
LAN traffic being routed outside

Hello

I have an SG210 running firmware 9.411-3.

I have set up a new IPSEC VPN to subnet 192.168.X.0/22 - this is a 1:1 NAT VPN on my side as the other side is already using my subnet - the fake subnet I have created is 192.168.72/23. The other end of the VPN can ping me fine on the 192.168.72.0/23 subnet. My real subnet is 192.168.X.0/23

The VPN is up OK but I cannot route data down it. When I tracert to that subnet traffic goes down our WAN to our ISP who reports that the host is unreachable.

The subnet is in the routing table OK.

Any ideas on what I am doing wrong?

Many thanks



  • Your story is not completely clear to me, but if you have the same (or overlapping) subnet on both sides of the S2S tunnel, then you will indeed need to NAT inside the tunnel. This will most likely needed to be done on both sides of the tunnel.

    On your side you need to SNAT your internal traffic destined for the remote network(s) to the NATted subnet that's inside the tunnel. (Since you say now traffic is leaving over the internet interface, you most likely forgot (or misconfigured) the SNAT rule on your side.)

    You also need a DNAT rule for the traffic from the remote side of the tunnel (which will be arriving on your fake subnet) to be natted to your real subnet.


    Managing several Sophos firewalls both at work and at some home locations, dedicated to continuously improve IT-security and feeling well helping others with their IT-security challenges.
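A small added model of the SNAT/DNAT logic described in the reply above (example code written for this page, not from the thread or from Sophos UTM). Because the thread masks the real LAN as 192.168.X.0/23 and the remote network as 192.168.X.0/22, constructed placeholders stand in for them; the fake subnet 192.168.72.0/23 is the one from the thread. It shows why a packet from the real LAN that is not SNATted fails to match the tunnel selectors and falls through to the default route, and how the return-path DNAT maps the fake address back.

```python
import ipaddress

# Constructed placeholders, not values from the thread: the poster's real LAN
# (masked as 192.168.X.0/23) and the remote side (masked as 192.168.X.0/22).
REAL_LAN = ipaddress.ip_network("192.168.10.0/23")   # placeholder for 192.168.X.0/23
FAKE_LAN = ipaddress.ip_network("192.168.72.0/23")   # NATted subnet inside the tunnel
REMOTE = ipaddress.ip_network("192.168.20.0/22")     # placeholder for remote 192.168.X.0/22


def map_1to1(addr, src_net, dst_net):
    """1:1 NAT: translate addr to the host with the same offset in dst_net."""
    addr = ipaddress.ip_address(addr)
    if addr not in src_net or src_net.prefixlen != dst_net.prefixlen:
        raise ValueError(f"{addr} not in {src_net} or prefix lengths differ")
    offset = int(addr) - int(src_net.network_address)
    return ipaddress.ip_address(int(dst_net.network_address) + offset)


def snat_outbound(src, dst):
    """SNAT rule: real LAN -> remote gets its source rewritten into the fake subnet."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if src in REAL_LAN and dst in REMOTE:
        return map_1to1(src, REAL_LAN, FAKE_LAN)
    return src  # any other traffic (e.g. to the internet) is left untouched


def dnat_inbound(src, dst):
    """DNAT rule: remote -> fake subnet gets its destination rewritten to the real LAN."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if src in REMOTE and dst in FAKE_LAN:
        return map_1to1(dst, FAKE_LAN, REAL_LAN)
    return dst


def route(src, dst, snat_enabled=True):
    """Where a LAN packet goes: the tunnel only if it matches the IPsec selectors
    (fake subnet <-> remote); otherwise it follows the default route to the ISP."""
    src = snat_outbound(src, dst) if snat_enabled else ipaddress.ip_address(src)
    dst = ipaddress.ip_address(dst)
    if src in FAKE_LAN and dst in REMOTE:
        return "ipsec-tunnel"
    return "default-route-wan"  # the symptom in the thread: ISP reports host unreachable
```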

  • Thank you for your reply

    I had attempted to restrict traffic on the NAT rule. I changed the traffic type to "ANY" on the NAT rule and restricted traffic via firewall rules instead.

    All is now OK
