
Add NAT through Site to Site VPN

Hi,

I have a Site to Site VPN with a customer, Local Network /29 and Remote Network /24. The remote site NATs 2 IPs of my Local Network 1:1 to connect to QA and PROD https servers.

I'm trying to create a rule that allows 4 /24 segments to connect to those https servers, NATing to 2 of the /29 based on destination. The problem is that the FW thinks the traffic is going to WAN and not through the VPN zone.

Is there a way that the traffic goes to the other site and finds the host with the NAT?

Regards,

  • If you have the option for Route based VPN (VTI) go for it, it is much easier to NAT.

    If you have to do Policy based VPN, you need to perform SNAT in the VPN Tunnel config via drop down. https://support.sophos.com/support/s/article/KB-000035848?language=en_US


  • Hello,

    I have SFOS 17.5.13 MR-13

    The other side gave me the /29 segment to NAT all connections. Then they created a rule to allow 1 IP address to connect over https to 1 IP on the other side, and added another to connect to the other IP.

    So, all the traffic of my LAN zone that goes to x.y.0.52 has to be NATed with a.b.241.1, and if it is going to x.y.0.53 it has to be NATed with a.b.241.2.

    The rule is working, but it identifies the remote network as a WAN zone, not a VPN zone.

    The other side is another company and I can't change configurations.

    AM
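An added check, not from this thread or from Sophos, that models the point raised in the first reply and in the mapping described above: with a policy-based tunnel, a packet is only protected if its (source, destination) pair falls inside the negotiated traffic selectors, so the translated /29 source has to be in place when that check happens, otherwise the flow is handled as ordinary WAN traffic. The addresses and the two-ordering model are assumptions (constructed stand-ins for a.b.241.x and x.y.0.x, not SFOS internals); `audit_nat_map` additionally flags NAT entries that can never match the selectors.

```python
from ipaddress import ip_address, ip_network

# Constructed stand-ins for the thread's placeholders (a.b.241.x, x.y.0.x);
# these are not addresses from the original post.
TUNNEL_LOCAL = ip_network("192.0.2.0/29")       # the /29 the peer accepts as source
TUNNEL_REMOTE = ip_network("198.51.100.0/24")   # the peer's /24 behind the tunnel
INTERNAL_SEGMENTS = [ip_network(f"10.10.{i}.0/24") for i in range(4)]

# Destination-based SNAT: which tunnel-local address to present per server.
SNAT_BY_DESTINATION = {
    ip_address("198.51.100.52"): ip_address("192.0.2.1"),  # QA
    ip_address("198.51.100.53"): ip_address("192.0.2.2"),  # PROD
}


def in_selectors(src, dst):
    """Policy-based IPsec only protects packets whose (src, dst) lie inside the
    negotiated traffic selectors; anything else takes the ordinary route."""
    return src in TUNNEL_LOCAL and dst in TUNNEL_REMOTE


def classify_flow(src, dst, snat_in_tunnel):
    """Simplified model (an assumption, not SFOS internals): if SNAT is part of
    the tunnel configuration, the selector check sees the translated source;
    if it is only a firewall-rule NAT, the check sees the original source."""
    src, dst = ip_address(src), ip_address(dst)
    effective_src = SNAT_BY_DESTINATION.get(dst, src) if snat_in_tunnel else src
    return "vpn" if in_selectors(effective_src, dst) else "wan"


def audit_nat_map():
    """Return problems with the NAT map itself: translated sources must be in
    the local /29 and every destination must be in the remote /24."""
    problems = []
    for dst, nat_src in SNAT_BY_DESTINATION.items():
        if nat_src not in TUNNEL_LOCAL:
            problems.append(f"{nat_src} is outside {TUNNEL_LOCAL}")
        if dst not in TUNNEL_REMOTE:
            problems.append(f"{dst} is outside {TUNNEL_REMOTE}")
    return problems


if __name__ == "__main__":
    for seg in INTERNAL_SEGMENTS:
        host = str(seg[10])  # an arbitrary host from each internal segment
        for dst in SNAT_BY_DESTINATION:
            print(seg, "->", dst, "| firewall-rule NAT:", classify_flow(host, dst, False),
                  "| tunnel NAT:", classify_flow(host, dst, True))
    print("NAT map problems:", audit_nat_map() or "none")
```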

  • Ask the other site if VTI / Route based is possible. Likely it is. It would be easier to configure.

    Your NAT is not working; it is actually applying the traffic to the WAN zone and not in the tunnel.
