Sophos XGS: DNAT Through Routed VPN

RE: Sophos XGS: DNAT Through Routed VPN

FMXio — Thu, 14 Nov 2024 12:47:51 GMT

Hello Naidu! Thank you. I'll check it out later. I actually sorted that issue out after adding an alias like Toni mentioned.

RE: Sophos XGS: DNAT Through Routed VPN

FMXio — Thu, 14 Nov 2024 12:34:26 GMT

Toni, I appreciated it! This one worked beautifully.Thanks!!

[quote userid="45582" url="~/sophos-xg-firewall/f/discussions/147982/sophos-xgs-dnat-through-routed-vpn/548618"]You can workaround this by putting the ALIAS IP of 192.168.10.5 on the LAN interface of the SFOS Firewall. Therefore we will reply to the ARP and then the connection will be routed. [/quote]

RE: Sophos XGS: DNAT Through Routed VPN

Sreenivasulu Naidu — Thu, 14 Nov 2024 11:42:49 GMT

Or you can follow the suggestion given by me @ RE: force outgoing through the xfrm interface if that works.

In the NAT rule of SFOS, either chose MASQ if xfrm ip to be used or keep it as 'Original' and configure 192.168.10.5 on the LAN port of SFOS.

RE: Sophos XGS: DNAT Through Routed VPN

Sreenivasulu Naidu — Thu, 14 Nov 2024 04:57:50 GMT

Hi FMXio, you may consider WAF over RBVPN IPsec to achieve what you have described. You will have to use RBVPN with local and remote subnets as Any and Any on SFOS.

https://docs.sophos.com/nsg/sophos-firewall/20.0/Help/en-us/webhelp/onlinehelp/AdministratorHelp/RulesAndPolicies/WebServerProtection/WAF/Rules/WAFSDWANRoutes/index.html

RE: Sophos XGS: DNAT Through Routed VPN

FMXio — Wed, 13 Nov 2024 19:47:51 GMT

Hey, I confess I thought about it, but with so many ideas at the same time, this one just disappeared. Now, after setting up this alias, the regular DNAT on the GUI interface is registering logs. That rule in the console, 'set advanced-firewall sys-traffic-nat add destination 172.16.10.5 snatip 192.168.10.5', didn't work. Thanks!!!! I'll keep finding a solution, and now I can capture packets and think better...

RE: Sophos XGS: DNAT Through Routed VPN

PhilippRusch — Wed, 13 Nov 2024 18:20:31 GMT

THAT sounds like a solution - good point!

RE: Sophos XGS: DNAT Through Routed VPN

LuCar Toni — Wed, 13 Nov 2024 18:17:39 GMT

True, i missed this:

Maybe PFsense is solving this differently, but what you have here is:
As there is no device to answer to this IP in your network, SFOS will also not do an ARP for it.
The client will reach out with an ARP to look for 192.168.10.5 - But SFOS is not responsible for it - So it will not answer and the SYN Paket will never be send.

You can workaround this by putting the ALIAS IP of 192.168.10.5 on the LAN interface of the SFOS Firewall. Therefore we will reply to the ARP and then the connection will be routed.

RE: Sophos XGS: DNAT Through Routed VPN

FMXio — Wed, 13 Nov 2024 17:43:43 GMT

Thanks for your input, Philipp! Actually, I'm trying to redirect all the requests made from 192.168.10.0/24 to a server at 192.168.10.5 (Local-IPSec VPN) to another server (via IPSec VPN) at 172.16.10.5.

RE: Sophos XGS: DNAT Through Routed VPN

PhilippRusch — Wed, 13 Nov 2024 17:22:42 GMT

Hello,

you are trying to reach a server at 192.168.10.5 /24 from the local LAN with 192.168.10.0 /24.

This traffic will never hit the router (= gateway), because that traffic is inside your LAN and will stay there, no need to involve the gateway.

So basically, you can configure very sophisticated rules and settings at the Sophos XGS, but that won't work.

Are you trying to avoid changing the Server-IP at the clients?

RE: Sophos XGS: DNAT Through Routed VPN

FMXio — Wed, 13 Nov 2024 16:24:16 GMT

Thanks, LuCar, I'm reading up on 'Sophos Firewall: Routing in Sophos Firewall with SD-WAN PBR ' right now. Appreciate it!"

RE: Sophos XGS: DNAT Through Routed VPN

LuCar Toni — Wed, 13 Nov 2024 16:14:39 GMT

You should look into this: Sophos Firewall: Routing in Sophos Firewall with SD-WAN PBR

Basically: You need a NAT + Routing to get this running. Because NAT will only translate, but the firewall needs the route as well. Use static routing or SD-WAN Routing.

RE: Sophos XGS: DNAT Through Routed VPN

FMXio — Wed, 13 Nov 2024 15:13:58 GMT

I remember doing it in pfSense once, but I didn't imagine it would be so hard in Sophos XGs.

Firmware - SFOS 20.0.2 MR-2-Build378

[quote user="FMXio"]

Hello everyone,

I am attempting to redirect all requests made to 192.168.10.5 to 172.16.10.5. The VPN is working properly on both sides.

Sophos XGS: DNAT Through Routed VPN

Details:

#VPN Working 100%
LOCAL-LAN: 192.168.10.0/24 (Sophos)
REMOTE-LAN: 172.16.10.0/24 (pfSense)

#Servers
Old Server: 192.168.10.5
New Server: 172.16.10.5

I've set up a DNAT rule as follows:

Source: 192.168.10.0/24
Original Destination: 192.168.10.5
Translated Source: Original
Translated Destination: 172.16.10.5

I've also tried adding a DNAT rule via the console, both independently and in conjunction with the above rule, but with no success:

set advanced-firewall sys-traffic-nat add destination 172.16.10.5 snatip 192.168.10.5

[/quote]