
How SNAT through existing IPSec tunnel - routing problem

Hello anyone,

I have the following problem:

I have a site-to-site IPSec VPN up and running between our SG120 and a customer's Cisco ASR router. However, I am not able to get my traffic through the tunnel.

The problem is - as I assume - that I was given an IP address from the customer that I should use as the source IP within the tunnel. This IP is from a public range (66.x.x.x). Now this IP is specified at my side as the local network for my IPSec definition. Otherwise the tunnel will not come up.

When I try to ping any IP on the remote side I don't receive a reply. Also the guy from the "other side" doesn't see any requests from my network through the tunnel. That is no wonder as a traceroute is going out to the internet.

How am I supposed to configure my UTM to send traffic for the destination through the tunnel with the given IP as source address?

Any help is appreciated.

Thanks

Daniel

  • First check if the traffic is NATted and will go into the tunnel.

    The easiest way to do that is a manual firewall rule for the tunnel traffic, with the rule set to log.

    Then open the debug window in the packet filter and check if traffic flows into the tunnel. You should also see the NATting in the debug.

    If that is all OK then yes... the other side needs to check their config again...

    greets

    zaphod
    ___________________________________________

    Home: Zotac CI321 (8GB RAM / 120GB SSD)  with latest Sophos UTM
    Work: 2 SG430 Cluster / many other models like SG105/SG115/SG135/SG135w/...

  • Also, you need an SNAT rule for every remote network you defined in your IPsec tunnel.

    It's not good practice to use groups here... I have seen configs with groups that did not work as expected... maybe a bug in UTM...

    greets

    zaphod

  • Hi zaphod,

    I have already configured multiple SNAT rules for each destination network. I just put only one screenshot here for simplicity.

    Also, I have an answer from the customer now, who told me that not all ports are open and ICMP is blocked, for example. Harhar... :-(

  • grmpf..... seems all problems are on the customer's side ;-)

    greets

    zaphod

  • Just a question: what do you mean by "then open debug window in paket-filter and check if traffic flow into the tunnel"? Is that the firewall log? I see that the NAT rule is applied, but I don't see if the traffic reaches the tunnel. How can I check that?

  • Yes, I mean the firewall live log.

    It depends on which rule you use... if automatic, then you can change the automatic rule to log the traffic.

    If you manually add the firewall rule for the tunnel traffic, then you have to enable logging there to see your traffic.

    greets

    zaphod

  • Thank you very much for your help. It turned out now that on our side everything is ok. I verified in a remote session with the customer that traffic generated for the remote network goes through the tunnel and reaches the other side but there is a problem over there. I consider it fixed on my side. :-)

  • No problem :-)

    Please mark this thread as answered...

    greets

    zaphod
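The point zaphod makes above (the SNAT has to happen first, and every remote network needs its own SNAT rule), as an added example that is not from this thread or from Sophos: a small Python model of how a policy-based IPsec gateway decides whether a packet enters the tunnel or takes the default route. The addresses are constructed (66.0.0.10 stands in for the assigned 66.x.x.x IP, 10.50.0.0/24 and 10.51.0.0/24 for the customer's remote networks, 192.168.1.0/24 for the local LAN).

```python
# Added example: model of outbound processing on a policy-based IPsec gateway.
# SNAT runs before the IPsec policy lookup, so the post-NAT source must lie inside
# the tunnel's "local network" and the destination inside a "remote network";
# otherwise the packet follows the normal default route and leaves unencrypted.
from ipaddress import ip_address, ip_network

# Tunnel definition on the UTM side (constructed values): the customer-assigned
# public address is the only "local network", so it must be the source after SNAT.
TUNNEL_LOCAL = ip_network("66.0.0.10/32")   # placeholder for the assigned 66.x.x.x IP
TUNNEL_REMOTE = [ip_network("10.50.0.0/24"), ip_network("10.51.0.0/24")]

# One SNAT rule per remote network, as the thread advises: (src match, dst match, new source).
SNAT_RULES = [
    (ip_network("192.168.1.0/24"), ip_network("10.50.0.0/24"), ip_address("66.0.0.10")),
    (ip_network("192.168.1.0/24"), ip_network("10.51.0.0/24"), ip_address("66.0.0.10")),
]


def apply_snat(src, dst, rules=SNAT_RULES):
    """Source address after the first matching SNAT rule; unchanged if none matches."""
    src, dst = ip_address(src), ip_address(dst)
    for src_match, dst_match, new_src in rules:
        if src in src_match and dst in dst_match:
            return new_src
    return src


def select_route(src, dst, rules=SNAT_RULES):
    """'ipsec' if the post-NAT packet fits a tunnel selector pair, else 'default' (internet)."""
    nat_src = apply_snat(src, dst, rules)
    dst = ip_address(dst)
    if nat_src in TUNNEL_LOCAL and any(dst in net for net in TUNNEL_REMOTE):
        return "ipsec"
    return "default"


if __name__ == "__main__":
    for dst in ("10.50.0.5", "10.51.0.5", "8.8.8.8"):
        print(dst, "->", select_route("192.168.1.10", dst))
    # With the second SNAT rule missing, 10.51.0.0/24 traffic silently takes the default
    # route even though the tunnel is up: exactly the symptom described in the thread.
    print("10.51.0.5 with only one SNAT rule ->",
          select_route("192.168.1.10", "10.51.0.5", SNAT_RULES[:1]))
```

Running it shows the two covered destinations entering the tunnel, internet traffic taking the default route, and the 10.51.0.0/24 packet falling back to the default route as soon as its SNAT rule is missing.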