Connect external offices each others

Question

Hello All, We are migrating to Sophos SG330, I have some doubts because there is not corrispondence between Cisco Asa and Sophos. 
 I would like to permit to our branch offices to communicate each other. We use IPSEC VPN tunnel. I think I should create a natting rule between each of them, isn't right? In practice (is a example): 
 
 EXTERNAL OFFICE 1 HEADQUARTER EXTERNAL OFFICE 2 EXTERNAL OFFICE 3 192.168.XX.XX 10.36.YY.YY 192.168.ZZ.ZZ 172.16.XX.XX I need that Office 1 can reach Office 2 and Office 3 and viceversa, obviously all offices must speak with headquarter :-) Which Type of NAT I should use? Or, what should I do for let ours offices "talk"? 
 
 Thanks so much! Alessandro

sachingurung · Accepted Answer

Hi Alessandro, 
 Refer the guide here to configure IPSec on UTM. You need to add the remote networks in remote gateway configuration. 
 Thanks

zaphod · Answer

Hi Alessandro, 
 best is to avoid using NAT.. in your example you need nat so office 1 can speak to office 2. 
 best is here to fix your networks.. e.g. use 192.168.1.0/24 for office 1 and 192.168.2.0/24 for office 2. No nat needed then. 
 you need at least 3 ipsec-vpn-tunnels all from hq to the offices. 
 also you can define a full meshed network so you need 3 ipsec-vpn-tunnels from each location to the others... depends on your needs and rules.

zaphod · Answer

Hi, 
 - define transfer net on office 1, choose a network for you dont use.. eg. 172.16.90.0/24 
 - define SNAT on office 1 for traffic to office2 snatting to transfer net 
 - ipsec tunnel from office 1 to office 2 must use transfernet in definition. 
 then it is possible to communicate...