This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Port forwarding WAN to Route based VPN

Geniux 7 months ago

I have 2 XG ver. 20 firewalls between 2 sites, both with Static public IP.

There is a SDWAN route based VPN between the 2 sites, and it works perfect. the roude precedence is SDWAN, Static, VPN.

I am trying to publish an internal server resource that resides in Site A, using the Site B WAN.

There is a firewall rule on Site B - Allow WAN to VPN, with specified TCP port number, and also a NAT rule to DNAT to the internal server.

It does not work. The packets arrive on the Site B WAN interface, and are sent out immediately on the same WAS interface, even there is an SDWAN policy to send anything destined for Site A LAN over the VPN.

I had tried using Source NAT rule as well, but the packets still exit the same WAN interface.

This thread was automatically locked due to age.

Top Replies

Vivek Jagad 7 months ago in reply to Geniux +1 suggested

Hi Geniux , thank you for reaching out to the community, you can refer - Configure a DNAT with route-based VPN .

Parents

0 dirkkotte 7 months ago

Can you show us the route precedence and the SD-WAN Route?
Are there other sd-wan routes (or other static routes)

Dirk

Systema Gesellschaft für angewandte Datentechnik mbH // Sophos Platinum Partner
Sophos Solution Partner since 2003
If a post solves your question, click the 'Verify Answer' link at this post.
Cancel
Vote Up 0 Vote Down

Cancel
0 Geniux 7 months ago in reply to dirkkotte

SD-WAN route, Static route, VPN route.

there is ony 1 SD-WAN route:

The only way I can get the packets to exit the VPN xfrm interface, is by adding a static route. not sure why.
Cancel
Vote Up 0 Vote Down

Cancel
0 Vivek Jagad 7 months ago in reply to Geniux

Hi Geniux , thank you for reaching out to the community, you can refer - Configure a DNAT with route-based VPN.

Thanks & Regards,
_______________________________________________________________

Vivek Jagad | Team Lead, Technical Support, Global Customer Experience

Log a Support Case | Sophos Service Guide
Best Practices – Support Case | Security Advisories
Compare Sophos next-gen Firewall | Fortune Favors the prepared
Sophos Community | Product Documentation | Sophos Techvids | SMS
If a post solves your question please use the 'Verify Answer' button.
Cancel
Vote Up +1 Vote Down

Cancel
0 dirkkotte 7 months ago in reply to Geniux

please show us the SD-WAN Profile ... or try to switch to "primary/sec gateway"

Dirk

Systema Gesellschaft für angewandte Datentechnik mbH // Sophos Platinum Partner
Sophos Solution Partner since 2003
If a post solves your question, click the 'Verify Answer' link at this post.
Cancel
Vote Up 0 Vote Down

Cancel
0 Geniux 7 months ago in reply to Vivek Jagad

The DNAT wouldn't help me either, becasue i want that the server in Site A to get real clients IP address.

So I want the packet just be routed over the VPN from Site B all the way to the server in Stie A with the original source IP.

The reply packet from the server is handled by an SD-WAN rule on site A:

it all works, but the only issue is that the Site B XG must use a static route, instead of SD-WAN
Cancel
Vote Up 0 Vote Down

Cancel
0 dirkkotte 7 months ago in reply to Geniux

Why you have switched surce & dst-ports within service definition?

Dirk

Systema Gesellschaft für angewandte Datentechnik mbH // Sophos Platinum Partner
Sophos Solution Partner since 2003
If a post solves your question, click the 'Verify Answer' link at this post.
Cancel
Vote Up 0 Vote Down

Cancel

Reply

0 dirkkotte 7 months ago in reply to Geniux

Why you have switched surce & dst-ports within service definition?

Dirk

Systema Gesellschaft für angewandte Datentechnik mbH // Sophos Platinum Partner
Sophos Solution Partner since 2003
If a post solves your question, click the 'Verify Answer' link at this post.
Cancel
Vote Up 0 Vote Down

Cancel

Children

0 Geniux 7 months ago in reply to dirkkotte

you are seeing the SD-WAN rule from SiteA where the rds server is located.

This RDS server will reach out to the internet using it's own WAN, but will use the VPN route to accept incoming RDS sessions.

The only issue we have is on Site B where we must use use a static route, otherwise it doesn't follow the SD-WAN rule
Cancel
Vote Up 0 Vote Down

Cancel
0 sanket.shah 7 months ago in reply to Geniux

Hello Geniux ,

Could you please try using "public ip" instead of "DNATed IP (Store LAN)" as a destination in SDWAN route configured on Site-B? Better to use specific service traffic also as a matching criteria otherwise all WAN destined traffic could get affected.

Regards,

Sanket Shah

Director, Software Development, Sophos Firewall
Cancel
Vote Up +1 Vote Down

Cancel
0 Geniux 7 months ago in reply to sanket.shah

That wouldn't work, as it will require 2 dnat rules, and it wouldn't be encrypted through ipsec
Cancel
Vote Up 0 Vote Down

Cancel