SSL Site-to-Site SNAT not working

Hello,

I have two Sophos, SG125 and home-built, one at home and one at work.

I either connect with RemoteSSL from my client to work, or I establish a Site-to-Site between home and work. SG125 at work is a "server", home Sophos is a "client".

I am using SNAT to translate SSL-Pool to an Internal Network at work, because otherwise I can't access one further router.

It seems that the SNAT rule works with RemoteSSL (I check that by simply turning the rule on/off), but doesn't work with SSL Site-to-Site. Can it be? Or is there some other setting that might cause the problem?

Btw, tried with IPsec S2S, same outcome.

Any ideas please?

Thank you.

  • I know this works with IPsec, but haven't tried it with the SSL VPN site-to-site.

    Please show pictures of the SSL Server Connection and the relevant NAT rules on both sides.  Also, a simple stick diagram that shows the real IPs on each side.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • What happens if you add a NAT rule like the following?

    SNAT : Home Network -> Any -> {network group} : from Internal (Address)

    Cheers - Bob
    PS Rather than NATs, I would have preferred to add routes in the other router to "Home Network" and "VPN Pool (SSL)".

  • Thank you, that worked out. I certainly forgot that in S2S the correct entry is indeed my home-network, and not the VPN-Pool. I actually went (for the first time ever) and looked into tracing packets, and finally ended up doing tcpdump, which quickly revealed to me what's wrong - and that you were right.

    Now, what's the thing with Routes, can you elaborate that a little bit better please? I don't think I can solve the translation into other network without doing NAT...?
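
As an added illustration (not part of the original thread and not Sophos code), here is a small Python model of what the tcpdump check above reveals. It parses constructed tcpdump lines as the office UTM would show them on its tunnel interface, then evaluates UTM-style SNAT rules against the source addresses seen. With remote-access SSL the packets carry a "VPN Pool (SSL)" address, so a rule keyed on the pool matches; with a site-to-site tunnel the packets carry the home LAN address, so the same rule never fires and the traffic reaches the further router untranslated. All addresses, rule names and the target network are assumptions chosen for the example; the service column of the UTM rule is omitted and treated as Any.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample tcpdump -n output (not from the original thread), modelled on
# what the office UTM shows on its tunnel interface in the two scenarios.
REMOTE_ACCESS_CAPTURE = """\
12:01:03.117263 IP 10.242.2.6.52110 > 172.16.50.10.22: Flags [S], seq 10, win 64240, length 0
12:01:03.117901 IP 10.242.2.6.52111 > 172.16.50.10.443: Flags [S], seq 11, win 64240, length 0
"""

SITE_TO_SITE_CAPTURE = """\
12:05:41.220184 IP 192.168.77.20.41002 > 172.16.50.10.22: Flags [S], seq 20, win 64240, length 0
12:05:41.220730 IP 192.168.77.31.41003 > 172.16.50.10.443: Flags [S], seq 21, win 64240, length 0
"""

# Default tcpdump -n line shape for IPv4 TCP/UDP: "<ts> IP a.b.c.d.port > e.f.g.h.port:"
TCPDUMP_RE = re.compile(
    r"^\S+ IP (?P<src>\d{1,3}(?:\.\d{1,3}){3})\.\d+ > (?P<dst>\d{1,3}(?:\.\d{1,3}){3})\.\d+:"
)


def parse_tcpdump(text):
    """Return a list of (src, dst) address pairs, one per parsable tcpdump line."""
    flows = []
    for line in text.splitlines():
        m = TCPDUMP_RE.match(line)
        if m:
            flows.append((ipaddress.ip_address(m["src"]), ipaddress.ip_address(m["dst"])))
    return flows


@dataclass(frozen=True)
class SnatRule:
    """UTM-style SNAT rule: for traffic source -> destination, rewrite source to translate_to."""
    name: str
    source: ipaddress.IPv4Network
    destination: ipaddress.IPv4Network
    translate_to: ipaddress.IPv4Address

    def matches(self, src, dst):
        return src in self.source and dst in self.destination


def first_match(rules, src, dst):
    """Rules are evaluated top-down; the first hit wins, as in the UTM NAT table."""
    for rule in rules:
        if rule.matches(src, dst):
            return rule
    return None


def unmatched_sources(rules, flows):
    """Source addresses in the capture that no SNAT rule would translate."""
    return {src for src, dst in flows if first_match(rules, src, dst) is None}


TARGET_NET = ipaddress.ip_network("172.16.50.0/24")   # assumed: network behind the further router
INTERNAL_ADDR = ipaddress.ip_address("192.168.1.1")   # assumed: office UTM "Internal (Address)"

# The rule from the original post: keyed on the SSL remote-access pool (assumed 10.242.2.0/24).
RULE_POOL = SnatRule("pool", ipaddress.ip_network("10.242.2.0/24"), TARGET_NET, INTERNAL_ADDR)
# Bob's suggestion: keyed on the home LAN (assumed 192.168.77.0/24), which is what a
# site-to-site tunnel actually carries as the source address.
RULE_HOME = SnatRule("home", ipaddress.ip_network("192.168.77.0/24"), TARGET_NET, INTERNAL_ADDR)

if __name__ == "__main__":
    for label, capture in (("remote access", REMOTE_ACCESS_CAPTURE), ("site-to-site", SITE_TO_SITE_CAPTURE)):
        for src, dst in parse_tcpdump(capture):
            hit = first_match([RULE_POOL], src, dst)
            verdict = f"SNAT via rule '{hit.name}' to {hit.translate_to}" if hit else "no SNAT, source left untranslated"
            print(f"{label}: {src} -> {dst}: {verdict}")
```

Running it with only RULE_POOL prints the translation for the remote-access flows and "no SNAT" for the site-to-site flows; adding RULE_HOME to the rule list makes both captures match, which is the change Bob proposed.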

  • One of the unwritten rules here is "one topic per thread" - that's to make it easier for future members to find an answer to a question that's already been answered without starting a new thread.  Please ask your second question in this or the Network Protection forum.

    Cheers - Bob

  • Didn’t you suggest an alternative solution above about adding routes instead of nat? I merely didn’t understand it.

Yeah, sorry, I'd forgotten that and I was also thinking about a RED tunnel solution I did recently.  In fact, assuming that the further router at work has the SG 125 as its default gateway and that the UTM already has a route to the subnet behind the further router, no additional routes or NATs should be required...

    When working with two UTMs connected with a site-to-site, I change the "VPN Pool (????)" objects in one to avoid possible conflicts.  For example "VPN Pool (SSL)" = 10.242.2.0/24 in the office and 10.242.12.0/24 in your home.

If the office UTM is the server side of the SSL VPN site-to-site, add the network on the other side of the further router to 'Local Networks' and {10.242.12.0/24} to 'Remote Networks'.  Load the new client into the home UTM and you should be good to go.

    Cheers - Bob
