UTM with NATed VPN to Fortigate 2600f

Hi

please help is needed would someone point me in the direction for information on how to set up a NATed VPN on a UTM9?

While i have set up many VPN tunnels having a NATed VPN is very new to me.

Any help greatly appreciated

Parents
  • hi

    thanks for the response

    the NAT will occur in the Sophos UTM

    Hopefully this diagram will help

    The FortiGate we have no access to.

    ip addresses are fictional but similar to the actual usage

    thank you for your help

    Chris

  • Hello Chris,

    you have three sources and two destinations, how do you want to decide which net "sees" which other net(s)?

    What is your goal? Do you want to have the three nets on the left to have the source IP 10.12.21.32 /32?

    Mit freundlichem Gruß, Regards from Germany,

    Philipp Rusch

    New Vision GmbH, Germany
    Sophos Silver-Partner

    If a post solves your question please use the 'Verify Answer' button.

  • Hi

    thanks again for responding

    on the utm 9 any of the 3 172 networks should NAT to the 10.12.21.0/28 network and access any of the 10.53.and 10.55 on the FortiGate network.

    sorry that my knowledge is very limited on using the NAT with a VPN as this is the first time i have done NAT with a VPN

    it is my  hope this helps you help me.

    thank you

    Chris

  • Chris, I will try to explain the dilemma you are producing here in simple words:

    It seems that you want to do a 1:1 NAT (= whole networks).

    So when a packet from 10.53.40.0/22 net arrives at the "UTM 9", how shall the decision be made that it is arriving at 10.12.21.0 /28 and then NATted to 172.22.0.0 /16 OR to 172.21.0.0 /16 OR to 172.26.0.0 /16  ???? Only one of these decisions can be done like that! Same thing applies for your other net 10.55.4.0 /24. You cannot "collapse" several nets into one like that.

    If you just need to reach several hosts in those networks, that would be a totally different thing.

    Mit freundlichem Gruß, Regards from Germany,

    Philipp Rusch

    New Vision GmbH, Germany
    Sophos Silver-Partner

    If a post solves your question please use the 'Verify Answer' button.

  • Hi

    please let me forward this to the person at the other end as he may have a better answer

  • Hello Chris,

    in terms of IPsec, you will have different SAs for different source/destination networks.

    if you have two nets on one side and three nets on the other side, you need 6 SA's, if you are doing NAT, or not.

    Otherwise you will not be able to differentiate the nets as explained above.

    Mit freundlichem Gruß, Regards from Germany,

    Philipp Rusch

    New Vision GmbH, Germany
    Sophos Silver-Partner

    If a post solves your question please use the 'Verify Answer' button.

  • Hi Chris and welcome to the UTM Community!

    it's not clear to me why you need to use NAT.  If there are no overlapping subnets, a straightforward IPsec tunnel can be built.

    If the other side only wants to see traffic from 10.20.12.32/28, you will need three SNATs like

        SNAT : {172.21.0.0/16} -> Any -> {Network Group of their subnets} : from 10.20.12.33

    In your IPsec connection, you will have only {10.20.12.32/28} in 'Local 'Networks'.

    I built this solution years ago for a supplier to Chrysler.

    Philipp, I think he'll then have only two SAs:

         10.20.12.32/28<->10.53.40.0/22
         10.20.12.32/28<->10.55.4.0/24

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi

    we now have the ability to ping thru, however the other end has tis set up such that when using the URL xxx.yyy.com the  public DNS returns the private ip address. this is ok when doing ping or traceroute however when using a browser the Sophos firewall returns the following error "no route to host".

Reply
  • Hi

    we now have the ability to ping thru, however the other end has tis set up such that when using the URL xxx.yyy.com the  public DNS returns the private ip address. this is ok when doing ping or traceroute however when using a browser the Sophos firewall returns the following error "no route to host".

Children
No Data