NO NAT from ipsec0 to PortA (How can I disable the automatic NAT from ipsec0 to PortA?)

We currently have a problem with NAT.


We have an IPsec connection between two XGS.
We have no NAT.

When we send a packet from a client 192.168.17.7 at Site-A to 172.17.27.200, the packets are NATed to 172.17.9.210.


14:48:34.224568 ipsec0, IN: IP 192.168.17.7 > 172.17.27.200: ICMP echo request, id 1, seq 344, length 40
14:48:34.224658 PortA, OUT: IP 172.17.9.210 > 172.17.27.200: ICMP echo request, id 1, seq 344, length 40
14:48:34.225327 PortA, IN: IP 172.17.27.200 > 172.17.9.210: ICMP echo reply, id 1, seq 344, length 40


Wrong:

Client-Site-A (192.168.17.7) -> XGS-Site-A -> IPSEC -> XGS-Site-B -> Out over PortA (NAT to 172.17.9.210) -> ASA (in Source: 172.17.9.210)

Right:

Client-Site-A (192.168.17.7) -> XGS-Site-A -> IPSEC -> XGS-Site-B -> Out over PortA (NO NAT) -> ASA (in Source: 192.168.17.7)

Is this a bug?
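The capture above already contains the evidence of the translation: the echo request enters on ipsec0 with source 192.168.17.7 and leaves PortA with source 172.17.9.210 while keeping the same ICMP id/seq. The following script (an added example, not code from the post or from Sophos) parses tcpdump lines in that layout, pairs each inbound echo request with its outbound copy by id/seq, and reports every pair whose source address changed between the ingress and egress interface. The sample capture embedded below is a constructed copy of the three lines in the post.

```python
import re
from collections import defaultdict

# Constructed sample: the three tcpdump lines quoted in the post above.
SAMPLE_CAPTURE = """\
14:48:34.224568 ipsec0, IN: IP 192.168.17.7 > 172.17.27.200: ICMP echo request, id 1, seq 344, length 40
14:48:34.224658 PortA, OUT: IP 172.17.9.210 > 172.17.27.200: ICMP echo request, id 1, seq 344, length 40
14:48:34.225327 PortA, IN: IP 172.17.27.200 > 172.17.9.210: ICMP echo reply, id 1, seq 344, length 40
"""

# Matches the "<time> <iface>, <IN|OUT>: IP <src> > <dst>: ICMP echo <kind>, id N, seq N" layout
# that SFOS tcpdump prints; other packet types are skipped.
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<iface>\S+),\s+(?P<dir>IN|OUT):\s+IP\s+"
    r"(?P<src>[\d.]+)\s+>\s+(?P<dst>[\d.]+):\s+ICMP echo (?P<kind>request|reply),"
    r"\s+id (?P<id>\d+),\s+seq (?P<seq>\d+)"
)


def parse_capture(text):
    """Return one dict per recognised ICMP echo line."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            row = m.groupdict()
            row["id"] = int(row["id"])
            row["seq"] = int(row["seq"])
            rows.append(row)
    return rows


def find_snat(rows):
    """Pair each inbound echo request with the outbound copy carrying the same id/seq.

    If the destination is unchanged but the source differs, the firewall applied
    source NAT between the two interfaces; return one finding per such pair.
    """
    by_key = defaultdict(list)
    for r in rows:
        if r["kind"] == "request":
            by_key[(r["id"], r["seq"])].append(r)

    findings = []
    for (icmp_id, seq), pkts in by_key.items():
        inbound = [p for p in pkts if p["dir"] == "IN"]
        outbound = [p for p in pkts if p["dir"] == "OUT"]
        for i in inbound:
            for o in outbound:
                if i["dst"] == o["dst"] and i["src"] != o["src"]:
                    findings.append({
                        "id": icmp_id,
                        "seq": seq,
                        "in_iface": i["iface"],
                        "out_iface": o["iface"],
                        "original_src": i["src"],
                        "translated_src": o["src"],
                        "dst": i["dst"],
                    })
    return findings


if __name__ == "__main__":
    for f in find_snat(parse_capture(SAMPLE_CAPTURE)):
        print(f"SNAT {f['in_iface']} -> {f['out_iface']}: "
              f"{f['original_src']} became {f['translated_src']} towards {f['dst']} "
              f"(icmp id {f['id']}, seq {f['seq']})")
```

Feed it a longer `tcpdump -n` capture from the firewall and every translated flow shows up in one place, which is easier than reading interleaved IN/OUT lines by eye.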



  • Hi, thanks for sharing the detailed information and snapshot. I would suggest checking the live log viewer logs for "Firewall" during the ping to confirm which Rule ID and NAT ID are reflected there.



    If there is no clue from the log viewer entries, then check from the advanced shell via the commands below to see which Rule ID and NAT ID are reflected there.

    #conntrack -L -s 192.168.17.7

    OR

    #conntrack -L -d 172.17.27.200

    In the conntrack output you can confirm the fwid= and natid= values. The NAT ID should be 0 if no NAT rule matches. If a NAT rule is being matched, confirm whether it is the correct NAT rule, and if it is, the NAT action must be "no NAT" in place of MASQ or a custom IP within that NAT rule.

    Above is the validation part. Apart from that, you may also create a separate VPN-to-LAN firewall rule on top with a linked NAT rule (with no NAT action in that linked NAT rule), and that will probably also fix your problem.

    Regards,

    Vishal Ranpariya
    Technical Account Manager | Sophos Technical Support

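The reply above tells you what to look for in `conntrack -L` output but not how the line is laid out. As an added example (not code from the post, from the replier or from Sophos), the script below parses conntrack-tools lines, separates the original-direction tuple from the reply-direction tuple, and decides from those two tuples whether source or destination NAT was applied, then reports that next to the fwid=/natid= values so you can see whether a translation is backed by a NAT rule ID. The sample lines are constructed; the placement of the fwid= and natid= tokens within the line is an assumption for this example.

```python
import re

# Constructed sample lines in conntrack-tools 1.4.5 "conntrack -L" layout.
# The fwid=/natid= tokens are the SFOS fields mentioned in the reply above;
# where exactly they appear on a real line is an assumption for this example.
SAMPLE_CONNTRACK = """\
icmp     1 29 src=192.168.17.7 dst=172.17.27.200 type=8 code=0 id=1 src=172.17.27.200 dst=172.17.9.210 type=0 code=0 id=1 mark=0 fwid=3 natid=7 use=1
icmp     1 29 src=192.168.17.8 dst=172.17.27.200 type=8 code=0 id=2 src=172.17.27.200 dst=192.168.17.8 type=0 code=0 id=2 mark=0 fwid=3 natid=0 use=1
"""

KV_RE = re.compile(r"(\w+)=(\S+)")
TUPLE_KEYS = {"src", "dst", "sport", "dport", "type", "code", "id"}


def parse_entry(line):
    """Split one conntrack line into the original tuple, the reply tuple and
    the trailing per-flow fields.

    conntrack prints src=/dst= twice: the first pair is the original direction
    (what the client sent), the second pair is the reply direction (what the
    firewall expects back). NAT is visible as a mismatch between the two.
    """
    parts = line.split()
    if len(parts) < 3:
        return None
    orig, reply, extra = {}, {}, {}
    tuple_idx = -1
    for key, val in KV_RE.findall(line):
        if key == "src":
            tuple_idx += 1
        if key in TUPLE_KEYS:
            (orig if tuple_idx == 0 else reply)[key] = val
        else:
            extra[key] = val
    return {"proto": parts[0], "orig": orig, "reply": reply, "extra": extra}


def classify(entry):
    """Say whether the flow was source- or destination-NATed and which
    firewall rule / NAT rule IDs the entry carries."""
    orig, reply, extra = entry["orig"], entry["reply"], entry["extra"]
    snat = reply.get("dst") != orig.get("src")   # reply goes to a different host than the original source
    dnat = reply.get("src") != orig.get("dst")   # reply comes from a different host than the original destination
    return {
        "proto": entry["proto"],
        "orig_src": orig.get("src"),
        "orig_dst": orig.get("dst"),
        "translated_src": reply.get("dst") if snat else None,
        "snat": snat,
        "dnat": dnat,
        "fwid": int(extra.get("fwid", "0")),
        "natid": int(extra.get("natid", "0")),
    }


def audit(text):
    """Parse every line and return the classification of each flow."""
    results = []
    for line in text.splitlines():
        entry = parse_entry(line)
        if entry:
            results.append(classify(entry))
    return results


if __name__ == "__main__":
    for r in audit(SAMPLE_CONNTRACK):
        kind = "SNAT" if r["snat"] else ("DNAT" if r["dnat"] else "no NAT")
        print(f"{r['proto']} {r['orig_src']} -> {r['orig_dst']}: {kind} "
              f"(translated src {r['translated_src']}), fwid={r['fwid']} natid={r['natid']}")
```

Run it over saved `conntrack -L -s <client>` output; a flow reported as SNAT together with the natid it carries tells you directly which NAT rule to inspect, while SNAT with natid 0 means the translation did not come from a matched NAT rule. In the thread the command returned no entries at all, so this only helps once the flow actually appears in the table.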

  • Do both firewalls have a base license? Check the licensing status of both firewalls. If a license is deactivated (base license) or not registered, it will do NAT. 

    You can also do NAT with the CLI: support.sophos.com/.../KB-000035607


  • Hey Ranpariya, thanks for the fast response.

    SFVUNL_VM01_SFOS 19.0.0 GA-Build317# conntrack -L -s 192.168.17.7
    conntrack v1.4.5 (conntrack-tools): 0 flow entries have been shown.
    SFVUNL_VM01_SFOS 19.0.0 GA-Build317# conntrack -L -d 172.17.27.200
    conntrack v1.4.5 (conntrack-tools): 0 flow entries have been shown.
