
DNAT of IPSec traffic problem

172.25.0.117 


  • Hi, if you're using a site-to-site IPSEC tunnel, you should be able to add both networks to the configuration (local networks / remote networks) and it should 'just work' (as long as you have firewall rules allowing the traffic).

    Barry
  • Hi, bpopov, and welcome to the User BB!

    I think what Barry is saying is that a DNAT and a VPN Tunnel are two different solutions and don't work well together.  In general, your IPsec endpoint will not be visible to an IP in the tunnel on the other side.

    Please explain what you want to accomplish - I think it's a lot easier with the UTM than you expect.

    Cheers - Bob
     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Bob,

    The below may offer you a better idea of what we're thinking of doing. There are a couple of uplinks on local end and we wanted HOST_B (192.168.5.1) to be accessible via distinct PUB_IPs from the remote end, one for each link, the software knows to try both if either is unavailable. Any feedback is greatly appreciated.

        HOST_A          PUB_IP          GW_IP                       GW_IP             PUB_IP              HOST_B
    (172.25.0.117) - 60.67.25.117 - 60.67.56.147 - TUNNEL A -  98.97.182.82   -  98.97.182.89    - (192.168.5.1)
    (172.25.0.118) - 60.67.25.118 - 60.67.56.147 - TUNNEL A -  98.97.182.82   -  98.97.182.89    - (192.168.5.1)

    (172.25.0.117) - 60.67.25.117 - 60.67.56.147 - TUNNEL B -  203.130.128.98 -  203.130.128.101 - (192.168.5.1)
    (172.25.0.118) - 60.67.25.118 - 60.67.56.147 - TUNNEL B -  203.130.128.98 -  203.130.128.101 - (192.168.5.1)
  • Do you already have two VPN tunnels to which you want to add this?

    Are there really only two HOST_A IPs on the left side?  And only a single HOST_B IP on the right side?

    Are 98.97.182.82 and 203.130.128.98 IPs on external interfaces of the UTM, or are those the default gateways for the other IPs actually on the UTM?

    If you could do this with NAT and avoid VPNs altogether, would you?

    Cheers - Bob
     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Bob,

    It looks like the issue had to do with local service definitions having "interface" specified, when they shouldn't have, and a missing ACL on the other side. Once corrected, DNAT appears to work just fine on the packets arriving via IPSec.
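The pitfall described in the last post, as an added example that is not part of the thread and not Sophos UTM code: a small model of how a DNAT rule is, or is not, applied to a packet that reaches the firewall through an IPsec tunnel instead of on a WAN interface. The addresses are the ones posted above; the interface names (wan_a, wan_b, ipsec), the use of port 443, and the matching logic (a definition bound to an interface only matches traffic seen on that interface; the ACL is checked after DNAT against the translated destination) are assumptions made for illustration.

```python
# Added example (constructed, not from the thread or from Sophos): models why a
# DNAT rule whose public-IP definition is bound to the WAN interface never fires
# for traffic that arrives decapsulated from an IPsec tunnel, and why the
# translated destination still needs an ACL entry. Interface names, port 443 and
# the matching logic are assumptions for illustration.
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    in_iface: str          # interface the firewall sees the packet on


@dataclass(frozen=True)
class HostDef:
    """A host definition; binding it to an interface restricts where it matches."""
    address: str
    iface: Optional[str] = None     # None = not bound to any interface


@dataclass(frozen=True)
class DnatRule:
    going_to: HostDef       # original destination (the public IP)
    dport: int
    change_to: str          # internal host behind the firewall


@dataclass(frozen=True)
class AclEntry:
    src_net: str
    dst_net: str
    dport: int


def host_matches(defn: HostDef, addr: str, in_iface: str) -> bool:
    if ip_address(addr) != ip_address(defn.address):
        return False
    # Tunnel traffic is decapsulated and shows up on the IPsec interface, never on
    # the WAN interface that the public IP lives on, so an interface-bound
    # definition silently fails to match it.
    return defn.iface is None or defn.iface == in_iface


def apply_dnat(pkt: Packet, rules: list[DnatRule]) -> Packet:
    """Rewrite the destination with the first matching rule; untouched otherwise."""
    for rule in rules:
        if pkt.dport == rule.dport and host_matches(rule.going_to, pkt.dst, pkt.in_iface):
            return replace(pkt, dst=rule.change_to)
    return pkt


def acl_allows(pkt: Packet, acl: list[AclEntry]) -> bool:
    return any(
        ip_address(pkt.src) in ip_network(e.src_net)
        and ip_address(pkt.dst) in ip_network(e.dst_net)
        and pkt.dport == e.dport
        for e in acl
    )


def forward(pkt: Packet, rules: list[DnatRule], acl: list[AclEntry]) -> tuple[str, bool]:
    """Modelled as DNAT first, then the firewall rule lookup on the rewritten
    destination. Returns (final destination, allowed)."""
    nat = apply_dnat(pkt, rules)
    return nat.dst, acl_allows(nat, acl)


# Constructed traffic: HOST_A reaches PUB_IP 98.97.182.89 through tunnel A, so the
# UTM in front of HOST_B receives it on its IPsec interface.
FROM_HOST_A = Packet(src="172.25.0.117", dst="98.97.182.89", dport=443, in_iface="ipsec")

# Misconfiguration from the thread: public-IP definitions bound to the WAN
# interfaces, and no rule allowing the tunnel network to reach HOST_B.
BROKEN_RULES = [
    DnatRule(HostDef("98.97.182.89", iface="wan_a"), 443, "192.168.5.1"),
    DnatRule(HostDef("203.130.128.101", iface="wan_b"), 443, "192.168.5.1"),
]
BROKEN_ACL: list[AclEntry] = []

# Fix: interface-less definitions for both public IPs, plus an ACL entry for the
# remote network toward the translated address.
FIXED_RULES = [
    DnatRule(HostDef("98.97.182.89"), 443, "192.168.5.1"),
    DnatRule(HostDef("203.130.128.101"), 443, "192.168.5.1"),
]
FIXED_ACL = [AclEntry("172.25.0.0/24", "192.168.5.1/32", 443)]

if __name__ == "__main__":
    print("broken:", forward(FROM_HOST_A, BROKEN_RULES, BROKEN_ACL))  # ('98.97.182.89', False)
    print("fixed: ", forward(FROM_HOST_A, FIXED_RULES, FIXED_ACL))    # ('192.168.5.1', True)
```

With the broken configuration the packet keeps its public destination and is then dropped for lack of a matching rule; with the fix it is translated to HOST_B and allowed, and the same holds for the second public IP reached via tunnel B. A packet arriving on the WAN interface itself still matches the interface-bound definition, which is why the misconfiguration is easy to miss when only Internet-side access is tested.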