Guest User!

You are not Sophos Staff.

Thread Info
  • State Not Answered
  • Locked Locked
  • Replies 3 replies
  • Subscribers 1 subscriber
  • Views 1148 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

IPSec with NAT assistance

ctadrus
Having trouble with IPSec configuration.  Polices and keys don't seem to be the issue since  phase I is established but still having problems getting remote hosts to connect to local host.  

Scheme is this...

Remote Network domain = xx.yy.zz.0/27
Remote host(s) will connect to local host using ***.yyy.zzz.120
Local host is actually using address aaa.bbb.ccc.99 

So NAT is set to xx.yy.zz.0/27 > any service > ***.yyy.zzz.120 > DNAT > aaa.bbb.ccc.99 using auto firewall rules

I'm a end-user so log is not very helpful to me.  What am I missing?  

Thanks in advance for the help.


This thread was automatically locked due to age.
Parents
  • 0
    I think I speak for everyone when I say this scenario doesn't make a whole lot of sense.  If you are trying to establish an IPSec VPN between two sites with non-overlapping address space being the sources of 'interesting traffic' you should not need a DNAT rule of any sort.  The tunnel should allow you to route traffic to and from either side with NO translation.  Could you maybe try explaining why the DNAT rule is even there?

    Thanks,

    Chris
Reply
  • 0
    I think I speak for everyone when I say this scenario doesn't make a whole lot of sense.  If you are trying to establish an IPSec VPN between two sites with non-overlapping address space being the sources of 'interesting traffic' you should not need a DNAT rule of any sort.  The tunnel should allow you to route traffic to and from either side with NO translation.  Could you maybe try explaining why the DNAT rule is even there?

    Thanks,

    Chris
Children
No Data