Important note about SSL VPN compatibility for 20.0 MR1 with EoL SFOS versions and UTM9 OS. Learn more in the release notes.

This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Multiple nat on single ipsec tunnel

Hi,

 

Currently I am migrating from old ASA to XG and I need to mimic setup I had on ASA. With one of our partner we have IPSEC VPN tunnel with multiple NAT rules. In short:

- There are 3 internal networks on my side (192.168.x.a/24, 192.168.x.b/24, 192.168.x.c/24)

- There are 2 servers on partner side ( s1, s2 ) and one network (192.168.z.d/24)

- My network 192.168.x.a/24 should be nated to 10.x.y.z when accessing s1

- My networks 192.168.x.b/24 and 192.168.x.a/24 should be nated to 10.x.y.d when accessing s2

- Partner network 192.168.z.d/24 will access server in 192.168.x.c/24 using 10.x.y.d address on their side

So far my understanding is that nat from my side I can configure in IPASEC VPN configuration tab in network details but there is no way to specify different NAT depending on destination. So first question is how in XG I can configure different NAT depending on destination - should I configure it as firewall rule? If so what should be set as gateway for traffic to go into IPSEC tunnel.

Second topic is how to configure Business application rule to expose my server to network on other end of ipsec tunnel. What is source zone - VPN? In allowed networks I am assuming I should enter remote network?

As usual any help appreciated :)

Pawel 



This thread was automatically locked due to age.
Parents
  • Hi Pawel,

    Select Site-to-Site in the connection type of IPSec tunnel, you will the NATed LAN box. 

    Please raise a new question for the Business Rule configuration. 

    Thanks

    Sachin Gurung
    Team Lead | Sophos Technical Support
    Knowledge Base  |  @SophosSupport  |  Video tutorials
    Remember to like a post.  If a post (on a question thread) solves your question use the 'This helped me' link.

  • Sachin,

     

    This unfortunately doesn't solve my problem/question. I did configure site-2-site VPN but in NATed LAN box I can specify only NAT rules based on source network (unless I am missing something). What i need is info how to configure NAT based on both source AND DESTINATION address and this NAT needs to be applied for traffic going into IPSEC tunnel. Are You saying that in such case I need to configure nothing in IPSEC and move whole NAT configuration to firewall rules?

     

    Thanks

    Pawel

Reply
  • Sachin,

     

    This unfortunately doesn't solve my problem/question. I did configure site-2-site VPN but in NATed LAN box I can specify only NAT rules based on source network (unless I am missing something). What i need is info how to configure NAT based on both source AND DESTINATION address and this NAT needs to be applied for traffic going into IPSEC tunnel. Are You saying that in such case I need to configure nothing in IPSEC and move whole NAT configuration to firewall rules?

     

    Thanks

    Pawel

Children