Important note about SSL VPN compatibility for 20.0 MR1 with EoL SFOS versions and UTM9 OS. Learn more in the release notes.

Thread Info
  • State Not Answered
  • Locked Locked
  • Replies 6 replies
  • Subscribers 40 subscribers
  • Views 1747 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Trouble routing a packet from site A via site B to site C (with SNAT)

apijnappels

I have something strange for the following situation.

VPN connection between site A and site B (tried both policy-based and route-based) and a policy-based VPN-connection between site B and site C.

Intention is to reach site C from site A while there is no possibility to add Site A's subnet to the tunnel between B and C. Therefore from B the traffic should be SNATted to a site B ip-address.

  • Site C's subnet is in the tunnel between site A and site B.
  • Site A can succesfully reach resources at site B.
  • Subnet Site A: 10.0.0.0/24
  • Subnet Site B: 192.168.21.0/24
  • Subnet Site C: 10.23.1.0/24

At site B we did a packet capture to see what happens with the traffic and this is what happens with a ping from site A to site B, which is expected output, packet comes in gets forwarded, reply comes in and gets forwarded back to source:

However, when pinging to site C we see the packet arriving on ipsec0 just as above, then the second packet is weird; it lists traffic from ipsec0 to ipsec0 as status Generated (and not forwarded) with the source and destination address inverted and from the pinging station at site A they receive a really strange output:

  • I tried adding ipsec_route to 10.23.1.0/24 net from the console at site B
  • tried it without the ipsec_route
  • for route-based VPN I also created a SD-WAN route to 10.0.0.0/24 network to the tunnel interface
  • Route precedence is: VPN, SD-WAN, Static
  • tried to NAT traffic for 10.23.1.0/24 with firewall rule with Linked NAT rule
  • tried to NAT this subnet directly from the policy based ipsec connection

Most of the time it is just a request timeout and at some config we got the above strange output from ping.

Site A is a OPNsense firewall, site B is the Sophos XG with 19.5.3 MR-3 version on it. Site C has Cisco firewall IIRC.

I don't know what else I can try or where I am making a thinking fault. I have similar setups on other sites where traffic from A is SNATTED at B to C and they all work flawlessly, but not on this occasion.

Anyone have a clue what I'm missing and why the packet capture status says Generated instead of Forwarded?



This thread was automatically locked due to age.
Parents
  • 0

    My thought here is: Why using a Firewall in between, both could connect between each other, if that is needed. 

    And why do you have to NAT? 

    When you reach Site C, can you also show us the packet capture? And also show us the NAT rule you are using. 

    __________________________________________________________________________________________________________________

  • 0 in reply to LuCar Toni

    I'm only managing site B. Site A is managed by customer, site C is managed by other party and is unwilling to make changes, they simply request us to just NAT the traffic. So I don't know if the traffic ever reaches C, but on other sites with similar setups this has never been a problem. There I see the Ping-traffic with status incoming, followed by status forward and the reply-traffic is also first incoming followed by a forward. In this latter case I can also clearly see the "translated IP" traveling between B and C.
    In my current issue, I don't see the translated IP but instead the original source and the destination addresses just seem to be swapped

    Managing several Sophos firewalls both at work and at some home locations, dedicated to continuously improve IT-security and feeling well helping others with their IT-security challenges.

Reply
  • 0 in reply to LuCar Toni

    I'm only managing site B. Site A is managed by customer, site C is managed by other party and is unwilling to make changes, they simply request us to just NAT the traffic. So I don't know if the traffic ever reaches C, but on other sites with similar setups this has never been a problem. There I see the Ping-traffic with status incoming, followed by status forward and the reply-traffic is also first incoming followed by a forward. In this latter case I can also clearly see the "translated IP" traveling between B and C.
    In my current issue, I don't see the translated IP but instead the original source and the destination addresses just seem to be swapped

    Managing several Sophos firewalls both at work and at some home locations, dedicated to continuously improve IT-security and feeling well helping others with their IT-security challenges.

Children
No Data
Unfiltered HTML