
NAT Question

Just a question here. I have a RED device in a small office (let's call it 192.168.10.0). That RED device is connected to an XGS firewall (firewall 1, 192.168.20.0), and this firewall has a VPN connection to firewall 2 (192.168.30.0). The VPN only passes traffic between the 192.168.20.0 and 192.168.30.0 networks. I wanted to allow one IP on the 192.168.10.0 network to talk to one IP on the .30 network. I tried to set up a NAT on firewall 1 to SNAT traffic from the .10 IP and replace the source with the .20 network internal interface. Nothing I did would make this work. Any ideas?

|RedDevice| ->>  xgs firewall 1  ->> VPN ->> xgs firewall 2
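The reason the SNAT is needed at all is that an IPsec tunnel only carries packets whose source/destination pair falls inside its traffic selectors, and the SNAT is applied before that check. The model below is an added illustration, not the poster's configuration or Sophos code; the three networks and the addresses 192.168.10.5, 192.168.20.253 and 192.168.30.253 come from the thread, the single SNAT rule is a constructed assumption.

```python
import ipaddress

# Networks as described in the original post (constructed model, not a real config)
RED_SITE = ipaddress.ip_network("192.168.10.0/24")  # behind the RED device
FW1_LAN = ipaddress.ip_network("192.168.20.0/24")   # firewall 1 LAN
FW2_LAN = ipaddress.ip_network("192.168.30.0/24")   # firewall 2 LAN, reached over the VPN

# IPsec traffic selectors on firewall 1: only .20 <-> .30 is allowed into the tunnel
VPN_SELECTORS = [(FW1_LAN, FW2_LAN)]

# Hypothetical SNAT rule: translate the one permitted RED host to firewall 1's
# LAN interface address (192.168.20.253 is the address named later in the thread)
SNAT_RULES = {
    ipaddress.ip_address("192.168.10.5"): ipaddress.ip_address("192.168.20.253"),
}


def apply_snat(src):
    """Return the source address after firewall 1's SNAT rule (unchanged if no rule matches)."""
    return SNAT_RULES.get(src, src)


def matches_vpn(src, dst):
    """True if (src, dst) lies inside one of the tunnel's traffic selectors."""
    return any(src in local and dst in remote for local, remote in VPN_SELECTORS)


def path_for(src, dst, snat=True):
    """Decide where firewall 1 sends a packet: 'vpn' if a selector matches after
    (optional) SNAT, otherwise 'no-selector' (never enters the tunnel)."""
    src = ipaddress.ip_address(src)
    dst = ipaddress.ip_address(dst)
    if snat:
        src = apply_snat(src)  # NAT happens before the IPsec policy lookup
    return "vpn" if matches_vpn(src, dst) else "no-selector"


def explain(src, dst):
    """Compare the untranslated and translated verdicts for one flow."""
    return {"without_snat": path_for(src, dst, snat=False),
            "with_snat": path_for(src, dst, snat=True)}
```

Running explain("192.168.10.5", "192.168.30.253") shows the untranslated packet falling outside the selectors and the translated one entering the tunnel; a second RED host with no SNAT rule still gets "no-selector" in both cases.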



  • Hello Steve Klassen,

    Greetings!

    If your RED is set up with the Standard/Split method, it will not send the 192.168.30.0 traffic to SophosXG1. You will have to add the network 192.168.30.0 to the RED accessible resources, and then the firewall rule and NAT rule you created should work as you described. Just make sure that the RED to VPN and VPN to RED rules are created.

    Mayur Makvana
    Technical Account Manager | Global Customer Experience

    If a post solves your question please use the 'Verify Answer' button.

  • Should work.
    Can you find the traffic within logviewer?
    Would you show us the NAT-Rule?


    Dirk

    Systema Gesellschaft für angewandte Datentechnik mbH  // Sophos Platinum Partner
    Sophos Solution Partner since 2003
    If a post solves your question, click the 'Verify Answer' link at this post.

  • Our RED is in standard/unified mode, so all traffic from .10 should be delivered to the .20 firewall.

    The .10 network is part of the LAN zone on the .20 firewall

    The .10 network and the .20 network can already communicate so no firewall rules needed. The .20 network and .30 network also can communicate already, so no firewall rules needed.

  • I did a packet capture, and the capture showed "incoming" and "consumed" packets. The capture had no details for the packets though. Just the log of the packets, but when you click on each to inspect it... there is no data in there.

  • Hello Steve Klassen,

    Could you please share the packet capture with us, using the string below?

    host 192.168.30.253 or host 192.168.10.5 or host 192.168.20.253

    Let us know which rule ID and NAT ID are being marked. Is it the same NAT ID as the one you created, or is it marking a different one?

    Also, you will need the RED to VPN and VPN to RED rules, as traffic comes in from the RED and has to be forwarded to the VPN.

    Mayur Makvana
    Technical Account Manager | Global Customer Experience


  • Why do you send a mail to the firewall IP (192.168.30.253)?
    What should the firewall do with the mail?
    Can you show us the block-line from log-viewer?


    Dirk

    Systema Gesellschaft für angewandte Datentechnik mbH  // Sophos Platinum Partner
    Sophos Solution Partner since 2003

  • We use it as a mail relay.

    The firewall already relays mail for all our networks. Just not this one RED location. It's our only RED site.

    There is no block line that I can see.

  • Do you NAT the other networks too?

    A packet capture at both firewalls would be the next step.


    Dirk

    Systema Gesellschaft für angewandte Datentechnik mbH  // Sophos Platinum Partner
    Sophos Solution Partner since 2003