
Source NAT on UTM 9

hi there,

I've been asked to look at setting up a VPN tunnel to another company.

As they have a lot of VPNs they specify a remote IP address for each 3rd party.
This is in the form 172.18.x.x/29
They suggest using source NAT with this.

Can anyone advise if this configuration is possible on a Sophos UTM 9? I have never setup a VPN in this way before.

Cheers,
H


  • I have to set this up too in a short while.
    I think the right way is to create a SNAT rule where your original IP-address is SNATed to the 172.18.x.x/29 address.
    Traffic from: your own IP-addresses
    Using service: any (or a more restricted set of protocols)
    Going to: the IP-addresses on the remote site of the tunnel
    Change the source to: the specified 172.18.x.x/29 address.

    If you have a lot of clients where you have to do this (actually you have max. 8 IP-addresses with /29) you could perhaps also use 1:1 NAT with map source so you can catch it in just one rule.

    I think this should work as the UTM first does NAT before anything else. I think in this case however you need to specify the 172.18.x.x/29 as your local subnet in the VPN setup.

    Please let us know if this indeed does work as expected (then I know my thinking was good) [;)]

    Managing several Sophos UTMs and Sophos XGs both at work and at some home locations, dedicated to continuously improve IT-security and feeling well helping others with their IT-security challenges.

    Sometimes I post some useful tips on my blog, see blog.pijnappels.eu/category/sophos/ for Sophos related posts.
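    The reply above describes the order of operations that makes this work: the SNAT rule rewrites the source first, and only then is the packet matched against the IPsec connection's local/remote subnets. The following is an added example (not from the thread and not Sophos code) that models that order in plain Python so you can check a planned rule set before touching the firewall. All addresses are constructed: 10.0.0.0/24 stands for the local LAN, 172.18.10.0/29 for the /29 the partner allocated (the thread only gives 172.18.x.x/29), and 192.168.100.0/24 for the partner's subnet behind the tunnel. The handling of the "Rule applies to IPsec packets" checkbox is a simplified assumption, not a description of the UTM internals.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed example addresses (not from the thread; the real partner range was 172.18.x.x/29):
LAN = ipaddress.ip_network("10.0.0.0/24")             # our internal hosts
PARTNER_POOL = ipaddress.ip_network("172.18.10.0/29")  # assumed /29 the partner allocated to us
REMOTE = ipaddress.ip_network("192.168.100.0/24")      # partner hosts reachable through the tunnel


@dataclass
class SnatRule:
    """One UTM-style SNAT rule: Traffic from / Going to / Change the source to."""
    traffic_from: ipaddress.IPv4Network
    going_to: ipaddress.IPv4Network
    change_source_to: ipaddress.IPv4Network
    applies_to_ipsec: bool = True   # the "Rule applies to IPsec packets" checkbox
    _mapping: Dict[ipaddress.IPv4Address, ipaddress.IPv4Address] = field(
        default_factory=dict, init=False, repr=False)

    def matches(self, src: ipaddress.IPv4Address, dst: ipaddress.IPv4Address) -> bool:
        return src in self.traffic_from and dst in self.going_to

    def translate(self, src: ipaddress.IPv4Address) -> ipaddress.IPv4Address:
        """Map each internal host to the next free pool address (1:1, like a map-source rule).

        A /29 holds 8 addresses; .hosts() leaves out the network and broadcast address,
        so at most 6 internal hosts get a 1:1 mapping before the pool runs out.
        """
        if src not in self._mapping:
            pool = list(self.change_source_to.hosts())
            if len(self._mapping) >= len(pool):
                raise RuntimeError(f"SNAT pool {self.change_source_to} exhausted")
            self._mapping[src] = pool[len(self._mapping)]
        return self._mapping[src]


@dataclass
class IpsecPolicy:
    """Local and remote networks configured on the IPsec connection."""
    local_net: ipaddress.IPv4Network
    remote_net: ipaddress.IPv4Network

    def selects(self, src: ipaddress.IPv4Address, dst: ipaddress.IPv4Address) -> bool:
        return src in self.local_net and dst in self.remote_net


def forward(src: str, dst: str, rules: List[SnatRule], policy: IpsecPolicy) -> Tuple[str, bool]:
    """Simulate the UTM order of operations: SNAT first, then the IPsec selector.

    Returns (source address as seen by the remote side, whether the packet entered the tunnel).
    Assumed simplification: a rule without "applies to IPsec packets" is skipped for traffic
    the tunnel would otherwise carry, so such traffic reaches the selector untranslated.
    """
    s = ipaddress.ip_address(src)
    d = ipaddress.ip_address(dst)
    for rule in rules:
        if not rule.matches(s, d):
            continue
        if not rule.applies_to_ipsec and d in policy.remote_net:
            continue
        s = rule.translate(s)
        break
    return str(s), policy.selects(s, d)


if __name__ == "__main__":
    rule = SnatRule(LAN, REMOTE, PARTNER_POOL)
    ok = IpsecPolicy(PARTNER_POOL, REMOTE)   # local subnet = the /29, as the reply suggests
    wrong = IpsecPolicy(LAN, REMOTE)         # local subnet = real LAN: never matches after SNAT
    print(forward("10.0.0.5", "192.168.100.20", [rule], ok))     # ('172.18.10.1', True)
    print(forward("10.0.0.5", "192.168.100.20", [rule], wrong))  # ('172.18.10.1', False)
    print(forward("10.0.0.5", "8.8.8.8", [rule], ok))            # ('10.0.0.5', False)
```

The second call shows the failure mode the reply warns about: if the connection's local subnet is still the real LAN, the translated packet no longer matches the selector and never enters the tunnel. The third call shows why "Going to" should be the remote subnet only, so ordinary Internet traffic is left alone.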

  • Hi, if you mean for the systems inside your firewall, then you can do a SNAT.

    Balfson has lots of posts about NAT'ing VPNs... 
    https://www.google.com/search?q=snat+OR+nat+vpn+balfson+site%3Aastaro.org

    Barry
  • Hi, I don't think doing it on the external interface is a good idea, then how is the remote end going to respond?

    Also, responsible ISPs won't allow those addresses onto the internet.

    Barry
  • If you specify "Going to" to be the remote subnet of the tunnel, wouldn't UTM route it into the tunnel instead of to the external interface?

  • Hi,

    I think that'd break the VPN traffic.

    I believe an SNAT for the LAN/DMZ hosts should have the desired effect, and probably be less confusing.

    Barry
  • Just tried this on another VPN-tunnel I have running and it seems to work as I wrote above.
    When selecting SNAT under Advanced you can (and must) select "Rule applies to IPsec packets" otherwise it doesn't work.

    In fact I think we are talking about the same, SNATting the LAN addresses to the specified addresses that the other party requests to use.

  • The other trick is that you can't have 'Strict routing' selected for an IPsec tunnel.

    Cheers - Bob
     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA