Hi,
We are using a Sophos UTM 120 in a remote office, with a site-to-site VPN with a Cisco ASA. I have a couple of NAT specific questions regarding this:
We got the site-to-site VPN working fine, however, we wanted to configure the UTM DNS service to forward specific domains to AD DNS servers. This wasn't working.
After working out that clients connecting either from the Cisco network to the UTM internal network, or clients on the UTM connecting to the Cisco network were fine, we looked at the UTM box for issues.
After doing some investigation, I found that the UTM was using the WAN IP as the source address for outgoing connections from itself to the VPN subnet. This meant that connections from its DNS server were failing to get to the AD DNS servers, and I couldn't ping servers from the UTM box on the Cisco network either.
After some head-scratching we managed to solve the issue; I just wonder whether it was the best solution, or if there is something else we needed to do:
We solved the issue by creating a SNAT rule as follows:
Traffic source: External WAN address
Traffic destination: a network definition containing the subnets of the Cisco network
Traffic service: Any
Source address: The UTM LAN-side address.
This works - we can now ping all the relevant hosts on the Cisco network from the UTM box, as well as access those hosts (i.e., DNS forwarders work).
My second question is regarding masquerading NAT. We have a couple of networks on the UTM box, such as the main office LAN, wireless networks, etc. Do I need a separate masquerading NAT entry for each network going out to the Internet, a single rule containing a network definition for each of the internal UTM networks, or something else? What is the best way of doing this?
Thanks for any advice offered.
Andrew.
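As an added illustration that is not part of the original post (a model of an ordered NAT table, not the UTM's NAT engine): the poster's SNAT rule for UTM-originated traffic, a NAT exemption that keeps tunnel traffic from internal clients un-translated, and a single masquerading rule over a group of internal networks, which is the "one rule with a network definition" option from the second question. All addresses are constructed documentation-range values, and the exemption rule is an assumption of the model, since the post does not say how the UTM treats tunnel traffic in masquerading; the accompanying check also shows that placing masquerading ahead of the exemption rewrites tunnel-bound client traffic to the WAN address.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, ip_address, ip_network
from typing import Optional

# Constructed addresses (RFC 5737 documentation ranges) standing in for the post's two sites.
UTM_WAN = ip_address("203.0.113.10")   # UTM external/WAN address
UTM_LAN = ip_address("192.0.2.1")      # UTM LAN-side address
CISCO_NETS = [ip_network("10.20.0.0/24"), ip_network("10.21.0.0/24")]        # subnets behind the ASA
INTERNAL_NETS = [ip_network("192.0.2.0/24"), ip_network("198.51.100.0/24")]  # office LAN + wireless

@dataclass
class NatRule:
    name: str
    src: list                        # original source must fall in one of these; [] = any
    dst: list                        # destination must fall in one of these; [] = any
    new_src: Optional[IPv4Address]   # rewrite source to this; None = leave unchanged (NAT exemption)

def in_any(nets, addr):
    return not nets or any(addr in n for n in nets)

def apply_nat(rules, src, dst):
    """Walk an ordered NAT table; first match wins. Returns (rule name, source after NAT)."""
    for r in rules:
        if in_any(r.src, src) and in_any(r.dst, dst):
            return r.name, (src if r.new_src is None else r.new_src)
    return None, src

RULES = [
    # The post's SNAT rule: UTM-originated traffic (which leaves with the WAN address) bound for
    # the Cisco subnets is rewritten to the LAN address, which the tunnel policy covers.
    NatRule("snat-utm-to-vpn", [ip_network(f"{UTM_WAN}/32")], CISCO_NETS, UTM_LAN),
    # Assumed exemption: tunnel traffic from internal clients keeps its real source address.
    NatRule("no-nat-vpn", INTERNAL_NETS, CISCO_NETS, None),
    # One masquerading rule over a group of all internal networks, not one rule per network.
    NatRule("masq-internet", INTERNAL_NETS, [], UTM_WAN),
]

def nat_for(src, dst, rules=RULES):
    """Convenience wrapper taking dotted-quad strings; returns (rule name, source as a string)."""
    name, new_src = apply_nat(rules, ip_address(src), ip_address(dst))
    return name, str(new_src)

if __name__ == "__main__":
    samples = [(str(UTM_WAN), "10.20.0.5"),           # UTM's own DNS forwarder query to an AD DNS server
               ("192.0.2.50", "10.21.0.7"),           # LAN client to a host behind the ASA
               ("198.51.100.9", "203.0.113.200")]     # wireless client to the Internet
    for s, d in samples:
        print(f"{s} -> {d}: {nat_for(s, d)}")
```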