Full NAT for device accessed via VPN Site-to Site

Hello people,
 
I created an incoming firewall rule (Full NAT) forwarding traffic arriving on TCP port 37777 on a public IP alias to a DVR device that is in a branch office, connected to the main office via an IPsec site-to-site VPN between Sophos XG and pfSense. The VPN tunnel is online, and the computers on the pfSense network browse the internet through the tunnel, exiting via the Sophos XG WAN.
 
The Full NAT rule is not working, packets are not arriving at the DVR equipment that is at the branch office.
 
Does anyone have any ideas?

  • Hi  

    Please make sure that the DVR IP address is added in the Remote Subnet of the XG IPsec configuration and in the Local Subnet of the pfSense IPsec configuration.

    VPN to LAN and LAN to VPN

    WAN to VPN and VPN to WAN firewall rules should be configured.

    Please verify with the packet capture: https://community.sophos.com/kb/en-us/123189

  • In reply to Keyur:

    Yes, the networks are declared in the tunnel, local and remote network at each end.


    For example, the computers on both networks communicate with each other, and the computers on the pfSense network are able to browse the internet, passing through the tunnel and arriving at the XG WAN interface.

  • In reply to IvanildoGalvão:

    Hi  

    Thank you for the information. Could you please use the packet capture and capture the traffic for the DVR IP using the string host <DVR IP address>? Please initiate the traffic and see whether the traffic is being sent out from the IPsec tunnel or not.

  • In reply to Keyur:

    In addition:

    A tcpdump output from the console or advanced shell.

    Thanks

  • In reply to lferrara:

    I used tcpdump; it seems to me that the packets are being forwarded in the correct way, but even so the DVR does not respond. Maybe it is turned off, or it does not have the gateway configured correctly to be able to answer requests. I will ask the customer support to check it out.

    Below is the result of tcpdump; what do you think?

    05:19:36.944039 Port7, OUT: IP My public ip here at work > DVR LAN IP: ICMP echo request, id 60417, seq 2034, length 40
    05:19:41.651678 Port7, OUT: IP My public ip here at work > DVR LAN IP: ICMP echo request, id 60417, seq 2035, length 40
    05:19:46.650094 Port7, OUT: IP My public ip here at work > DVR LAN IP: ICMP echo request, id 60417, seq 2036, length 40
    05:19:51.664565 Port7, OUT: IP My public ip here at work > DVR LAN IP: ICMP echo request, id 60417, seq 2037, length 40
    05:19:56.663421 Port7, OUT: IP My public ip here at work > DVR LAN IP: ICMP echo request, id 60417, seq 2038, length 40
    05:20:01.662290 Port7, OUT: IP My public ip here at work > DVR LAN IP: ICMP echo request, id 60417, seq 2039, length 40
    05:20:06.662012 Port7, OUT: IP My public ip here at work > DVR LAN IP: ICMP echo request, id 60417, seq 2040, length 40
    05:20:11.660749 Port7, OUT: IP My public ip here at work > DVR LAN IP: ICMP echo request, id 60417, seq 2041, length 40
    05:20:16.659018 Port7, OUT: IP My public ip here at work > DVR LAN IP: ICMP echo request, id 60417, seq 2042, length 40
    05:20:21.655925 Port7, OUT: IP My public ip here at work > DVR LAN IP: ICMP echo request, id 60417, seq 2043, length 40
    05:20:26.656046 Port7, OUT: IP My public ip here at work > DVR LAN IP: ICMP echo request, id 60417, seq 2044, length 40
    05:20:31.654816 Port7, OUT: IP My public ip here at work > DVR LAN IP: ICMP echo request, id 60417, seq 2045, length 40
    05:20:32.127968 Port7, OUT: IP My public ip here at work.65484 > DVR LAN IP.37777: Flags , seq 1367773775, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
    05:20:33.140875 Port7, OUT: IP My public ip here at work.65484 > DVR LAN IP.37777: Flags , seq 1367773775, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
    05:20:35.147356 Port7, OUT: IP My public ip here at work.65484 > DVR LAN IP.37777: Flags , seq 1367773775, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
    05:20:36.658909 Port7, OUT: IP My public ip here at work > DVR LAN IP: ICMP echo request, id 60417, seq 2046, length 40
    05:20:39.155631 Port7, OUT: IP My public ip here at work.65484 > DVR LAN IP.37777: Flags , seq 1367773775, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
    05:20:41.663703 Port7, OUT: IP My public ip here at work > DVR LAN IP: ICMP echo request, id 60417, seq 2047, length 40
    05:20:46.663806 Port7, OUT: IP My public ip here at work > DVR LAN IP: ICMP echo request, id 60417, seq 2048, length 40
    05:20:47.158784 Port7, OUT: IP My public ip here at work.65484 > DVR LAN IP.37777: Flags , seq 1367773775, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
    05:20:51.654851 Port7, OUT: IP My public ip here at work > DVR LAN IP: ICMP echo request, id 60417, seq 2049, length 40
    05:20:53.165413 Port2, OUT: IP My public ip here at work.65486 > DVR LAN IP.37777: Flags , seq 4261367662, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
    05:20:54.174684 Port2, OUT: IP My public ip here at work.65486 > DVR LAN IP.37777: Flags , seq 4261367662, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
    05:20:56.181022 Port2, OUT: IP My public ip here at work.65486 > DVR LAN IP.37777: Flags , seq 4261367662, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
    05:20:56.659622 Port7, OUT: IP My public ip here at work > DVR LAN IP: ICMP echo request, id 60417, seq 2050, length 40
    05:21:00.193390 Port2, OUT: IP My public ip here at work.65486 > DVR LAN IP.37777: Flags , seq 4261367662, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
    05:21:01.665507 Port7, OUT: IP My public ip here at work > DVR LAN IP: ICMP echo request, id 60417, seq 2051, length 40
    05:21:06.664653 Port7, OUT: IP My public ip here at work > DVR LAN IP: ICMP echo request, id 60417, seq 2052, length 40
    05:21:08.195919 Port2, OUT: IP My public ip here at work.65486 > DVR LAN IP.37777: Flags , seq 4261367662, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
    05:21:11.662344 Port7, OUT: IP My public ip here at work > DVR LAN IP: ICMP echo request, id 60417, seq 2053, length 40
    05:21:14.209219 Port7, OUT: IP My public ip here at work.65488 > DVR LAN IP.37777: Flags , seq 1435340121, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
    05:21:15.220604 Port7, OUT: IP My public ip here at work.65488 > DVR LAN IP.37777: Flags , seq 1435340121, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
    05:21:16.658735 Port7, OUT: IP My public ip here at work > DVR LAN IP: ICMP echo request, id 60417, seq 2054, length 40
    05:21:17.233365 Port7, OUT: IP My public ip here at work.65488 > DVR LAN IP.37777: Flags , seq 1435340121, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
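    The pattern in the capture above (OUT packets toward the DVR, repeated SYNs with the same sequence number, and never an IN reply) can be checked mechanically rather than by eye. The following is an added example and not part of this thread or of any Sophos tool: a small Python parser for the XG console tcpdump line format ("time iface, DIR: IP src > dst: ...") that groups packets into flows, counts each direction, and reports flows that never see return traffic plus the number of SYN retransmissions. The sample capture embedded in it is constructed for the example: the addresses 203.0.113.10 (public side) and 192.168.50.0/24 (branch LAN) and the flags are assumed, with the DVR port 37777 taken from the thread.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Line format printed by the XG console "tcpdump" (interface and IN/OUT prefix).
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) (?P<iface>\S+), (?P<dir>IN|OUT): IP "
    r"(?P<src>\S+) > (?P<dst>[^:]+): (?P<rest>.*)$"
)
SEQ_RE = re.compile(r"\bseq (\d+)\b")
FLAGS_RE = re.compile(r"Flags \[([^\]]*)\]")

# Constructed sample capture (addresses and flags are assumptions for this example).
SAMPLE_CAPTURE = """\
05:19:36.944039 Port7, OUT: IP 203.0.113.10 > 192.168.50.20: ICMP echo request, id 60417, seq 2034, length 40
05:19:41.651678 Port7, OUT: IP 203.0.113.10 > 192.168.50.20: ICMP echo request, id 60417, seq 2035, length 40
05:20:32.127968 Port7, OUT: IP 203.0.113.10.65484 > 192.168.50.20.37777: Flags [S], seq 1367773775, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
05:20:33.140875 Port7, OUT: IP 203.0.113.10.65484 > 192.168.50.20.37777: Flags [S], seq 1367773775, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
05:20:35.147356 Port7, OUT: IP 203.0.113.10.65484 > 192.168.50.20.37777: Flags [S], seq 1367773775, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
05:20:40.000000 Port7, OUT: IP 203.0.113.10.65490 > 192.168.50.5.80: Flags [S], seq 100, win 64240, options [mss 1460], length 0
05:20:40.012000 Port7, IN: IP 192.168.50.5.80 > 203.0.113.10.65490: Flags [S.], seq 200, ack 101, win 65535, options [mss 1460], length 0
"""


@dataclass
class FlowStats:
    out_pkts: int = 0
    in_pkts: int = 0
    syn_seqs: list = field(default_factory=list)

    @property
    def syn_retransmits(self):
        # Every repeat of an already-seen SYN sequence number is a retransmission.
        return len(self.syn_seqs) - len(set(self.syn_seqs))


def split_endpoint(endpoint, is_tcp):
    """'10.0.0.1.443' -> ('10.0.0.1', 443); ICMP endpoints carry no port."""
    if not is_tcp:
        return endpoint, None
    host, _, port = endpoint.rpartition(".")
    return host, int(port)


def parse_line(line):
    """Parse one capture line into a dict, or return None for non-matching text."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rest = m["rest"]
    proto = "icmp" if rest.startswith("ICMP") else "tcp"
    src, sport = split_endpoint(m["src"], proto == "tcp")
    dst, dport = split_endpoint(m["dst"], proto == "tcp")
    flags = FLAGS_RE.search(rest)
    seq = SEQ_RE.search(rest)
    return {
        "ts": m["ts"], "iface": m["iface"], "dir": m["dir"], "proto": proto,
        "src": src, "sport": sport, "dst": dst, "dport": dport,
        "flags": flags.group(1) if flags else "",
        "seq": int(seq.group(1)) if seq else None,
    }


def flow_key(pkt):
    """Direction-independent flow identity: (proto, lower endpoint, higher endpoint)."""
    a = (pkt["src"], pkt["sport"] or 0)
    b = (pkt["dst"], pkt["dport"] or 0)
    lo, hi = sorted([a, b])
    return (pkt["proto"], lo, hi)


def analyze(lines):
    """Count packets per flow and direction; collect SYN sequence numbers."""
    flows = defaultdict(FlowStats)
    for line in lines:
        pkt = parse_line(line)
        if pkt is None:
            continue
        st = flows[flow_key(pkt)]
        if pkt["dir"] == "OUT":
            st.out_pkts += 1
        else:
            st.in_pkts += 1
        # A bare "S" is a client SYN; "S." (SYN-ACK) is the server's answer.
        if pkt["proto"] == "tcp" and pkt["flags"] == "S" and pkt["seq"] is not None:
            st.syn_seqs.append(pkt["seq"])
    return dict(flows)


def one_way_flows(flows):
    """Flows with packets in only one direction: forwarded, but never answered."""
    return sorted(k for k, st in flows.items() if st.in_pkts == 0 or st.out_pkts == 0)


if __name__ == "__main__":
    flows = analyze(SAMPLE_CAPTURE.splitlines())
    for key in one_way_flows(flows):
        st = flows[key]
        proto, lo, hi = key
        print(f"{proto} {lo[0]}:{lo[1]} <-> {hi[0]}:{hi[1]}: "
              f"out={st.out_pkts} in={st.in_pkts} syn_retransmits={st.syn_retransmits}")
```

    Run against a real capture, pipe the console output into a file and pass its lines to analyze(); a flow that shows only OUT packets on the tunnel-facing interface, with the same SYN sequence number repeated, is the signature lferrara describes next: the firewall is forwarding, the far end is not answering.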

  • In reply to IvanildoGalvão:

    Correct!

    Traffic from XG is forwarded to the DVR device but it never gets back. Check the default gateway on the DVR device.

    Alternatively, try to ping a device on the same LAN where the DVR is placed and check if you get a ping reply.

    Using traceroute on the remote PC is possible. This sort of command is, most of the time, not available on DVR devices.

    Regards

  • In reply to lferrara:

    According to the customer, all DVRs are connected and the gateway is correctly configured.


    This scenario was working when the edge firewall was a Fortigate; now it's a Sophos XG 135, which is working well: it has 3 active internet links and all site-to-site VPNs are online, and the computers behind these VPNs are able to browse the internet, leaving over the XG WAN.
    I'm not able to see what else can be done for the NAT services to work.

  • In reply to IvanildoGalvão:

    Perform a traceroute from the customer side and post the output.

    Regards

  • In reply to lferrara:

    In traceroute, machines normally leave one network for another through the IPsec tunnel.


    At the moment only the NAT of the published services is not working: the packets arriving at the public IP addresses in each alias are not delivered to the devices behind each tunnel in the branches.

  • In reply to IvanildoGalvão:

    Actually, SNAT is not possible in the firewall in V17.

    SNAT is done in the IPsec tunnel in V17 (policy-based).

    https://community.sophos.com/kb/en-us/123356

    In V18 you could move to route-based VPN (VTI) and could use the NAT in the firewall for DNAT and SNAT (Full NAT).

  • In reply to LuCar Toni:

    The LAN network is different at each location; the attached image shows what I need.

  • In reply to IvanildoGalvão:

    Ivanildo,

    Can you try the following solution?

  • In reply to lferrara:

    Thank you, solved with this solution.

    system ipsec_route add net <Network Address> tunnelname <tunnel>

  • In reply to IvanildoGalvão:

    Hi  

    We are glad that the issue is resolved.

    Thank you for sharing your expertise.