Disclaimer: This information is provided as-is for the benefit of the Community. Please contact Sophos Professional Services if you require assistance with your specific environment.
Table of Contents
This applies to the following Sophos products and versions
Sophos Firewall v18, v19
Overview
This Recommended Read assumes you already have a working IPsec tunnel.
Note: This RR might also help you troubleshoot connectivity issues when the IPSec tunnel is UP but there are no replies to Pings or other types of connectivity.
When testing connectivity or due to some specific policies, we want traffic coming from the other end of the tunnel to be seen by our LAN devices as if the connection is coming from the XG itself.
By default traffic coming from the IPsec to the devices on the LAN will be seen by them with the original address used on the tunnel, which in some situations will cause some devices using Local Firewalls not to reply to this traffic as Local Firewall by security won't reply to IPs, not in the same Broadcast domain (Network range). Or in some scenarios for security reasons, you don't want your LAN to see traffic from a different subnet.
In these cases, it is an excellent idea to MASQUERADE the incoming IPsec traffic to the LAN, as if it were coming from the XG local interface.
What to do
In our scenario, we are receiving pings from 10.10.10.0/24 subnet, coming from the IPSec tunnel, destined to a computer on the LAN zone with IP 172.16.15.100
Our computer is responding because we have disabled the local Firewall of the computer, but maybe we don't want to do that or it is not an option to disable the Local Firewall.
What we can do at the XG level to resolve this is to MASQUERADE this traffic so the end device sees it as it was coming from the XG Interface where the device is connected to.
Our XG has an IP of 172.16.15.254 and the Computer 172.16.15.100, so we will configure the XG so that the traffic arriving at the Computer is MASQUERADE as 172.16.15.254.
How-To
1. Go to Rules and policies >> NAT Rules Add NAT rule >> Enter a name >> and configure the NAT rule as follows:
Translation settings
Original Source = Network configured as Remote Subnets in the IPsec configuration
Original Destination = ANY
Original Service = ANY
Translated source (SNAT) = MASQ
Translated destination (DNAT) = Original
Translated service (PAT) = Original
Interface matching criteria
Inbound interface = ANY
Outbound interface = Port1
Related Information:
Sophos XG Firewall: How to set a Site-to-Site IPsec VPN connection using a preshared key
Monitor traffic using Packet Capture Utility in the Sophos XG Firewall GUI
Regards,
Updated Disclaimer
[edited by: Erick Jan at 12:39 PM (GMT -7) on 17 Apr 2023]