
How to remove SNAT settings applied to an IPsec VPN tunnel

I set up an IPsec tunnel

and was advised to set the SNAT directly on the VPN tunnel.

This is quite restrictive as it only supports 1-to-1 mappings.

After consulting the forums it turns out you can get the old-style many-to-one mapping like in UTM

by adding a route in the console, then making a FW rule with a linked SNAT rule.

The PROBLEM:

The mappings that were made under the IPsec tunnel SNAT settings persist after being removed

and OVERRIDE anything set otherwise in the FW/NAT settings.

How can I remove these? And shouldn't they actually be removed automatically when you turn off SNAT in the tunnel settings?

Thanks



This thread was automatically locked due to age.
  • Just to be sure, you do not have an expired Base License?

    You should maybe restart the tunnel as well, if you removed the NAT in IPsec.

  • Hello,

    you can't make any change on Sophos IPsec tunnels WITHOUT restarting the tunnel,

    so yes, the tunnel has been restarted several times.

    Anything new I add to my firewall-linked NAT rule works,

    just not the one server that was mapped in the tunnel config previously.

    We are fully licensed, using SG hardware.

    Thanks

  • Check the base license, because if this license is expired, in certain scenarios the firewall will start to NAT everything.

    Otherwise I would recommend, if possible, to recreate the tunnel if the NAT is still in place. You could check the packet capture in WebAdmin to verify which NAT rule is applied.

    And check if you have a NAT configured on the CLI: console> show advanced-firewall

  • License is "subscribed".

    show advanced-firewall is blank.

    The problem machine is using the correct firewall rule.

    All traffic should be NATted behind 10.60.0.10.

    This problem machine is still trying to NAT using the 1:n rule,

    so it is trying to appear as 10.65.0.170 (this is the configuration that was on the IPsec tunnel).

    show advanced-firewall is listing nothing.

  • It has taken 2 weeks of being on XG to get this far, to get the tunnels back to working (almost) as when we had UTM.

    I don't want to rebuild the tunnels if I can absolutely avoid it.

    Have logged a support ticket; I guess I will have to wait for them.

  • What is in the packet capture? 


  • Not a lot, it just shows 0 and 0 for FW rule and NAT ID.

    Before the tunnel was reconfigured and the 10.65.x.x network was removed, though, we confirmed this behaviour by SSH to the remote server and confirmed it was coming from the IP 10.65.0.170.

    Is there anywhere else a rule table other than advanced-firewall,

    as this rule was set ON the IPsec tunnel?

    If I look at this document:

    Sophos Firewall: Route Sophos Firewall-initiated traffic through an IPSec VPN tunnel

    that mentions the making of a route and the advanced-firewall rule. This is different to setting a 1:n policy directly on the tunnel, is it not?
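The check the poster describes above (SSH to the remote server and see which address the client arrives as) is the quickest way to tell whether the expected many-to-one SNAT address (10.60.0.10 in this thread) or the stale per-tunnel 1:1 mapping (10.65.0.170) is being applied. The following is an added example, not code from the thread or from Sophos: it runs on the remote end of the tunnel, reads the client address that sshd exposes in SSH_CONNECTION, and compares it with the SNAT address you expect. The expected address, the EXPECTED_SNAT variable name and the sample server address 192.0.2.10 are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the thread or from Sophos). Run on the remote server
# inside an SSH session that came through the IPsec tunnel. sshd sets
# SSH_CONNECTION to "client_ip client_port server_ip server_port"; the first
# field is the address the firewall presented us with, i.e. the SNAT result.

# observed_source <ssh_connection_string>
# Prints the client address (first field) of an SSH_CONNECTION value.
observed_source() {
    printf '%s\n' "$1" | awk '{ print $1 }'
}

# check_snat <expected_snat_ip> <ssh_connection_string>
# Returns 0 when the peer is seen as the expected SNAT address, 1 otherwise,
# so it can be used in scripts or loops over several hosts.
check_snat() {
    expected="$1"
    seen=$(observed_source "$2")
    if [ "$seen" = "$expected" ]; then
        echo "OK: peer appears as $seen"
        return 0
    fi
    echo "MISMATCH: expected $expected but peer appears as $seen"
    return 1
}

# Stand-alone use. EXPECTED_SNAT is an assumed variable name; 10.60.0.10 is the
# address the thread expects all traffic to be NATted behind.
if [ -n "${SSH_CONNECTION:-}" ]; then
    check_snat "${EXPECTED_SNAT:-10.60.0.10}" "$SSH_CONNECTION"
fi
```

If the remote end reports the old 1:1 address even though the per-tunnel SNAT has been removed and the tunnel restarted, the translation is still happening on the firewall side and not in the linked NAT rule, which is what the packet capture's "0 and 0" for FW rule and NAT ID also suggests.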
