This discussion has been locked.

SDWAN/IPsec - Double NAT

I've seen a few topics regarding this but haven't found a solution yet. Quite a few of the remote offices I support are behind someone else's equipment that I have no control over. That, or a firewall is behind a terrible-no-good Frontier DSL modem. Either way, it's not a great setup, I know.

I've set up an SDWAN via Sophos Central between a test group of firewalls. Firewalls that either have static IPs or actually get an external IP from the ISP's modem via DHCP work perfectly. I can't seem to find the right combination of settings to get those troublesome double-nat'd, I'll call them "client" firewalls, to connect. I've tried setting both ends of the IPsec tunnel to "initiate connection" to having the client firewall set to that while the "main" firewall is set to "respond only." There are a lot of settings on these IPsec connection settings pages, so I just don't know what to fiddle with.

Has anyone else had luck getting something like this working?

Thanks!



This thread was automatically locked due to age.
  • Hello Ted,

    Thank you for contacting the Sophos Community.

    Is the connection being affected between NATed devices or a NAT device to a STATIC IP or External IP with DHCP? 

    If you don't use SDWAN Orchestration, does the connection work?

    Regards,


     
    Emmanuel (EmmoSophos)
    Technical Team Lead, Global Community Support
  • It seems to be working in the wide array of connections we have within our state, but if our firewall is behind someone else's firewall, that is where it falls on its face. Right now, I have a mix of static public WAN firewalls, DHCP public WAN firewalls, and both DHCP/static non-public WAN firewalls (those are the double-nat'd ones) where my firewall's WAN IP is the other entity's internal LAN.

    I haven't tried manually setting up the IPsec site-to-site as a test yet, but I can try that next week.
