Nat to logical host

You need a IPsec Route for NAT to work. See: docs.sophos.com/.../index.html

Useful thank, and I have added the route.

At the moment, outbound traffic is hitting my NAT rule and is now being routed over the ipsec interface, however I cannot create a dNAT rule, as the original traffic being received from the far end is to a virtual IP for the VPN only, I am unable to translate this back to the internal subnet as the XG goes not give me to the option to do so, you example doc shows the ability to translate to a single host only.

You should be able to build a DNAT like a normal NAT as well. You need to specify the NAT to match the traffic. 

I do not need a dNAT on this occasion. I am allowing access from a subnet. Like this;

LAN --- NAT to 1.1.1.1 --- VPN to FAR END.  - where 1.1.1.1 is a virtual IP and does not exist on the LAN and is simply for the VPN

and in return 

VPN HOST FAR END  ------ VPN ----- XG Host --- Nat back to LAN.

I think perhaps I need PAT.

This will not work. Because a 1:N NAT will not work. How should the appliance know, which DNAT it should translate to. 

Stateful firewall will keep the first NAT correct. Means that LAN to 1.1.1.1 will work, traffic back will be translated to the origin system. 

But if the VPN tries to reach something. like 1.1.1.1, which system should it reach? SNAT (MASQ) cannot work to a N basis. 

This will not work. Because a 1:N NAT will not work. How should the appliance know, which DNAT it should translate to. 

Stateful firewall will keep the first NAT correct. Means that LAN to 1.1.1.1 will work, traffic back will be translated to the origin system. 

But if the VPN tries to reach something. like 1.1.1.1, which system should it reach? SNAT (MASQ) cannot work to a N basis. 

Thanks for your reply.

All to One nat works fine for internet traffic.

All I am trying to do is NAT the LAN traffic to a single host to go over a VPN, nothing more.

I will open a case with Sophos and have them advise on the config required - will share.