
NAT to Subnet behind Remote RED because of same IP Ranges

Hello together,

We have an SG230 with currently 5 RED 15w devices connecting remote branch offices. This is working fine.

Currently we have 10.16.0.0/24 at headquarters and at each branch office a range like 10.16.20.0/24.
Now we need to integrate an existing network with existing devices at each branch. At each site we install an L3 switch and route between the subnets.

The problem is that this machine network has the same IP range, 192.168.34.0/24, at each branch office.

How can I solve this? I spent a lot of time testing destination NAT and 1:1 NAT from headquarters, but without success.

Perhaps someone can help me find the right way.

Thank you in advance.

Best regards,

Joachim



  • This is a real pain in the *ss. From where do you need to reach those "same" subnets? Do you need to reach each of these subnets from every other location?

    Please explain in more detail from where you need to access which subnets.


    Managing several Sophos firewalls both at work and at some home locations, dedicated to continuously improve IT-security and feeling well helping others with their IT-security challenges.

  • I want to reach these subnets mainly from the headquarters network 10.16.0.0/24.

    I thought I could define a virtual subnet, e.g. 10.17.20.0/24, and define a 1:1 translation into 192.168.34.0/24 on the remote side.

    Second, I have to route the subnet to the physical remote router 10.16.20.253.

    But it doesn't work.

    The connection/routing between the two subnets on the remote side is working fine.

  • Your DNAT (which is what "Ziel zuordnen" really is) will not work, since HQ doesn't know where to deliver this traffic. You are right that using NAT can be a solution in these cases, but this is usually done between two firewalls in an IPsec tunnel. Then you can put the "virtual" range inside the tunnel and use NAT rules to translate the virtual range back to the real range. I don't think this is possible using RED networking, since there is no device on the remote end that can translate the virtual range back to the real range.


    Managing several Sophos firewalls both at work and at some home locations, dedicated to continuously improve IT-security and feeling well helping others with their IT-security challenges.
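    The following Python model is an added illustration, not code or configuration from this thread or from Sophos. It walks through the two designs discussed above: the failed attempt, where the destination NAT from the virtual range to 192.168.34.0/24 happens at HQ, and the working one, where each branch gets a unique virtual /24 inside the tunnel and a NAT device at the branch translates virtual to real (and back for replies). The addresses, site names and function names are constructed for the example; 10.17.20.0/24 is the virtual range Joachim proposed, the other two virtual ranges are assumed.

```python
import ipaddress
from dataclasses import dataclass

# Constructed example values: every branch LAN really uses 192.168.34.0/24,
# and each branch is given its own "virtual" /24 that is unique WAN-wide.
REAL_LAN = ipaddress.ip_network("192.168.34.0/24")
VIRTUAL_RANGES = {
    "branch-a": ipaddress.ip_network("10.17.20.0/24"),  # from the thread
    "branch-b": ipaddress.ip_network("10.17.21.0/24"),  # assumed
    "branch-c": ipaddress.ip_network("10.17.22.0/24"),  # assumed
}


@dataclass(frozen=True)
class Packet:
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address


def map_1to1(addr, from_net, to_net):
    """1:1 (netmap) NAT: keep the host part, swap the network part."""
    if addr not in from_net:
        raise ValueError(f"{addr} is not inside {from_net}")
    if from_net.prefixlen != to_net.prefixlen:
        raise ValueError("1:1 NAT needs two networks of the same size")
    host_offset = int(addr) - int(from_net.network_address)
    return to_net.network_address + host_offset


def hq_route(dst):
    """HQ's routing decision: which tunnel does a destination belong to?
    Only the per-branch virtual ranges are in the table; the real LAN is
    not, because it is not unique. Returns None when nothing matches."""
    dst = ipaddress.ip_address(dst)
    for site, net in VIRTUAL_RANGES.items():
        if dst in net:
            return site
    return None


def branch_nat_inbound(site, pkt):
    """Rule on a NAT device at the branch: destination virtual -> real."""
    return Packet(pkt.src, map_1to1(pkt.dst, VIRTUAL_RANGES[site], REAL_LAN))


def branch_nat_outbound(site, pkt):
    """Rule on the same branch device for replies: source real -> virtual."""
    return Packet(map_1to1(pkt.src, REAL_LAN, VIRTUAL_RANGES[site]), pkt.dst)


def hq_side_dnat_attempt(hq_host, virtual_dst):
    """The thread's failed design: DNAT virtual -> real done at HQ.
    Returns (translated destination, the route HQ can still find for it)."""
    pkt = Packet(ipaddress.ip_address(hq_host), ipaddress.ip_address(virtual_dst))
    site = hq_route(pkt.dst)
    translated = Packet(pkt.src, map_1to1(pkt.dst, VIRTUAL_RANGES[site], REAL_LAN))
    # After translation the destination is 192.168.34.x, which matches no
    # tunnel: every branch owns that range, so HQ cannot pick one.
    return str(translated.dst), hq_route(translated.dst)


def round_trip_with_branch_nat(hq_host, virtual_dst):
    """Request HQ -> branch and the reply back, with NAT done at the branch.
    Returns (tunnel chosen by HQ, dst the branch host sees, src HQ sees)."""
    request = Packet(ipaddress.ip_address(hq_host), ipaddress.ip_address(virtual_dst))
    site = hq_route(request.dst)                    # unique, so HQ picks one tunnel
    at_branch = branch_nat_inbound(site, request)   # real LAN host receives it
    reply = Packet(at_branch.dst, at_branch.src)    # branch host answers
    reply_at_hq = branch_nat_outbound(site, reply)  # source put back to virtual
    return site, str(at_branch.dst), str(reply_at_hq.src)


if __name__ == "__main__":
    print(round_trip_with_branch_nat("10.16.0.10", "10.17.21.7"))
    print(hq_side_dnat_attempt("10.16.0.10", "10.17.20.5"))
```

    The point the model makes concrete: routing at HQ has to happen on an address that is unique across all sites, so the translation to the overlapping real range must take place after the routing decision, i.e. on a device at the branch end of the tunnel. A plain RED has no such NAT stage, which is why the thread ends up recommending a small firewall per site.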

  • Hi, Joachim, and welcome to the UTM Community!

    Like apijnappels says, this won't work without a router at the other end.  You would have had to have purchased an AP15 and an SG 115 with a Network Protection subscription instead of a RED 15 at each site, and that would have doubled your cost for the remote sites.  As it is, you're stuck with having to change the subnetting in four sites.

    Sorry to be the bearer of bad news along with apijnappels.

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Thank you for your reply.

    I was afraid of getting this confirmation.

    We will use different IP ranges in future offices, but have to find a solution for the existing 4 affiliates.

    Would the RED 50 be an option? I never used it before.

    But if I understand it correctly, I can define a second interface. There I can directly connect the 192.168.34.0 network and use the virtual network range with a 1:1 NAT on this interface.

    Will this work?

    Regards,

    Joachim


  • I'm afraid it also won't work with a RED 50. You could use a small UTM device (e.g. an SG 1x5) with the right license on it (Network Protection, I believe); then you can create a site-to-site connection to HQ and use NAT for these IP ranges.


    Managing several Sophos firewalls both at work and at some home locations, dedicated to continuously improve IT-security and feeling well helping others with their IT-security challenges.

  • That will not work.  Another solution would be to use an inexpensive PC with 2GB of RAM, at least a 60GB hard drive and two GB Ethernet ports.  You should compare that cost to an SG 105.  You could then use a Free Essentials License to create your Source and Destination NAT rules in each location.

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA