that was mapped in the tunnel config previously

We are fully licensed, using ssg hardware

thanks
Cancel
Vote Up 0 Vote Down

Cancel

Reply

0 neildonaldson over 3 years ago in reply to LuCar Toni

hello

you cant make any change on sophos ipsec tunnels WITHOUT restarting the tunnel

so yes the tunnel has been restarted several times

anything new i add to my firewall link nat rule works

just not the one server that was mapped in the tunnel config previously

We are fully licensed, using ssg hardware

thanks
Cancel
Vote Up 0 Vote Down

Cancel

Children

0 LuCar Toni over 3 years ago in reply to neildonaldson

Check the base license, because if this license is expired in certain scenario - the firewall will start to NAT everything.

Otherwise i would recommend, if possible, to recreate the tunnel, if the NAT is still in place. You could check the Packet capture in Webadmin to verify, which NAT rule is applied.

And check, if you have a NAT configured on CLI: console> show advanced-firewall
Cancel
Vote Up 0 Vote Down

Cancel
0 neildonaldson over 3 years ago in reply to LuCar Toni

license is "subscribed"

show advance-firewall is blank

the problem machine is using the correct firewall rule

all traffic should be natted behind 10.60.0.10

this problem machine is still trying to NAT using the 1:n rule

so it is trying to appear as 10.65.0.170 (this is the configuration that was on the ipsec tunnel)

show advanced-firewall is listing nothing
Cancel
Vote Up 0 Vote Down

Cancel
0 neildonaldson over 3 years ago in reply to neildonaldson

it has taken 2 weeks of being on xg to get this far to get the tunnels back to working (almost) as when we had UTM

i dont want to rebuild the tunnels if i can absolutely avoid it

have logged a support ticket i guess will have to wait for them
Cancel
Vote Up 0 Vote Down

Cancel
0 LuCar Toni over 3 years ago in reply to neildonaldson

What is in the packet capture?
Cancel
Vote Up 0 Vote Down

Cancel
0 neildonaldson over 3 years ago in reply to LuCar Toni

not a lot , if just shows 0 and 0 for fw rule and nat id

before the tunnel was reconfigured and the 10.65.x.x network was removed though, we confirmed this behaviour by ssh to the remote server and confirmed it was coming from the ip 10.65.0.170

is there anywhere else a rule table other than advanced-firewall

as this rule was set ON the ipsec tunnel

if i look at this ducment

Sophos Firewall: Route Sophos Firewall-initiated traffic through an IPSec VPN tunnel

that mentions the making of route and the advanced.firewall rule this is different to setting a 1:n policy directly on the tunnel is it not ?
Cancel
Vote Up 0 Vote Down

Cancel