
IPSEC TUNNEL MASQUERADING PROBLEM

Hello Community,

I want to set up an IPsec tunnel to an ISP.
Now the ISP does not want to push my complete address ranges through its tunnel, which is of course understandable.

I then came across masquerading, also called SNAT.
But somehow I have no idea how to go about it.
The tunnel itself is set up for the IP address of the Sophos and is up.
As the local subnet I used the IP 172.22.0.4 and as the remote network 192.128.2.0/24 (note: demo ranges, changed from the real ones).

Now to my problem, or rather my question: How do I tell my Sophos that requests to the 192.128.2.0/24 network should only be made from 172.22.0.4?
Somehow I'm completely stuck.
Support couldn't help me either and referred me to the community.

Kind regards
Franjo



  • Apologies for answering in English.

    I'm not quite sure I understand your current setup and where you use which IP-addresses, but what is quite usual is that addresses inside a tunnel need to be translated.

    Say your local address range is: 192.168.150.0/24 but you need to use 172.22.0.0/24 as the tunnel local address you then need to configure

    A DNAT rule for traffic arriving from the other side:

    Source: 192.168.2.0/24
    Destination: 172.22.0.0/24
    Translate destination to: 192.168.150.0/24 (you may only need to translate a few addresses and not 1:1 DNAT but the idea is the same)

    You also need a SNAT rule for traffic TO the other side:

    Source: 192.168.15.0/24
    Destination: 192.128.2.0/24
    Translate source to: 172.22.0.0/24

    Again if you only need to use 172.22.0.4 then you just add that as translated source instead of the whole /24 network and instead of 1:1 SNAT.

    Does that answer your question?


    Managing several Sophos firewalls both at work and at some home locations, dedicated to continuously improve IT-security and feeling well helping others with their IT-security challenges.
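    The two rule sets sketched in this reply (1:1 netmap for a whole /24, and hiding everything behind the single 172.22.0.4) as an added, constructed model; this is not Sophos code and not something posted in the thread. It uses the address ranges named above (LAN 192.168.150.0/24, tunnel-local 172.22.0.0/24, remote 192.128.2.0/24) and goes one step further than the reply by adding a minimal flow table, which shows why the single-address SNAT variant only serves connections started from the local side. The flow key ignores ports, which is an assumption made to keep the model short; a real firewall keys flows on ports as well.

```python
"""Model of tunnel NAT rules (constructed example, not firewall code).

Address ranges as used in the reply:
  LAN           192.168.150.0/24  real hosts behind the firewall
  tunnel-local  172.22.0.0/24     what the ISP agreed to see inside the tunnel
  remote        192.128.2.0/24    ISP side of the tunnel
"""
import ipaddress
from dataclasses import dataclass, field

IPv4 = ipaddress.IPv4Address
Net = ipaddress.IPv4Network


@dataclass(frozen=True)
class NatRule:
    kind: str           # "SNAT" rewrites the source, "DNAT" rewrites the destination
    src: Net            # match: packet source inside this network
    dst: Net            # match: packet destination inside this network
    translate_to: Net   # a /24 means 1:1 netmap, a /32 means a single address


def netmap(addr: IPv4, from_net: Net, to_net: Net) -> IPv4:
    """1:1 translation: keep the host part, swap the network part."""
    if from_net.prefixlen != to_net.prefixlen:
        raise ValueError("1:1 netmap needs equal prefix lengths")
    offset = int(addr) - int(from_net.network_address)
    return IPv4(int(to_net.network_address) + offset)


@dataclass
class NatTable:
    rules: list
    # (translated source, destination) -> original source; ports are omitted
    # (assumption), so two LAN hosts talking to the same remote host collide.
    conntrack: dict = field(default_factory=dict)

    def outbound(self, src: IPv4, dst: IPv4):
        """Packet leaving towards the tunnel: apply the first matching SNAT rule."""
        for r in self.rules:
            if r.kind != "SNAT" or src not in r.src or dst not in r.dst:
                continue
            if r.translate_to.num_addresses == 1:
                new_src = r.translate_to.network_address   # everything behind one address
            else:
                new_src = netmap(src, r.src, r.translate_to)  # 1:1
            self.conntrack[(new_src, dst)] = src
            return new_src, dst
        return src, dst   # no rule matched: traffic outside the tunnel is untouched

    def inbound(self, src: IPv4, dst: IPv4):
        """Packet arriving from the tunnel: reply to a tracked flow first, then static DNAT."""
        original = self.conntrack.get((dst, src))
        if original is not None:
            return src, original
        for r in self.rules:
            if r.kind != "DNAT" or src not in r.src or dst not in r.dst:
                continue
            if r.translate_to.num_addresses == 1:
                new_dst = r.translate_to.network_address
            else:
                new_dst = netmap(dst, r.dst, r.translate_to)
            return src, new_dst
        return src, dst   # no flow and no DNAT: the packet stays addressed to the tunnel IP


LAN = Net("192.168.150.0/24")
TUNNEL_LOCAL = Net("172.22.0.0/24")
REMOTE = Net("192.128.2.0/24")

# Variant A: the 1:1 pair of rules from the reply. The DNAT rule lets the
# remote side open connections to any translated address.
ONE_TO_ONE = NatTable([
    NatRule("DNAT", REMOTE, TUNNEL_LOCAL, LAN),
    NatRule("SNAT", LAN, REMOTE, TUNNEL_LOCAL),
])

# Variant B: the asker's case, the whole LAN hidden behind 172.22.0.4.
# Only the SNAT rule exists, so replies rely on the flow table.
SINGLE = NatTable([
    NatRule("SNAT", LAN, REMOTE, Net("172.22.0.4/32")),
])


if __name__ == "__main__":
    host, remote = IPv4("192.168.150.10"), IPv4("192.128.2.20")
    print("1:1 out  ", ONE_TO_ONE.outbound(host, remote))
    print("1:1 back ", ONE_TO_ONE.inbound(remote, IPv4("172.22.0.10")))
    print("single out", SINGLE.outbound(host, remote))
    print("single back", SINGLE.inbound(remote, IPv4("172.22.0.4")))
    print("unsolicited", SINGLE.inbound(IPv4("192.128.2.99"), IPv4("172.22.0.4")))
```

    Running it shows the practical difference: with the 1:1 pair, a packet from 192.128.2.5 to 172.22.0.33 reaches 192.168.150.33 even without a prior flow, while with the single-address variant an unsolicited packet to 172.22.0.4 has nothing to map it to a LAN host, so the remote side can only ever answer connections that the local side opened.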

  • Hello apijnappels,

    thx for your support :-)

    I will try your solution. Do I set up the DNAT and SNAT on the firewall as a "Business Application Rule"?

    Thank you in advance

  • I'm afraid I can't help you as well with that, since your screenshot shows an XG firewall instead of UTM (that is the subforum where you asked your question).

    You might want to ask your question here.


  • Oh, that's the wrong thread, my fault. Thank you