How to configure full NAT to server over IPSec Site-to-Site VPN

Question

Hi Looking for some asistance. 
 I am by no means an expert on firewalling except for what i have taught myself. 
 I am using Sophos XG v18 Virtul Machines on both sites. (My Network is sort of a Advanced home Network/Test Lab) 
 I have 2 Sites that are connected via IPsec S2S vpn. 
 My current setup looks something like the below: 
 Network #1 
 Internal Ips: 172.16.0.0/24 - 172.16.1.0/24 - 172.16.2.0/24 External Ip: 1.1.1.1 Network #2 Internal Ips: 172.16.4.0 External Ip: 2.2.2.2 
 Server IP 172.16.4.5 
 
 IPSec Tunnel between the 2 XG's (No NAT configured) 
 
 Now i am trying to acccess a web server on Network#2 via Network#1's External IP on Port 80 
 I have read the forums tried Google Searching and found that people have been able to succesfully configure this. 
 I have tried following along and configuring as best as i can a replica of what they have done but just nothing seems to work. 
 I am convinced that i need to configure a Full NAT but at the same time trying to figure it out on V18 has wrecked my brain. 
 any help would be appreciated (With Pictures of the setup also please) 
 
 I do appolagise if this has been addressed in the past and i have not seen it.

Tauriq Ridley · Accepted Answer

Vishal_R LuCar Toni & 
 Thank you so much for your help. 
 I managed to get it working today by cleaning up some of the existing firewall and NAT Rules and than following your guids step by step. 
 I cant believe i struggled for so long and In hindsight it was actually really easy to do if you know how.

Vishal_R · Answer

Hi Tauriq Ridley : Thank you for connecting Sophos community team. Over a firewall that contains external IP 1.1.1.1, you may configure DNAT over the VPN (as your destination server is over VPN for this firewall). Reference steps: https://docs.sophos.com/nsg/sophos-firewall/18.0/Help/en-us/webhelp/onlinehelp/nsg/sfos/learningContents/CreatingDNATRuleWebServer.html https://support.sophos.com/support/s/article/KB-000035604?language=en_US Once DNAT configuration is done, you may add a manual IPSec route and system-generated NAT via the below command. console> system ipsec_route add host 172.16.4.5 tunnelname Execute the following command to NAT Sophos Firewall generated traffic: console> set advanced-firewall sys-traffic-nat add destination 172.16.4.5 snatip Please refer to below scenario ( Syslog over VPN) to get more information on why IPSec route and SNAT is required. https://support.sophos.com/support/s/article/KB-000035820?language=en_US I n your case, in place of Syslog it is your webserver which you have published on WAN IP 1.1.1.1 of FW-1.

LuCar Toni · Answer

Delete the SNAT Rule on Cli. Instead do the same in the NAT rule on Webadmin. Use a custom source host.

How to configure full NAT to server over IPSec Site-to-Site VPN

Top Replies