NO NAT from ipsec0 to PortA (How can i disable the automatic NAT from ipsec0 to PortA)

Question

We currently have a problem with NAT. 
 We have an IPSEC Connection beteween two XGS. We have no NAT 
 When we send a Paket from Site-A from an Client 192.168.17.7 to 172.17.27.200 the Pakets will be NAT to 172.17.9.210. 
 14:48:34.224568 ipsec0, IN: IP 192.168.17.7 > 172.17.27.200: ICMP echo request, id 1, seq 344, length 40 14:48:34.224658 PortA, OUT: IP 172.17.9.210 > 172.17.27.200: ICMP echo request, id 1, seq 344, length 40 14:48:34.225327 PortA, IN: IP 172.17.27.200 > 172.17.9.210: ICMP echo reply, id 1, seq 344, length 40 Wrong: 
 Client-Site-A (192.168.17.7) -> XGS-Site-A -> IPSEC -> XGS-Site-B -> Out over PortA (NAT to 172.17.9.210) - > ASA (in Source: 172.17.9.210 ) 
 Right: 
 Client-Site-A (192.168.17.7) -> XGS-Site-A -> IPSEC -> XGS-Site-B -> Out over PortA (NO NAT) -> ASA (in Source: 192.168.17.7) Is this an BUG?

LuCar Toni · Answer

Do both firewalls have a base license? Check the licensing status of both firewalls. If a license is deactivated (base license) or not registered, it will do NAT. 
 You can also do NAT with the CLI: support.sophos.com/.../KB-000035607

Vishal_R · Answer

Hi Markus Brunner Thanks for sharing the detailed information and snapshot. I would suggest checking live log viewer logs for "Firewall" during PING time to confirm which Rule ID and NAT ID reflecting there. If no clue from log viewer entry logs then try to check the advance shell connection via the below command to see which Rule ID and NAT ID reflecting there. #conntrack -L -s 192.168.17.7 OR #conntrack -L -d 172.17.27.200 In the conntrack you may confirm fwid= natid= value and NAT ID should be 0 if no matching NAT rule and if any matching NAT rule is getting marked confirmed is it correct NAT rule or not, and if it is correct NAT rule then NAT action must be no NAT in place of MASQ or custom IP within that NAT Rule. Above is the validation part and apart from that you may also create one separate VPN to LAN firewall rule on top with the linked NAT rule ( with no NAT action in that linked NAT rule) and probably that will also fix your problem.

NO NAT from ipsec0 to PortA (How can i disable the automatic NAT from ipsec0 to PortA)

Top Replies

Submitted a Tech Support Case lately from the Support Portal?