
Issue DNAT'ing/Port Forwarding across IPSec VPN tunnel

Hello,

Running into an issue DNAT'ing/Port Forwarding traffic to reach a server across an IPsec VPN. The web server is 192.168.14.250 in site A but needs to be DNAT'ed/Port Forwarded to the WAN interface of site B.

Site A:
  Sophos UTM 9.7
  WAN 1.1.1.1
  LAN 192.168.14.0/24
  Web Server: 192.168.14.250 Ports 80, 443

<IPSec VPN established between Site A and Site B>

Site B:
  Sophos UTM 9.7
  WAN 2.2.2.2
  LAN 172.16.24.0/24

Any help would be greatly appreciated! I've been working on this for a few days without success.

Thank you!



  • Hi Pablo and welcome to the UTM Community!

    You need a Full NAT instead of a DNAT.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
    • Hi Bob,

      Thanks for the reply! I have tried a full NAT with the following settings without success:

      Rule Type: Full NAT

      Matching condition:
      For traffic from: Any
      Using service: HTTP
      Going to: WAN Address (Site B 2.2.2.2)

      Action:
      Change destination to: 192.168.14.250 (Web Server site A)
      And the service to: HTTP
      Change the source to: 172.16.24.254 <<< Firewall inside IP for site B, is this correct?
      And the service to: HTTP

      Automatic firewall rules: Ticked

      What am I missing? If I log initial packets, I see the traffic traverse in the Firewall log, but the HTTP request from outside just times out.

      Any help is greatly appreciated!

      Thank you


      • Please show a picture of the Edit of the NAT rule.

        Cheers - Bob

        • Hi Bob,

          Please see the attached image.

          Thank you

          • That looks good, Pablo.  The source should be changed to the IP of "Internal (Address)" - is that what you have?  You don't need to change the service - just leave that blank.  See #5 in Rulz (last updated 2019-04-17).

            If this isn't working, please show pics of the Edits of the IPsec Connection and Remote Gateway.

            Cheers - Bob

            • Hi Bob,

              I left the services blank per your suggestion and changed the source to the internal LAN IP object (same IP as before, just a different object name). No luck.

              Site B IPSec Screenshots:

              Site A Screenshots:

              The VPN tunnel is up; I can ping bidirectionally from each site:

              Thank you

              • That all looks perfect, Pablo.  Do you see any related blocks in the Firewall log?

                Cheers - Bob

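Why Bob's "Full NAT instead of a DNAT" advice matters for this layout, as an added illustration that is not from the thread or from Sophos: a small Python model of policy-based IPsec selectors follows one HTTP request through site B's NAT rule and the web server's reply. It assumes 172.16.24.254 is the site B UTM's "Internal (Address)" and uses a constructed Internet client 203.0.113.5.

```python
"""Constructed model of the two-site setup in the thread; not Sophos UTM code."""
import ipaddress

SITE_A_LAN = ipaddress.ip_network("192.168.14.0/24")   # site A, behind 1.1.1.1
SITE_B_LAN = ipaddress.ip_network("172.16.24.0/24")    # site B, behind 2.2.2.2
WEB_SERVER = "192.168.14.250"
SITE_B_INTERNAL = "172.16.24.254"  # assumed "Internal (Address)" of the site B UTM


def in_tunnel(src, dst, local_lan, remote_lan):
    """Policy-based IPsec: a packet enters the tunnel only if it matches the
    local/remote network selectors; anything else follows the default route (WAN)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return "ipsec" if s in local_lan and d in remote_lan else "wan"


def apply_site_b_rule(client_ip, rule):
    """Translate client_ip -> 2.2.2.2:80 according to the NAT rule type.
    'dnat' rewrites only the destination; 'full_nat' also rewrites the source."""
    if rule not in ("dnat", "full_nat"):
        raise ValueError(rule)
    src = SITE_B_INTERNAL if rule == "full_nat" else client_ip
    return src, WEB_SERVER


def simulate(client_ip, rule):
    """Follow one HTTP request from an Internet client and the server's reply."""
    src, dst = apply_site_b_rule(client_ip, rule)
    request_path = in_tunnel(src, dst, SITE_B_LAN, SITE_A_LAN)
    if request_path != "ipsec":
        # The translated packet does not match site B's selectors, so it leaves
        # via the WAN (or is dropped) and the web server never sees it.
        return {"request_path": request_path, "reply_path": None, "ok": False}
    reply_path = in_tunnel(WEB_SERVER, src, SITE_A_LAN, SITE_B_LAN)
    # A reply that leaves via site A's WAN would reach the client from 1.1.1.1
    # instead of 2.2.2.2 and be discarded; only a reply through the tunnel
    # returns to site B, where the Full NAT is reversed.
    return {"request_path": request_path, "reply_path": reply_path,
            "ok": reply_path == "ipsec"}


if __name__ == "__main__":
    for rule in ("dnat", "full_nat"):
        print(rule, simulate("203.0.113.5", rule))  # 203.0.113.5 is a constructed client
```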