URGENT: NAT traffic across IPsec VPN from same Subnet

LAN A 10.x.x.0/24
LAN B 192.168.11.0/24
LAN C 192.168.11.0/24

Currently LAN A has an IPsec VPN set up to LAN B which works fine, but now LAN C needs to be connected, and the network needs to use 192.168.137.0/29 across the new IPsec VPN.

I am new to Sophos, so bear with me.

LAN C has a Sophos UTM running 9.406-3 (not latest), and from what I have read I tested two sets of configuration with little success:

1. Add 'Additional Address of 192.168.137.0/29' under Interfaces ahead of maybe using a Masquerading Rule, but as I go to enter the new address I get "Interface address is invalid because it is a network or broadcast address of the network '192.168.137.0/29'."

2. Add 1:1 NAT rule on LAN C UTM to NAT LAN C 192.168.11.0/24 to LAN A 10.x.x.0/24 mapped as 192.168.137.0/29 but I get "Cannot create 1:1 NAT rule with networks of different sizes."

I am sure this is something stupid, so hoping someone can get back to me asap :)



This thread was automatically locked due to age.
  • You can use NAT to achieve what you want, basically what you do is the following:

    The best way would be to use a /24 network since that is also what you use locally. /29 is really small (only 8 addresses including broadcast and network address, so only 6 usable addresses). So 192.168.137.0/24 would be much easier.

    If you still must use /29, then know that you can only reach 6 IP addresses over the tunnel. If these are also 192.168.11.1 - 192.168.11.6 then you can simply create a network definition for this (192.168.11.0/29) and then you can use 1:1 NAT using this definition; otherwise you'll need to create separate NAT rules for every IP address that you use (so for a maximum of 6).

    On UTM LAN A

    Create a remote gateway with the 192.168.137.0/29 subnet and use that in site-2-site connection


    ON UTM LAN C

    Create an IPSec connection with 192.168.137.0/29 as local subnet

    Create DNAT rule(s) where you translate incoming traffic on 192.168.137.x to 192.168.11.x

    Create SNAT rule(s) where you change the source to 192.168.137.x for traffic from 192.168.11.x going to 10.x.x.x


    Managing several Sophos firewalls both at work and at some home locations, dedicated to continuously improve IT-security and feeling well helping others with their IT-security challenges.
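The address arithmetic behind the answer above, as an added worked example that is not part of the original thread and not Sophos UTM's own configuration format. It reproduces the two constraints the poster ran into (a network or broadcast address is never assignable; 1:1 NAT needs equally sized networks), derives the six usable /29 addresses, pairs LAN C hosts with pool addresses, and emits the matching DNAT/SNAT rule pairs. The rules are rendered in Linux iptables syntax purely as a generic router reference for what the UTM DNAT and SNAT rules do; 10.0.0.0/24 stands in for the redacted 10.x.x.0/24 and the chosen LAN C host addresses are assumptions.

```python
"""Added illustration of hiding an overlapping LAN (192.168.11.0/24 at LAN C)
behind a small NAT pool (192.168.137.0/29) for an IPsec tunnel to LAN A.
Not the thread's or Sophos's own code; see the lead-in for assumptions."""
import ipaddress

LAN_A = ipaddress.ip_network("10.0.0.0/24")       # assumed stand-in for 10.x.x.0/24
LAN_C = ipaddress.ip_network("192.168.11.0/24")   # LAN C, overlaps with LAN B
POOL = ipaddress.ip_network("192.168.137.0/29")   # what LAN A's side expects to see


def usable_hosts(net):
    """Assignable addresses: the network and broadcast addresses are excluded.
    This is why the UTM rejects 192.168.137.0 as an 'Additional Address'.
    A /29 yields exactly 6 usable addresses."""
    return list(net.hosts())


def one_to_one_pairs(local_block, pool):
    """1:1 NAT maps host i of one block to host i of the other, so both blocks
    must have the same prefix length (a /24 <-> /29 pairing is refused, as
    the UTM error message says). Returns (real, translated) host pairs."""
    if local_block.prefixlen != pool.prefixlen:
        raise ValueError(
            f"Cannot create 1:1 NAT rule with networks of different sizes: "
            f"{local_block} vs {pool}")
    return list(zip(local_block.hosts(), pool.hosts()))


def per_host_pairs(local_hosts, pool):
    """Arbitrary LAN C hosts (not necessarily .1-.6) each get one pool address;
    at most len(usable_hosts(pool)) hosts fit, i.e. 6 for a /29."""
    free = usable_hosts(pool)
    if len(local_hosts) > len(free):
        raise ValueError(f"{pool} only has {len(free)} usable addresses, "
                         f"{len(local_hosts)} hosts requested")
    return [(ipaddress.ip_address(h), p) for h, p in zip(local_hosts, free)]


def nat_rules(pairs, remote=LAN_A):
    """For each (real, translated) pair build the two rules the answer describes:
    DNAT for traffic arriving from LAN A to the pool address (rewrite the
    destination back to the real host) and SNAT for traffic from the real host
    to LAN A (rewrite the source to the pool address)."""
    rules = []
    for real, translated in pairs:
        rules.append(("DNAT", f"-s {remote} -d {translated}", f"--to-destination {real}"))
        rules.append(("SNAT", f"-s {real} -d {remote}", f"--to-source {translated}"))
    return rules


def render_iptables(rules):
    """Generic Linux rendering (assumption: a plain iptables router, not the
    UTM's native config). DNAT belongs in PREROUTING, SNAT in POSTROUTING."""
    chain = {"DNAT": "PREROUTING", "SNAT": "POSTROUTING"}
    return [f"iptables -t nat -A {chain[kind]} {match} -j {kind} {target}"
            for kind, match, target in rules]


if __name__ == "__main__":
    # Case 1: the hosts really are 192.168.11.1-6, so one 1:1 block mapping works.
    block = ipaddress.ip_network("192.168.11.0/29")
    for line in render_iptables(nat_rules(one_to_one_pairs(block, POOL))):
        print(line)
    # Case 2: scattered hosts (assumed addresses), one rule pair per host.
    scattered = ["192.168.11.10", "192.168.11.50"]
    for line in render_iptables(nat_rules(per_host_pairs(scattered, POOL))):
        print(line)
    # Case 3: the /24 <-> /29 attempt the poster made is rejected.
    try:
        one_to_one_pairs(LAN_C, POOL)
    except ValueError as err:
        print("rejected:", err)
```

Each pair yields one DNAT and one SNAT rule; with connection tracking the reply packets of a flow are translated back automatically, so both rules are only needed so that either side can initiate connections. Only hosts that received a pool address are reachable over the tunnel; anything else in 192.168.11.0/24 stays invisible to LAN A, which is the price of the /29.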
