Site A-B (tunnel interface, route-based IPsec), Site B-C (policy-based IPsec): configure A to C

I have 3 sites (A, B, and C).

Site A: 172.16.16.0/24
Site B: 192.168.1.0/24
Site C: 10.23.1.0/24

Site A and B are both Sophos XG firewalls configured with a route-based IPsec tunnel interface between them.
Site C is remote and is outside our management scope. Site B and C are connected with a traditional policy-based IPsec tunnel.

I would like to connect from site A to site C where site B needs to NAT the traffic coming from A going to C.

I have already created a static route in Sophos Site A for 10.23.1.0/24 to be routed to the tunnel interface, just like the existing route to site B that was already configured.

I tried to configure a NAT rule in site B for traffic coming from 172.16.16.0/24 going to 10.23.1.0/24 to translate the source to an IP address in the 192.168.1.0 range, but this NAT rule doesn't seem to work, as no traffic is using this rule.

How can I achieve this?



  • Hi, thank you for reaching out to the Sophos community team. On Site B there is a policy-based IPsec tunnel with Site C, and if this tunnel does not contain the local LAN network of Site A in its tunnel network settings, then traffic from the Site A LAN to the Site C destination will not go over the VPN.

    In that case, you may update the Site B tunnel to include the Site A LAN in its local network, and vice versa at the Site C location add the Site A LAN to the remote LAN in the respective vendor's firewall.

    Another way you may try is adding a manual IPsec route on Site B for the Site C network destination, so the Site B XG will forward traffic for that destination over the VPN only (whether it comes from Site A or from Site B itself).

    Console command to add an IPsec route manually:

    Run the command below to add an IPsec route to a host destination.

    console> system ipsec_route add host <IP Address of host> tunnelname <tunnel>


    Currently, I suspect that your Site A traffic on Site B is not going over the VPN for the Site C network destination, and because of that your configured NAT rule is not coming into the picture.

    Regards,

    Vishal Ranpariya
    Technical Account Manager | Sophos Technical Support


  • Thank you, adding the ipsec_route to the network of site C (so system ipsec_route add net instead of add host) did the trick.

    For others seeking the same solution this is what I did:

    1) Create a static route in site A for the subnet of site C to go to the tunnel interface to site B
    2) In site B create a NAT rule for traffic from Net A going to Net C, changing the source to an IP address inside Net B
    3) Add a firewall rule in site B to allow the traffic from site A to site C
    4) Add the ipsec_route through the console at site B (system ipsec_route add net a.b.c.d/e.f.g.h tunnelname <tunnelname>) as shown above by Vishal_R.


    Managing several Sophos UTMs and Sophos XGs both at work and at some home locations, dedicated to continuously improving IT security and happy to help others with their IT security challenges.

    Sometimes I post some useful tips on my blog, see blog.pijnappels.eu/category/sophos/ for Sophos related posts.
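The following Python model of the Site B forwarding decision is an added illustration for this thread, not Sophos code or anything from the posts above: it reproduces Vishal_R's explanation (a policy-based tunnel only carries traffic matching its selectors unless an ipsec_route pins the destination) and the OP's steps 2 and 4 (SNAT plus ipsec_route). The three subnets are from the thread; the SNAT address 192.168.1.250, the hosts 172.16.16.10 and 10.23.1.20 and the tunnel name "B-to-C" are assumed.

```python
import ipaddress
from dataclasses import dataclass, field
# Subnets are from the thread; SNAT_ADDR, the hosts and the tunnel name are assumed.
SITE_A = ipaddress.ip_network("172.16.16.0/24")
SITE_B = ipaddress.ip_network("192.168.1.0/24")
SITE_C = ipaddress.ip_network("10.23.1.0/24")
SNAT_ADDR, HOST_A, HOST_C = "192.168.1.250", "172.16.16.10", "10.23.1.20"
@dataclass
class PolicyTunnel:
    name: str
    local: ipaddress.IPv4Network   # local traffic selector (Site B side)
    remote: ipaddress.IPv4Network  # remote traffic selector (Site C side)

@dataclass
class SiteB:
    tunnel: PolicyTunnel
    ipsec_routes: dict = field(default_factory=dict)  # dest net -> tunnel name
    snat: dict = field(default_factory=dict)          # (src net, dst net) -> new src

    def forward(self, src: str, dst: str) -> tuple[str, str]:
        """Return (outcome, source address as Site C would see it)."""
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        # Step 1: a policy-based tunnel only attracts traffic matching both
        # selectors, unless an ipsec_route pins the destination to the tunnel.
        pinned = any(d in net for net in self.ipsec_routes)
        if not (pinned or (s in self.tunnel.local and d in self.tunnel.remote)):
            return ("not-vpn", str(s))  # default route; the NAT rule is never hit
        # Step 2: source NAT, which only matters once the packet is VPN-bound.
        for (src_net, dst_net), new_src in self.snat.items():
            if s in src_net and d in dst_net:
                s = ipaddress.ip_address(new_src)
                break
        # Step 3: Site C only accepts packets inside the negotiated selectors.
        if s in self.tunnel.local and d in self.tunnel.remote:
            return ("vpn", str(s))
        return ("outside-selector", str(s))

TUNNEL_BC = PolicyTunnel("B-to-C", SITE_B, SITE_C)
NAT_A_TO_C = {(SITE_A, SITE_C): SNAT_ADDR}
def before() -> tuple[str, str]:
    """OP's first attempt: NAT rule configured, but no ipsec_route."""
    return SiteB(TUNNEL_BC, snat=NAT_A_TO_C).forward(HOST_A, HOST_C)

def route_only() -> tuple[str, str]:
    """ipsec_route added but no NAT rule: the source is outside Site C's selector."""
    return SiteB(TUNNEL_BC, ipsec_routes={SITE_C: "B-to-C"}).forward(HOST_A, HOST_C)

def after() -> tuple[str, str]:
    """Working setup: ipsec_route for Site C plus the NAT rule (OP's steps 2 and 4)."""
    return SiteB(TUNNEL_BC, {SITE_C: "B-to-C"}, NAT_A_TO_C).forward(HOST_A, HOST_C)
```

The three functions return the outcome for the OP's original attempt, for an ipsec_route without NAT, and for the combination that worked.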