I have a question regarding SNAT over an IPSec Tunnel. We have the following configuration:
10.248.178.xxx/32 --> NAT: All our communication has to go through this IP.
The tunnel initiates and the SAs are online.
It's working if I do a 1:1 NAT.
But we have to do the following:
All our networks (not just one) must use an IP of the local subnet if they want to communicate with the remote subnet. We've built a firewall rule with masquerading (e.g. used IP = 10.248.178.xxx).
This does not seem to work. The traceroute is telling us the packets won't go through the tunnel, but the route lookup is recognizing that the IP we are trying to communicate with is behind an IPsec tunnel.
Can you help me with finding a solution to this problem?
Hi Bao Phong Nguyen, please refer to the articles below:
https://community.sophos.com/kb/en-us/123320
https://community.sophos.com/kb/en-us/123356
Keyur, Community Support Engineer | Sophos Support
I followed both KBs:
We have the prerequisite that all our networks have to use the local subnet as the outgoing IP.
Like I said, if I try to NAT only one network it works perfectly fine. Clients in that network can communicate through the tunnel without problems. But I don't see how I can NAT all networks to that one local subnet.
I've tried making copies of the local subnet and NATing them. But as soon as I do, only one of the networks can communicate through the tunnel (luck which one connects first) and the other two cannot communicate.
The way to get it to work is the following.
In the IPsec tunnel under VPN, remove all NAT settings; just add it as a normal tunnel without NAT.
Log in to the CLI of the firewall, select option 4 and add an IPsec route entry for the network you would like to access:
system ipsec_route add net 195.200.xxx.0/255.255.255.0 tunnelname "the name of the tunnel"
Remove the " when using the command.
Add a firewall rule that uses NAT with that IP address and have all the networks that should go into that tunnel in the rule.
Thank you so much. That was the solution :D
Glad to be of service.
Just to refresh this topic: XG v18 supports SNAT within the IPsec tunnel.
Simply use a custom object, not MASQ, in the NAT rule.
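Added illustration (not from any poster, and not Sophos code) of why the thread's MASQ rule failed while a custom NAT object or the ipsec_route approach works: a policy-based tunnel only encrypts packets whose post-NAT source falls inside its local selector. It assumes MASQ rewrites the source to the egress interface address, and uses constructed RFC 5737 sample addresses rather than the poster's real ones.

```python
"""Model of SNAT over a policy-based IPsec tunnel: which source addresses match the selector."""
import ipaddress
from typing import Dict, List

IPv4 = ipaddress.IPv4Address
Net = ipaddress.IPv4Network

# Constructed sample topology (documentation ranges, not the poster's real addresses).
TUNNEL_LOCAL = Net("192.0.2.10/32")        # the single local IP the peer expects us to use
TUNNEL_REMOTE = Net("198.51.100.0/24")     # remote subnet reachable through the tunnel
INTERNAL_NETS: List[Net] = [Net("10.10.0.0/24"), Net("10.20.0.0/24"), Net("10.30.0.0/24")]
EGRESS_IP = IPv4("203.0.113.5")            # WAN interface IP that MASQ would substitute (assumption)
CUSTOM_SNAT_IP = IPv4("192.0.2.10")        # custom NAT object: an address inside TUNNEL_LOCAL


def selector_matches(src: IPv4, dst: IPv4) -> bool:
    """A policy-based tunnel only encrypts packets whose src/dst fall inside its phase-2 selectors."""
    return src in TUNNEL_LOCAL and dst in TUNNEL_REMOTE


def apply_snat(src: IPv4, mode: str) -> IPv4:
    """Assumed SNAT behaviour: 'masq' -> egress interface IP, 'custom' -> the object's IP, 'none' -> unchanged."""
    if mode == "masq":
        return EGRESS_IP
    if mode == "custom":
        return CUSTOM_SNAT_IP
    if mode == "none":
        return src
    raise ValueError(f"unknown SNAT mode: {mode}")


def check_tunnel_reachability(dst: IPv4) -> Dict[str, Dict[str, bool]]:
    """For each internal network, report whether its traffic to dst would enter the tunnel under each SNAT mode."""
    report: Dict[str, Dict[str, bool]] = {}
    for net in INTERNAL_NETS:
        client = net[10]  # an arbitrary host in that network
        report[str(net)] = {mode: selector_matches(apply_snat(client, mode), dst)
                            for mode in ("none", "masq", "custom")}
    return report


def misconfigured_nat_ips(nat_candidates: List[IPv4]) -> List[IPv4]:
    """Pre-flight check: any SNAT address outside the tunnel's local selector will bypass the tunnel."""
    return [ip for ip in nat_candidates if ip not in TUNNEL_LOCAL]


if __name__ == "__main__":
    for net, result in check_tunnel_reachability(IPv4("198.51.100.20")).items():
        print(net, result)
    print("SNAT IPs that would bypass the tunnel:", misconfigured_nat_ips([EGRESS_IP, CUSTOM_SNAT_IP]))
```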