
Sending Remote access traffic through Site-to-site VPN, with 1:1 nat translation

Hi,


I have searched for an answer to this, but am unable to find a result which includes a 1:1 NAT.

Here is the scenario: 

Remote User -(SSL Remote Access VPN)-> Sophos UTM 9 -(IPSEC Site-to-site VPN)-> Partner servers

We have a requirement for remote users to access the partner's servers. Our Remote Access VPN is on the default SSL VPN subnet (10.242.2.0/24), but our partner has the requirement that traffic is sent from the 10.156.1.0/24 subnet.

The site-to-site VPN is established and working, showing up at both ends. Local network on my end is set to be 10.156.1.0/24.
I have created a 1:1 NAT rule to change traffic from remote users, going to partner network, to map the source as 10.156.1.0/24. 
Automatic firewall rules have been set up for both the S2S VPN, and NAT rule.
I have added the Partner network to the local networks section in the Remote Access VPN setup. 


Here is my NAT Rule:

Rule Type: 1:1 NAT (whole networks)
Matching Condition
For Traffic from: VPN Pool (SSL)
Using service: Any
Going to: [Partner Network]
Action
1:1 NAT mode: Map source
Map to: [PartnerRequiredSource] - 10.156.1.0/24
Automatic Firewall Rule - Yes

My questions are:

1. First of all, is this possible? I see no reason as to why it would not be. 
2. Is the 1:1 NAT rule set up correctly?
3. Do I need a 1:1 Map Source NAT rule for traffic coming back? I have created this, but no success with this on or off. 

Thanks for reading, hope it all makes sense. 



  • Hi,

    Just a quick follow up...

    I presumed it was not working on my side as I set up two connections (this one and one without the 1:1 NAT Rule), and neither was working. It turns out configuration issues on the other ends of both tunnels were causing the connections not to work.

    So to answer my questions:

    1. Yes, it is possible
    2. The NAT Rule is set up correctly
    3. No, a 1:1 Map Source NAT rule is not needed for the connections to work

    Thanks

  • Hi Colin, and welcome to the UTM Community!

    What I understood from the above should not work. If it is working, please show us pictures of the Edits of the SSL VPN Profile, the IPsec Connection and Remote Gateway.

    Here's what I know works:

    IPsec: 10.159.1.0/24<->{your public IP}<--->{Partner's public IP}<->{Partner's Server subnet}
    SNAT : 10.242.2.2 -> Any -> {Partner's Server subnet} : from 10.159.1.2 Rule applies to IPsec packets
    SNAT : 10.242.2.6 -> Any -> {Partner's Server subnet} : from 10.159.1.6 Rule applies to IPsec packets
    Etc.

    Or, if no one is concerned about separate, specific IPs, just a single NAT rule:

    SNAT : 10.242.2.0/24 -> Any -> {Partner's Server subnet} : from 10.159.1.2 Rule applies to IPsec packets

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
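As an added illustration (not code from the thread, from Sophos, or from either poster), the following Python model shows what the two approaches above do to a packet's source address before it enters the IPsec tunnel: the original post's single 1:1 NAT rule (whole networks, map source), which keeps the host part of the SSL VPN client address and swaps the network prefix, and Bob's SNAT rules, which hide each client (or the whole pool) behind one chosen address. It also checks whether the post-NAT source fits the IPsec local network, which is the point of doing the NAT at all, and shows why no separate rule is needed for return traffic. The SSL VPN pool 10.242.2.0/24, the partner-required source 10.156.1.0/24 and Bob's 10.159.1.x addresses come from the thread; the partner server subnet 192.0.2.0/24 and the client/server addresses used in the demo are constructed placeholders, since the thread never names them.

```python
"""Model of UTM source NAT (1:1 whole-network vs SNAT) in front of an IPsec
tunnel.  Added example; the rule semantics follow the thread's descriptions,
the partner subnet and sample hosts are constructed."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import List, Optional, Union

# Values taken from the thread.
SSL_VPN_POOL = IPv4Network("10.242.2.0/24")             # UTM default SSL VPN pool
PARTNER_REQUIRED_SOURCE = IPv4Network("10.156.1.0/24")  # OP's IPsec local network
BOB_LOCAL_NET = IPv4Network("10.159.1.0/24")            # local network as written in Bob's reply
# Constructed placeholder: the thread never names the partner's server subnet.
PARTNER_NETWORK = IPv4Network("192.0.2.0/24")


@dataclass(frozen=True)
class NatRule:
    """One UTM NAT rule: the matching condition plus the source it maps to."""
    traffic_from: IPv4Network                # "For traffic from"
    going_to: IPv4Network                    # "Going to"
    mode: str                                # "1to1" (whole networks, map source) or "snat"
    map_to: Union[IPv4Network, IPv4Address]  # a network for 1:1, a single address for SNAT


def apply_rule(rule: NatRule, src: IPv4Address, dst: IPv4Address) -> Optional[IPv4Address]:
    """Return the translated source if the rule matches this packet, else None."""
    if src not in rule.traffic_from or dst not in rule.going_to:
        return None
    if rule.mode == "1to1":
        # 1:1 NAT keeps the host bits and swaps the prefix: 10.242.2.37 -> 10.156.1.37.
        if rule.map_to.prefixlen != rule.traffic_from.prefixlen:
            raise ValueError("1:1 NAT requires equally sized networks")
        offset = int(src) - int(rule.traffic_from.network_address)
        return IPv4Address(int(rule.map_to.network_address) + offset)
    if rule.mode == "snat":
        # SNAT hides every matching client behind the one chosen address.
        return rule.map_to
    raise ValueError(f"unknown NAT mode {rule.mode!r}")


def translate_source(src, dst, rules: List[NatRule]) -> IPv4Address:
    """First matching rule wins, as in the UTM rule table; no match leaves src untouched."""
    src, dst = IPv4Address(src), IPv4Address(dst)
    for rule in rules:
        mapped = apply_rule(rule, src, dst)
        if mapped is not None:
            return mapped
    return src


def fits_tunnel(src, dst, local_net: IPv4Network, remote_net: IPv4Network) -> bool:
    """An IPsec SA only carries packets whose (post-NAT) source lies inside the
    negotiated local network and whose destination lies inside the remote one."""
    return IPv4Address(src) in local_net and IPv4Address(dst) in remote_net


def untranslate_reply(reply_dst, rule: NatRule) -> Optional[IPv4Address]:
    """Return traffic is reversed from the same mapping, which is why the OP's
    third question (a separate rule for traffic coming back) is answered 'no'.
    Only the 1:1 case is modelled; SNAT needs the connection-tracking entry."""
    reply_dst = IPv4Address(reply_dst)
    if rule.mode != "1to1" or reply_dst not in rule.map_to:
        return None
    offset = int(reply_dst) - int(rule.map_to.network_address)
    return IPv4Address(int(rule.traffic_from.network_address) + offset)


# The original poster's single rule: 1:1 NAT (whole networks), map source.
OP_RULES = [NatRule(SSL_VPN_POOL, PARTNER_NETWORK, "1to1", PARTNER_REQUIRED_SOURCE)]

# Bob's per-client SNAT rules, one per SSL VPN client address.
BOB_PER_HOST = [
    NatRule(IPv4Network("10.242.2.2/32"), PARTNER_NETWORK, "snat", IPv4Address("10.159.1.2")),
    NatRule(IPv4Network("10.242.2.6/32"), PARTNER_NETWORK, "snat", IPv4Address("10.159.1.6")),
]
# Bob's alternative when nobody needs per-client addresses: the whole pool behind one.
BOB_SINGLE = [NatRule(SSL_VPN_POOL, PARTNER_NETWORK, "snat", IPv4Address("10.159.1.2"))]


def demo() -> dict:
    """Run one constructed client/server pair through each rule set."""
    client, server = "10.242.2.37", "192.0.2.10"   # constructed addresses
    op_mapped = translate_source(client, server, OP_RULES)
    return {
        "no_nat_fits_tunnel": fits_tunnel(client, server, PARTNER_REQUIRED_SOURCE, PARTNER_NETWORK),
        "op_mapped": str(op_mapped),
        "op_mapped_fits_tunnel": fits_tunnel(op_mapped, server, PARTNER_REQUIRED_SOURCE, PARTNER_NETWORK),
        "op_reply_unmapped": str(untranslate_reply(op_mapped, OP_RULES[0])),
        "bob_per_host": str(translate_source(client, server, BOB_PER_HOST)),
        "bob_single": str(translate_source(client, server, BOB_SINGLE)),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Running the file prints the untranslated client address failing the tunnel check, the 1:1-mapped address passing it and reversing cleanly for replies, and the two SNAT outcomes; note that with only Bob's two per-host rules a client at 10.242.2.37 is left untranslated, which is the case his single-rule alternative covers.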