Sophos XGS: DNAT Through Routed VPN

Question

Hello everyone, 
 I am attempting to redirect all requests made to 192.168.10.5 to 172.16.10.5. The VPN is working properly on both sides. 
 Sophos XGS: DNAT Through Routed VPN 
 Details: 
 #VPN Working 100% LOCAL-LAN: 192.168.10.0/24 (Sophos) REMOTE-LAN: 172.16.10.0/24 (pfSense) 
 #Servers Old Server: 192.168.10.5 New Server: 172.16.10.5 
 I've set up a DNAT rule as follows: 
 Source: 192.168.10.0/24 Original Destination: 192.168.10.5 Translated Source: Original Translated Destination: 172.16.10.5 
 I've also tried adding a DNAT rule via the console, both independently and in conjunction with the above rule, but with no success: 
 set advanced-firewall sys-traffic-nat add destination 172.16.10.5 snatip 192.168.10.5

PhilippRusch · Accepted Answer

Hello, 
 you are trying to reach a server at 192.168.10.5 /24 from the local LAN with 192.168.10.0 /24. 
 This traffic will never hit the router (= gateway), because that traffic is inside your LAN and will stay there, no need to involve the gateway. 
 So basically, you can configure very sophisticated rules and settings at the Sophos XGS, but that won't work. 
 Are you trying to avoid changing the Server-IP at the clients?

LuCar Toni · Answer

True, i missed this: 
 Maybe PFsense is solving this differently, but what you have here is: As there is no device to answer to this IP in your network, SFOS will also not do an ARP for it. The client will reach out with an ARP to look for 192.168.10.5 - But SFOS is not responsible for it - So it will not answer and the SYN Paket will never be send. 
 You can workaround this by putting the ALIAS IP of 192.168.10.5 on the LAN interface of the SFOS Firewall. Therefore we will reply to the ARP and then the connection will be routed.

Sreenivasulu Naidu · Answer

Hi FMXio, you may consider WAF over RBVPN IPsec to achieve what you have described. You will have to use RBVPN with local and remote subnets as Any and Any on SFOS. 
 https://docs.sophos.com/nsg/sophos-firewall/20.0/Help/en-us/webhelp/onlinehelp/AdministratorHelp/RulesAndPolicies/WebServerProtection/WAF/Rules/WAFSDWANRoutes/index.html

Sreenivasulu Naidu · Answer

Or you can follow the suggestion given by me @ RE: force outgoing through the xfrm interface if that works. 
 In the NAT rule of SFOS, either chose MASQ if xfrm ip to be used or keep it as 'Original' and configure 192.168.10.5 on the LAN port of SFOS.

Sophos XGS: DNAT Through Routed VPN

Top Replies