
How to remove SNAT settings applied to an IPsec VPN tunnel

I set up an IPsec tunnel

and was advised to set the SNAT directly on the VPN tunnel.

This is quite restrictive, as it only supports one-to-one mappings.

After consulting the forums, it turns out you can get the old-style many-to-one mapping like in UTM

by adding a route in the console and then making a firewall-rule-linked SNAT rule.

The PROBLEM:

The mappings that were made under the IPsec tunnel SNAT settings persist after being removed

and OVERRIDE anything set otherwise in the FW / NAT settings.

How can I remove these? And shouldn't they actually be removed automatically when you turn off SNAT in the tunnel settings?

Thanks



  • Just to be sure, you do not have an expired Base License?

    You should maybe restart the tunnel as well, if you removed the NAT in IPsec.

  • Hello,

    you can't make any change on Sophos IPsec tunnels WITHOUT restarting the tunnel,

    so yes, the tunnel has been restarted several times.

    Anything new I add to my firewall-linked NAT rule works,

    just not the one server that was mapped in the tunnel config previously.

    We are fully licensed, using ssg hardware.

    Thanks

  • Check the base license, because if this license is expired, in certain scenarios the firewall will start to NAT everything.

    Otherwise I would recommend, if possible, recreating the tunnel if the NAT is still in place. You could check the packet capture in WebAdmin to verify which NAT rule is applied.

    And check if you have a NAT configured on the CLI: console> show advanced-firewall
