
Routing instead of NAT

We are in the middle of an SD-WAN deployment. In our design we have branch offices with firewalls that connect into our SD-WAN vendor's device. We connect to the SD-WAN device with a private IP of 10.255.x.x and it will route the traffic based on its network destination, either to another branch location or up to a network-based firewall.

What I am seeing with the Sophos devices is that, from the network-based firewall side, all traffic is coming from the Sophos IP that is connected to the SD-WAN device. This limits our ability to restrict internet-destined traffic based on the underlying subnets in the branch location. So is there a way to turn off NAT and allow the internet-destined traffic going to the network-based firewall to see the underlying network?

This is a rough diagram:

Sophos (10.255.x.2) --> SD-WAN device (10.255.x.1) --> MPLS --> network-based firewall or another branch site.

One other question has been whether to take the firewall out of the equation altogether. I am hesitant to do this because we still like the IDS/IPS and deep packet inspection of the firewall over using the SD-WAN device, which will only do stateless firewalling. Also, unknown to us, the design does not have multipath capability to get out to the internet, meaning that if the MPLS circuit goes down, internet ceases to function. This means that in a failure situation we will require internet-destined traffic to go straight out the SD-WAN device.

Opinions on whether we should chuck the firewalls, and is there a way to drop NAT?

This thread was automatically locked due to age.
FormerMember

Hi JeffTarnowski,

In your scenario you would need to set up the SD-WAN connection as a gateway and not configure the firewall rule with NAT/masquerading. If this does not work, you can try creating a policy route, which gives you the option to select the SD-WAN as the gateway for outbound traffic.

Thanks,
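The following is an added example, not code from the thread or from Sophos, that models the two configurations discussed above: a LAN-to-WAN rule with masquerading on (the upstream firewall sees only the transit address, 10.255.x.2 in the diagram) versus the same rule with masquerading off and the SD-WAN device as the gateway (the upstream sees the branch LAN source). It also shows the check a practitioner wants before turning NAT off: once the branch LAN source is preserved, the SD-WAN device and the network-based firewall need a route back to that LAN subnet via the branch firewall, otherwise their replies follow their default route. All subnets, addresses and rule names (192.168.10.0/24, 10.255.10.0/30, 203.0.113.x, 198.51.100.7, `MASQ_RULE`, `ROUTED_RULE`) are constructed for the example.

```python
"""
Constructed model (not Sophos code, not from the thread) of what the next
hop sees when a branch firewall forwards LAN traffic to the SD-WAN gateway
with and without source NAT, and whether the upstream side can route the
reply back.  All addresses, subnets and names are made up for the example.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Route:
    prefix: str     # destination network in CIDR form
    next_hop: str   # next-hop address, or "connected" for a directly attached subnet
    out_ip: str     # address of the interface the route leaves through


def lookup(routes: List[Route], dst: str) -> Optional[Route]:
    """Longest-prefix match, the way a routing table selects a route."""
    addr = ipaddress.ip_address(dst)
    best = None
    for r in routes:
        net = ipaddress.ip_network(r.prefix)
        if addr in net and (best is None or net.prefixlen > ipaddress.ip_network(best.prefix).prefixlen):
            best = r
    return best


@dataclass(frozen=True)
class FirewallRule:
    src_net: str                          # LAN subnet the rule matches
    masquerade: bool                      # source NAT / MASQ enabled on the rule
    policy_route: Optional[Route] = None  # explicit gateway, overrides the routing table


def branch_forward(routes: List[Route], rule: FirewallRule, src: str, dst: str) -> Optional[Tuple[str, str]]:
    """Return (source address seen by the next hop, next hop) for one LAN packet,
    or None if the rule does not match or there is no route."""
    if ipaddress.ip_address(src) not in ipaddress.ip_network(rule.src_net):
        return None
    route = rule.policy_route or lookup(routes, dst)
    if route is None:
        return None
    seen_src = route.out_ip if rule.masquerade else src
    return seen_src, route.next_hop


def upstream_reply_next_hop(upstream_routes: List[Route], seen_src: str) -> Optional[str]:
    """Where the upstream device sends its reply to the source it observed."""
    route = lookup(upstream_routes, seen_src)
    return route.next_hop if route else None


# Branch firewall: LAN 192.168.10.0/24, transit /30 to the SD-WAN device (constructed).
BRANCH_ROUTES = [
    Route("192.168.10.0/24", "connected", "192.168.10.1"),
    Route("10.255.10.0/30", "connected", "10.255.10.2"),
    Route("0.0.0.0/0", "10.255.10.1", "10.255.10.2"),
]
# Upstream side as deployed: only the transit /30 and a default route toward the internet.
UPSTREAM_ROUTES = [
    Route("10.255.10.0/30", "connected", "10.255.10.1"),
    Route("0.0.0.0/0", "203.0.113.1", "203.0.113.2"),
]
# Upstream side after adding a return route for the branch LAN via the branch firewall.
UPSTREAM_ROUTES_WITH_BRANCH = UPSTREAM_ROUTES + [
    Route("192.168.10.0/24", "10.255.10.2", "10.255.10.1"),
]

MASQ_RULE = FirewallRule("192.168.10.0/24", masquerade=True)
ROUTED_RULE = FirewallRule("192.168.10.0/24", masquerade=False)
# Policy-route variant: same no-NAT rule, but the SD-WAN device chosen explicitly as gateway.
ROUTED_VIA_SDWAN = FirewallRule("192.168.10.0/24", masquerade=False,
                                policy_route=Route("0.0.0.0/0", "10.255.10.1", "10.255.10.2"))


def scenario(rule: FirewallRule, upstream_routes: List[Route]) -> dict:
    """Forward one packet from a branch host to an internet host and trace the reply path."""
    seen_src, next_hop = branch_forward(BRANCH_ROUTES, rule, "192.168.10.25", "198.51.100.7")
    reply_hop = upstream_reply_next_hop(upstream_routes, seen_src)
    return {
        "seen_by_upstream": seen_src,
        "next_hop": next_hop,
        "reply_next_hop": reply_hop,
        # The reply only reaches the branch if the upstream sends it back over the transit link.
        "reply_reaches_branch": reply_hop in ("connected", "10.255.10.2"),
    }


if __name__ == "__main__":
    print("masquerade on          :", scenario(MASQ_RULE, UPSTREAM_ROUTES))
    print("masquerade off         :", scenario(ROUTED_RULE, UPSTREAM_ROUTES))
    print("masq off + return route:", scenario(ROUTED_RULE, UPSTREAM_ROUTES_WITH_BRANCH))
```

With masquerading on, the upstream sees 10.255.10.2 and replies over the connected /30, which is exactly the situation the original post describes: the per-subnet identity is lost but nothing else has to change. With masquerading off, the upstream sees 192.168.10.25, so it can filter per branch subnet, but its reply follows the default route unless someone has added 192.168.10.0/24 via 10.255.10.2 on the SD-WAN device and the network-based firewall (and the equivalent for every other branch). The policy-route variant changes only which gateway the branch firewall hands the packet to; it does not affect what source address the upstream sees.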