Nat to logical host

Hi

I need to NAT my LAN traffic to a logical host which is placed inside a site-to-site VPN.

My VPN is established and I can see my NAT rule being hit, however the traffic is not traversing the VPN; it's following the default route out of the WAN.

As the host I am NATting to is not assigned to an interface, do I need to add a manual route to a VPN interface, as I would expect to do on an SRX for example?

Many Thanks



  • Hi Lee and welcome to the UTM Community!

    The routing should be handled automatically if the site-to-site is correctly configured.

    Please show a picture of the Edit of the NAT rule that's not doing what you want.  Also, tell us the target IP and show us the relevant SA (like SA:10.242.1.0/24=68.227.100.4854.209.14.114=52.28.19.239/32) on the 'Site-to-site VPN Tunnel Status' page.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi Bob.

    That is the NAT rule which, on a packet capture shows as being hit, as well as the relevant LAN to WAN ACL.

    The VPN is established between the two /32s (the far end and the one I am NATting to) and the SA is complete.

    I cannot locate a method of looking at the routing table on the device to see the entry that would have been created by bringing up the tunnel. Is that possible?

  • You have an XG (Sophos Firewall), Lee, not a UTM, so I'll move this thread to that community.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • You need an IPsec route for NAT to work. See: docs.sophos.com/.../index.html

    __________________________________________________________________________________________________________________

  • Useful, thanks, and I have added the route.

    At the moment, outbound traffic is hitting my NAT rule and is now being routed over the IPsec interface. However, I cannot create a DNAT rule: the original traffic being received from the far end is addressed to a virtual IP that exists for the VPN only, and I am unable to translate this back to the internal subnet, as the XG does not give me the option to do so. Your example doc shows the ability to translate to a single host only.

  • You should be able to build a DNAT like a normal NAT as well. You need to specify the NAT to match the traffic.

    __________________________________________________________________________________________________________________

  • I do not need a DNAT on this occasion. I am allowing access from a subnet, like this:

    LAN --- NAT to 1.1.1.1 --- VPN to FAR END, where 1.1.1.1 is a virtual IP that does not exist on the LAN and is simply for the VPN

    and in return 

    VPN HOST FAR END ------ VPN ----- XG Host --- NAT back to LAN.

    I think perhaps I need PAT.

  • This will not work, because a 1:N NAT will not work. How should the appliance know which DNAT it should translate to?

    The stateful firewall will keep the first NAT correct, meaning that LAN to 1.1.1.1 will work and traffic back will be translated to the origin system.

    But if the VPN tries to reach something like 1.1.1.1, which system should it reach? SNAT (MASQ) cannot work on an N basis.

    __________________________________________________________________________________________________________________

  • Thanks for your reply.

    All-to-one NAT works fine for internet traffic.

    All I am trying to do is NAT the LAN traffic to a single host to go over a VPN, nothing more.

    I will open a case with Sophos and have them advise on the config required. Will share.
