
Source NAT on UTM 9

hi there,

I've been asked to look at setting up a VPN tunnel to another company.

As they have a lot of VPNs they specify a remote IP address for each 3rd party.
This is in the form 172.18.x.x/29
They suggest using source NAT with this.

Can anyone advise if this configuration is possible on a Sophos UTM 9? I have never set up a VPN in this way before.

Cheers,
H


  • I have to set this up too in a short while.
    I think the right way is to create a SNAT rule where your original IP-address is SNATTED to the 172.18.x.x/29 address.
    Traffic from: your own IP-addresses
    Using service: any (or a more restricted set of protocols)
    Going to: the IP-addresses on the remote site of the tunnel
    Change the source to: the specified 172.18.x.x/29 address.

    If you have a lot of clients where you have to do this (actually you have max. 8 IP-addresses with /29) you could perhaps also use 1:1 NAT with map source so you can catch it in just one rule.

    I think this should work as the UTM first does NAT before anything else. I think in this case however you need to specify the 172.18.x.x/29 as your local subnet in the VPN setup.

    Please let us know if this indeed does work as expected (then I know my thinking was good) [;)]

    Managing several Sophos UTMs and Sophos XGs both at work and at some home locations, dedicated to continuously improving IT-security and feeling good about helping others with their IT-security challenges.

    Sometimes I post some useful tips on my blog, see blog.pijnappels.eu/category/sophos/ for Sophos related posts.

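As an added illustration (not code from the thread or from Sophos), the following Python model walks through the two rule styles described in the answer above, the plain SNAT rule and the 1:1 "map source" variant, and checks the answer's caveat that the IPsec "local subnet" must be the 172.18.x.x/29 block because the tunnel policy sees the already-translated source. All concrete addresses are constructed placeholders, since the thread only gives "172.18.x.x/29".

```python
import ipaddress

# Constructed addresses: the thread gives only "172.18.x.x/29", so the local
# LAN, the remote site and the concrete /29 below are placeholders.
LOCAL_LAN = ipaddress.ip_network("192.168.10.0/24")    # "Traffic from"
REMOTE_SITE = ipaddress.ip_network("10.50.0.0/24")     # "Going to"
NAT_POOL = ipaddress.ip_network("172.18.0.8/29")       # block assigned by the peer
SNAT_ADDRESS = ipaddress.ip_address("172.18.0.9")      # "Change the source to" (one address)
LOCAL_1TO1 = ipaddress.ip_network("192.168.10.0/29")   # same size as NAT_POOL, needed for 1:1 NAT


def snat(src, dst):
    """Plain SNAT rule from the answer: everything from LOCAL_LAN to REMOTE_SITE
    leaves with a single source address taken from the /29. Returns the post-NAT
    source, or the unchanged source when the rule does not match."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if src in LOCAL_LAN and dst in REMOTE_SITE:
        return SNAT_ADDRESS
    return src


def map_source(src, dst):
    """1:1 NAT ("map source"): equal-sized networks, host offset preserved, so
    each of the 8 addresses in the /29 identifies exactly one internal host.
    Hosts outside the /29-sized local block are left untouched."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if src in LOCAL_1TO1 and dst in REMOTE_SITE:
        offset = int(src) - int(LOCAL_1TO1.network_address)
        return ipaddress.ip_address(int(NAT_POOL.network_address) + offset)
    return src


def tunnel_selects(post_nat_src, dst, ipsec_local, ipsec_remote=REMOTE_SITE):
    """NAT runs before the IPsec policy is consulted (as the answer states), so
    the *translated* source must lie inside the tunnel's configured local
    subnet; otherwise the packet is never sent through the tunnel."""
    return (ipaddress.ip_address(post_nat_src) in ipsec_local
            and ipaddress.ip_address(dst) in ipsec_remote)


if __name__ == "__main__":
    translated = snat("192.168.10.42", "10.50.0.7")
    print("post-NAT source:", translated)
    # local subnet = the /29 -> matches; local subnet = real LAN -> silently bypasses the tunnel
    print("tunnel matches with /29 as local subnet:", tunnel_selects(translated, "10.50.0.7", NAT_POOL))
    print("tunnel matches with LAN as local subnet:", tunnel_selects(translated, "10.50.0.7", LOCAL_LAN))
```

The second comparison in the usage section is the failure mode the answer warns about: with the real LAN configured as the tunnel's local subnet, the translated packet no longer matches the IPsec policy.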