Currently I am migrating from an old ASA to XG and I need to mimic the setup I had on the ASA. With one of our partners we have an IPsec VPN tunnel with multiple NAT rules. In short:
- There are 3 internal networks on my side (192.168.x.a/24, 192.168.x.b/24, 192.168.x.c/24)
- There are 2 servers on the partner side (s1, s2) and one network (192.168.z.d/24)
- My network 192.168.x.a/24 should be NATed to 10.x.y.z when accessing s1
- My networks 192.168.x.b/24 and 192.168.x.a/24 should be NATed to 10.x.y.d when accessing s2
- The partner network 192.168.z.d/24 will access a server in 192.168.x.c/24 using the 10.x.y.d address on their side
So far my understanding is that NAT from my side can be configured in the IPsec VPN configuration tab under network details, but there is no way to specify a different NAT depending on destination. So the first question is how in XG I can configure different NAT depending on destination - should I configure it as a firewall rule? If so, what should be set as the gateway for the traffic to go into the IPsec tunnel?
The second topic is how to configure a Business application rule to expose my server to the network on the other end of the IPsec tunnel. What is the source zone - VPN? In allowed networks I am assuming I should enter the remote network?
As usual any help appreciated :)
Select Site-to-Site as the connection type of the IPsec tunnel; you will see the NATed LAN box.
Please raise a new question for the Business Rule configuration.
Sachin Gurung, Team Lead | Sophos Technical Support
This unfortunately doesn't solve my problem/question. I did configure the site-to-site VPN, but in the NATed LAN box I can specify only NAT rules based on the source network (unless I am missing something). What I need is info on how to configure NAT based on both source AND DESTINATION address, and this NAT needs to be applied to traffic going into the IPsec tunnel. Are you saying that in such a case I need to configure nothing in IPsec and move the whole NAT configuration to firewall rules?
Hi Pawel,
Let me simulate the scenario and I will give the configuration as well.
Aditya Patel, Global Escalation Support Engineer | Sophos Technical Support
I have a similar issue but with only a single local network going to 2 partner networks.
- My network is 10.0.0.0/24 and should be NAT'd to 172.22.208.0/26 when accessing either partner network.
- Partner network 1 is 188.8.131.52/24
- Partner network 2 is xxx.xxx.204.0/23
IPsec Network Details:
Local Subnet: 172.22.208.0/26
NATed LAN: 10.0.0.0/24
Remote LAN Network: 192.168.99.0/24 and xxx.xxx.204.0/23
When performing a packet capture for ping we saw that the outgoing interface was Port2 (WAN) rather than the IPsec tunnel. The route was configured manually via CLI to use the tunnel. When running a capture again, we saw the interface was ipsec0, the source was 10.0.0.20 and the destination was xxx.xxx.204.5, as seen below. Which is good. But no packets were sniffed on the partner side. The NAT is configured the way Sachin suggested, but how do I check or verify the NAT table? Or is there a separate rule that needs to be created in addition?
14:45:41.881 Port1, IN: In aa:bb:cc:dd:ee:ff ethertype IPv4 (0x0800), length 76: (tos 0x0, ttl 128, id 22888, offset 0, flags [none], proto ICMP (1), length 60) 10.0.0.20 > xxx.xxx.204.5: ICMP echo request, id 1, seq 18953, length 40
14:45:41.880 ipsec0, OUT: Out ff:ee:dd:cc:bb:aa ethertype IPv4 (0x0800), length 76: (tos 0x0, ttl 127, id 22888, offset 0, flags [none], proto ICMP (1), length 60) 10.0.0.20 > xxx.xxx.204.5: ICMP echo request, id 1, seq 18953, length 40
I have simulated the environment you requested.
In my scenario:
Local Network 10.10.40.0/24
Communication with Site B 10.10.10.1 with NAT address 184.108.40.206
Communication with Site B 10.10.10.129 with NAT address 220.127.116.11
Configuration on Rules (Site A)
Rule 1 LAN to VPN: Source Zone LAN, Destination Zone VPN, Source Network (Local Network), Destination IP SERVER_A 10.10.10.1 address, NAT policy 18.104.22.168
Rule 2 LAN to VPN: Source Zone LAN, Destination Zone VPN, Source Network (Local Network), Destination IP SERVER_B 10.10.10.129 address, NAT policy 22.214.171.124
Rule 3 VPN to LAN: Source Zone VPN, Destination Zone LAN, Source Network ANY, Destination ANY, NAT policy None
Configuration on Tunnel (Site A)
Local Subnet: 10.10.40.0/24, 126.96.36.199/24 (NAT Network DUMMY to establish the SA)
Remote Subnet: 10.10.10.0/24
Configuration on Rules (Site B)
Rule 1 LAN to VPN: Source Zone LAN, Destination Zone VPN, Source Network ANY, Destination IP ANY address, NAT policy None
Rule 2 VPN to LAN: Source Zone VPN, Destination Zone LAN, Source Network ANY, Destination ANY, NAT policy None
Configuration on Tunnel (Site B)
Local Subnet: 10.10.10.0/24
Remote Subnet: 10.10.40.0/24, 188.8.131.52/24 (NAT Network DUMMY to accept the NATed address)
I will try tonight. One more thing - did you try using only the NAT Network DUMMY in the tunnel configuration?
Yes. The dummy network is used the same as the NATed address, in your case 10.x.x.x/subnet.
I did test it and it works partially. From my observation it looks like I always have to add the local subnet to the tunnel configuration. If I am not mistaken, XG sends traffic to the IPsec tunnel based on the original address and only then applies the firewall rules which do the NAT. If this is the case - is there a way to do NAT first and then, after NAT, send the traffic through IPsec?
Yes, it would first have the IPsec routes in the route table, then it would identify which route to send the traffic to. Once it comes onto the LAN it would pass through the VPN based on the firewall rules. If we apply the NAT, it would NAT before sending out to the VPN tunnel. But in the tunnel configuration you would need to include both the NAT network and the Local Network for the route, and accept the connection on the remote end; that would be accomplished when the SA is established.
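As an added illustration (not from the thread or from Sophos), this Python model encodes the behaviour Aditya describes: the route into the tunnel is chosen on the original address, the firewall rule then applies the NAT, and both the local network and the NAT network have to appear as selectors on both ends. The 10.10.40.0/24 and 10.10.10.0/24 networks are Aditya's; the 172.16.1.x NAT addresses and the rule/tunnel dictionary shapes are constructed assumptions.

```python
"""Added example, not from the thread: a model of the ordering Aditya describes on
Sophos XG (route lookup on the ORIGINAL address, then firewall-rule NAT, then the
IPsec selectors), used to check a tunnel definition against LAN-to-VPN NAT rules.
The dict shapes and the 172.16.1.0/24 NAT range are constructed assumptions."""
from ipaddress import ip_address, ip_network

# Constructed rules in the shape of Aditya's Rule 1 / Rule 2 (LAN -> VPN, source NAT).
RULES = [
    {"source": "10.10.40.0/24", "destination": "10.10.10.1/32", "nat": "172.16.1.1"},
    {"source": "10.10.40.0/24", "destination": "10.10.10.129/32", "nat": "172.16.1.2"},
]
# Tunnel on the local XG: the "dummy" NAT network sits next to the real LAN subnet.
TUNNEL = {
    "local": ["10.10.40.0/24", "172.16.1.0/24"],        # local subnets incl. NAT network
    "remote": ["10.10.10.0/24"],                         # partner subnet
    "peer_remote": ["10.10.40.0/24", "172.16.1.0/24"],  # what the partner lists as remote
}
def in_any(addr, nets):
    return any(ip_address(addr) in ip_network(n) for n in nets)

def forward(src, dst, rules=RULES, tunnel=TUNNEL):
    """Return (egress interface, source after NAT, accepted by peer) for one packet."""
    # 1. Route lookup sees the original addresses: no matching remote subnet, no IPsec route.
    if not in_any(dst, tunnel["remote"]):
        return ("Port2", src, False)
    # 2. The firewall rule matches on source AND destination; the first match rewrites src.
    new_src = src
    for r in rules:
        if in_any(src, [r["source"]]) and in_any(dst, [r["destination"]]) and r["nat"]:
            new_src = r["nat"]
            break
    # 3. Post-NAT source must fit a local SA selector and be a remote network on the partner.
    if not in_any(new_src, tunnel["local"]):
        return ("ipsec0", new_src, False)
    return ("ipsec0", new_src, in_any(new_src, tunnel["peer_remote"]))

def missing_selectors(rules=RULES, tunnel=TUNNEL):
    """Report which subnets the tunnel definition lacks for the NAT rules to work."""
    missing = set()
    for r in rules:
        src_net = ip_network(r["source"])
        if not any(src_net.subnet_of(ip_network(n)) for n in tunnel["local"]):
            missing.add(("local", r["source"]))            # route for the original LAN
        if not in_any(r["nat"], tunnel["local"]):
            missing.add(("local", r["nat"]))               # selector for the NATed address
        if not in_any(r["destination"].split("/")[0], tunnel["remote"]):
            missing.add(("remote", r["destination"]))
        if not in_any(r["nat"], tunnel["peer_remote"]):
            missing.add(("partner remote", r["nat"]))      # partner must accept NATed src
    return sorted(missing)
```

Dropping the NAT network from either end reproduces the partial result from the thread: the packet still leaves on ipsec0 with the NATed source, but nothing arrives at the partner.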
Do you know the trick to do NAT first and only then send the traffic through the VPN? Is there a way to create a fake network, send traffic to this network using a firewall rule to do the NAT, and only then send the traffic back to the Sophos to send it through the IPsec tunnel? Sorry for this long thread, but migrating from Cisco is a little difficult as Cisco works the opposite way - first NAT and then IPsec.