DNAT VPN SDWAN

Hello,

Thank you for contacting Sophos Community!

Could try adding the static route for the destination via XFRM interface?

Also, make sure that we have route precedence set as static, VPN and SDWAN.

Do you have sys-gen Traffic for SD-WAN enabled? https://docs.sophos.com/nsg/sophos-firewall/20.0/help/en-us/webhelp/onlinehelp/AdministratorHelp/Routing/SDWANRoutes/RoutingSDWANRoutesBehavior/index.html#reply-packets 

Hello, I followed the procedures, and with the static route, it worked. However, doesn't this method mean that I would no longer use SLA and the load balancing of the SD-WAN profile, even if it's just a route for a single host

Hi LuCar Toni 

Yes it is currently enabled

Hello,

Thank you for the update. I could assume that when we only routes the traffic via SDWAN, the firewall does not add the destination in their routing table. You may add the static route for the same destination via another XFRM interface with metric and distance. However, I shall check internally if there is any other way around.

support.sophos.com/.../KBA-000007806

Could it be possible to change SDWAN route destination to "original IP" instead of "translated networks - 172.20.x.x" and verify once?

Hello Mayur Makvana 

thank you for the information provided

Hello sanket.shah ,

Let me know if I’ve misunderstood. The 'real IP' you mentioned, would that be the public IP I’m using to reach the host specified in the DNAT rule? If so, would I need to create another SD-WAN route above this one to avoid affecting other subnets? Since I have services running on these subnets that cannot be interrupted, I will need to schedule a time to test

You can update current SDWAN route also if this route is created for DNATed traffic only. If this SDWAN route covers other traffic as well then I would suggest to put one SDWAN route below first and check (if that doesn't work, please also try by putting it above).

 Hi Alves ,

I believe we shall have to continue with the steps provided earlier of adding static route.