

Port forwarding WAN to Route based VPN

I have 2 XG ver. 20 firewalls between 2 sites, both with Static public IP.

There is an SD-WAN route-based VPN between the 2 sites, and it works perfectly. The route precedence is SD-WAN, Static, VPN.

I am trying to publish an internal server resource that resides in Site A, using the Site B WAN.

There is a firewall rule on Site B - Allow WAN to VPN, with specified TCP port number, and also a NAT rule to DNAT to the internal server.

It does not work. The packets arrive on the Site B WAN interface and are sent out immediately on the same WAN interface, even though there is an SD-WAN policy to send anything destined for the Site A LAN over the VPN.

I have tried using a Source NAT rule as well, but the packets still exit the same WAN interface.



  • The DNAT wouldn't help me either, because I want the server in Site A to get the real client IP address.

    So I want the packet to just be routed over the VPN from Site B all the way to the server in Site A with the original source IP.

    The reply packet from the server is handled by an SD-WAN rule on Site A:

    It all works, but the only issue is that the Site B XG must use a static route instead of SD-WAN.

  • Why have you switched the source and destination ports within the service definition?


    Dirk

    Systema Gesellschaft für angewandte Datentechnik mbH  // Sophos Platinum Partner
    Sophos Solution Partner since 2003

  • You are seeing the SD-WAN rule from Site A, where the RDS server is located.

    This RDS server will reach out to the internet using its own WAN, but will use the VPN route to accept incoming RDS sessions.

    The only issue we have is on Site B, where we must use a static route; otherwise it doesn't follow the SD-WAN rule.

  • Hello,

    Could you please try using "public ip" instead of "DNATed IP (Store LAN)" as the destination in the SD-WAN route configured on Site B? It is better to also use the specific service traffic as a matching criterion; otherwise all WAN-destined traffic could be affected.

    Regards,

    Sanket Shah

    Director, Software Development, Sophos Firewall

  • That wouldn't work, as it would require 2 DNAT rules, and it wouldn't be encrypted through IPsec.