

Static NAT from Cisco ASA

I'm sure this has been answered but with no search option that I can find and having gone through over 40 pages of posts I've decided to ask the question.

We have moved from a Cisco ASA to Sophos XG.  We are running the XG230 on firmware 17.5.9 MR-9. We are simply trying to duplicate the settings we have on the ASA that work on the Sophos.  Cisco calls this a static or 1:1 NAT, and the purpose is a backup VPN connection for a vendor that supplied a Juniper for this VPN connection.

The goal is to have a public IP address that the vendor uses to create a VPN tunnel to the Juniper.  We restrict access to two IP addresses that they provide and allow all ports and protocols.

On the ASA we have port 0/3 configured with a VLAN using IP address 192.168.253.1.  Then we have a static NAT pointing the public IP address to the IP of the Juniper (192.169.253.10) that is plugged into Port 0/3.  Then we have ACL rules allowing their IP to that static NAT address.

On the XG what we've done is configure Port 3 as a DMZ interface with the IP address 192.168.253.1. Then under firewall rules we have a DNAT configured with the Source being WAN and the Destination being the public IP address, forwarding to the 192.168.253.10 address of the Juniper in the DMZ zone we created (nothing in mapped ports).  We also have masquerading checked with the public IP address set as the outbound address.

We also have created a SNAT to essentially go the other direction. Source is the DMZ zone we created and the Device is the 192.168.253.10 address of the Juniper. Destination is the WAN, with masquerading checked here, the outbound IP set to the public IP address, and the primary gateway set to Outside.

On both these rules we have hosts set up for the IP addresses that we want to allow.  For testing purposes I've added a third IP address.  The problem is the vendor is claiming they are not seeing the tunnel come up.  I can get to the Juniper using SSH and HTTPS, but I have no access to log in.  I worked with Sophos support the other day and he created a third rule, which I have since disabled as it broke the vendor's ability to SSH; they could still reach the Juniper by HTTPS.

It's interesting to me that with these settings I can connect to the device via SSH and HTTPS but it's not building their VPN tunnel.  I want to make sure that I have things configured properly before I try to get the vendor and Sophos on the phone at the same time.



  • Hi  

    It would be great if you could share the Network Diagram to understand the scenario.

    By VPN I assume you mean IPsec VPN; please correct me if not.

    Are the port forwarding and the tunnel both configured on the same public IP on the XG firewall?

    IPsec VPN uses ports 500 and 4500, and if they are used in a DNAT, IPsec will not get established.

    It would be great, if you could provide information for the configuration you want to achieve on XG firewall, we will be glad to assist you further.

    Please PM us the service request number to check.

    Regards,

    Keyur
    Community Support Engineer | Sophos Support
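To make the two points in this exchange concrete, the following is a small Python model of what the thread calls a 1:1 or static NAT, added here as an illustration; it is not Sophos XG or Cisco ASA configuration and not code from anyone in the thread. It models the DNAT leg (everything sent to the public IP goes to the Juniper, restricted to an allow list of remote peers), the SNAT leg (everything the Juniper sends out appears to come from that same public IP), and Keyur's caveat: if the firewall terminates its own IPsec on the same address that an all-ports DNAT forwards, UDP 500/4500 and ESP are claimed twice. The public IP 203.0.113.10, the WAN IP 203.0.113.1 and the peer addresses 198.51.100.5/6 are constructed placeholders; 172.16.253.10 is the Juniper address given later in the thread.

```python
"""Model of a 1:1 (static) NAT as a DNAT + SNAT pair, with a check for IPsec
port collisions against services the firewall itself terminates.

Illustrative code only; not Sophos XG or Cisco ASA configuration.
"""
from dataclasses import dataclass, replace
from typing import FrozenSet, List, Optional, Tuple

# (protocol, port); ESP (IP protocol 50) carries no port, so its port is None.
Service = Tuple[str, Optional[int]]


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    proto: str                      # "udp", "tcp" or "esp"
    dst_port: Optional[int] = None  # None for port-less protocols such as ESP


@dataclass(frozen=True)
class StaticNat:
    """A 1:1 NAT: every port and protocol sent to public_ip is forwarded to
    internal_ip (DNAT), and everything internal_ip sends out is rewritten to
    public_ip (SNAT), so the remote peer sees one consistent address."""
    public_ip: str
    internal_ip: str
    allowed_sources: FrozenSet[str]  # the ACL: remote peers permitted inbound

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """DNAT leg. Returns the translated packet, or None when the packet is
        dropped (not addressed to public_ip, or source not on the allow list)."""
        if pkt.dst_ip != self.public_ip or pkt.src_ip not in self.allowed_sources:
            return None
        return replace(pkt, dst_ip=self.internal_ip)

    def outbound(self, pkt: Packet) -> Optional[Packet]:
        """SNAT leg. Traffic leaving the internal host is rewritten so the peer
        sees the same public IP it sends to; other hosts are not this rule's job."""
        if pkt.src_ip != self.internal_ip:
            return None
        return replace(pkt, src_ip=self.public_ip)


# What an IPsec peer needs to reach: IKE on UDP 500, NAT-T on UDP 4500, and ESP.
IPSEC_SERVICES: FrozenSet[Service] = frozenset({("udp", 500), ("udp", 4500), ("esp", None)})


def ipsec_port_conflicts(nat: StaticNat, firewall_ipsec_ips: FrozenSet[str]) -> List[Service]:
    """Return the IPsec services that become ambiguous because the firewall
    terminates its own IPsec on an address the all-ports DNAT also forwards.
    An empty list means the NAT'd tunnel and the firewall's own IPsec do not
    compete for the same (address, port) pairs."""
    if nat.public_ip not in firewall_ipsec_ips:
        return []
    return sorted(IPSEC_SERVICES, key=lambda s: (s[0], s[1] or 0))


def round_trip(nat: StaticNat, peer_ip: str) -> List[Optional[Packet]]:
    """Trace the first IKE exchange and the first ESP packets in both directions
    through the two NAT legs. Any None in the result means that leg drops the
    traffic and the tunnel cannot complete."""
    return [
        nat.inbound(Packet(peer_ip, nat.public_ip, "udp", 500)),      # IKE request in
        nat.outbound(Packet(nat.internal_ip, peer_ip, "udp", 500)),   # IKE reply out
        nat.inbound(Packet(peer_ip, nat.public_ip, "esp")),           # ESP in
        nat.outbound(Packet(nat.internal_ip, peer_ip, "esp")),        # ESP out
    ]


# Constructed example matching the thread's topology: a dedicated public IP
# (not the WAN interface address) mapped to the Juniper on the DMZ port.
EXAMPLE_NAT = StaticNat(
    public_ip="203.0.113.10",
    internal_ip="172.16.253.10",
    allowed_sources=frozenset({"198.51.100.5", "198.51.100.6"}),
)

if __name__ == "__main__":
    for leg in round_trip(EXAMPLE_NAT, "198.51.100.5"):
        print(leg)
    # Firewall's own IPsec bound to the WAN address only: no collision.
    print(ipsec_port_conflicts(EXAMPLE_NAT, frozenset({"203.0.113.1"})))
    # Firewall's own IPsec also bound to the NAT'd public IP: collision.
    print(ipsec_port_conflicts(EXAMPLE_NAT, frozenset({"203.0.113.1", "203.0.113.10"})))
```

The conflict check is the part worth running against a real configuration: a full-range DNAT on an address is only safe for a pass-through IPsec tunnel if the firewall does not also listen for its own IKE on that address, which is exactly what the question about forwarding and tunnelling on "the same public IP" is probing.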

  • I've sent you a PM.  Here is the same information for anyone else that is reading.

    Here's a quick diagram of how devices are connected in the setup with the Cisco ASA.  We simply need to mimic this setup and in Cisco terminology it is called a 1:1 or static NAT.

    The goal is to allow all traffic (ports, protocols - no service restrictions) to the Juniper using the public IP address XXX.XXX.XXX.XXX.  This public IP address needs to be NATed to the Juniper interface that is plugged into Port 3 with the IP address 172.16.253.xx. This public IP address is not the same address as the WAN port.  When traffic leaves the Juniper it should be going out the WAN using the same public IP address as the incoming traffic.

    On the Cisco we have port 3 configured with a VLAN, that VLAN is assigned IP address 172.16.253.1
    The Juniper interface with IP 172.16.253.10 is plugged into Port 3 on the Cisco
    We have a static NAT with the public IP address XXX.XXX.XXX.XXX pointing to the Juniper IP 172.16.253.10
    Then we have ACLs configured to allow all traffic to and from specific Fiserv public IP addresses

    In a failover we change routes for Fiserv traffic to point to the Inside address of the Fiserv Juniper which then will send traffic down the tunnel that is built between the Juniper and one of the Fiserv allowed IP addresses using the public IP address XXX.XXX.XXX.XXX