
NAT over IPsec Site-to-Site VPN

Greetings fellow members,

I have 2 networks with 1 Sophos firewall each: network A (public IP 80.80.80.128, local network 192.168.20.1/24) and network B (local network 192.168.10.1/24).

Sophos B XGS107 (SFOS 19.5.3 MR-3-Build652)

Sophos A XG135 (SFOS 18.5.2 MR-2-Build380)

IPsec gateway A 172.16.21.1

IPsec gateway B 172.16.21.254

I have a complete connection from one network to the other, meaning firewall rules on both sides. I'm trying to place a NAT translation to access a network resource in network B (192.168.10.105:8022). Although I get hits on the NAT rule in the packet capture, the result I get is that it violates the firewall.

Do I need to configure firewall B too (although I have tried with inside NAT and firewall rules)?

Any ideas would be helpful.

Kind regards,

Roubos Dim

  • Hi Dimitris.

    Thank you for sharing the network topology; this is how I understand it.

    You did mention that you’re configuring a NAT. Can you explain this further? Are you mapping 192.168.10.105:8022 to a different IP, and what is that IP? Since 192.168.10.105 is in firewall B, I suggest creating the NAT rule from there and using MASQ as the translated Source.


    It would also be helpful if you could send us a screenshot of the packet capture error, firewall rule, and NAT rule.

  • The topology is right. The DNAT is a pretty simple NAT, and I also tried a full NAT without any positive results.

    Port 2 is the public IP of network A (80.80.80.128), the service port is 8022, and CAMERA_KALAMARIA is IP 192.168.10.105. Here are the results from the packet capture:

  • Do you have a firewall rule?

    Because the packet capture states a violation, which means no firewall rule is applied.

  • Hi, is your tunnel policy based or route based? Your XG135 is on a pretty old release; you may consider upgrading it to 19.5 MR3 or so. If your tunnel is policy based, do you have the NAT'ed network (or host) in your local subnet on the XG135 and in the remote subnet on the XGS107?