This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Allow IPSec from certain endpoints, deny the rest

I understand I need to create a blackhole DNAT to block inbound IPSec traffic. What I also need to do is allow a few endpoints to establish a tunnel. To me, this means I need two NAT rules -- one to passthru legit IPSec and the other to blackhole.

I've created two DNAT rules but the passthru rule isn't being matched. Before I turn up the blackhole DNAT I want to make sure the legit traffic will match the correct translation. Screenshot of the passthru NAT attached. Thanks.

Jack

This thread was automatically locked due to age.

Top Replies

Vivek Jagad over 1 year ago in reply to Jack Valko +2 verified

Yes, in an scenario to drop packets from unwanted sources from the internet, black hole DNAT is highly recommended here.

0 Vivek Jagad over 1 year ago

Hello Jack Valko ,

Thank you for reaching out to the community, you create a deny service rule for the endpoints you want to deny and then create a allow service rule for the rest of the endpoint.

Thanks & Regards,
_______________________________________________________________

Vivek Jagad | Team Lead, Technical Support, Global Customer Experience

Log a Support Case | Sophos Service Guide
Best Practices – Support Case | Security Advisories
Compare Sophos next-gen Firewall | Fortune Favors the prepared
Sophos Community | Product Documentation | Sophos Techvids | SMS
If a post solves your question please use the 'Verify Answer' button.
Cancel
Vote Up 0 Vote Down

Cancel
0 Jack Valko over 1 year ago

Hi Vivek,

Thanks for your reply. Unfortunately, your suggestion wont work because I only want to allow 2 IPs to connect with IPSec, and the rest of the Internet is denied. Also, it appears a blackhole DNAT is the only way to deny inbound IPSec to the firewall. I tried with a deny rule but it never matched.
Cancel
Vote Up 0 Vote Down

Cancel
+1 Vivek Jagad over 1 year ago in reply to Jack Valko

Yes, in an scenario to drop packets from unwanted sources from the internet, black hole DNAT is highly recommended here.

Thanks & Regards,
_______________________________________________________________

Vivek Jagad | Team Lead, Technical Support, Global Customer Experience

Log a Support Case | Sophos Service Guide
Best Practices – Support Case | Security Advisories
Compare Sophos next-gen Firewall | Fortune Favors the prepared
Sophos Community | Product Documentation | Sophos Techvids | SMS
If a post solves your question please use the 'Verify Answer' button.
Cancel
Vote Up +2 Vote Down

Cancel