
NAT Rule is not working

Good day!

 

I have a question. We are working with a customer and for some reason the NAT is not working. This is the scenario.

 

We have an IPSec tunnel between two sites. We need to NAT one of Sophos's interfaces since it's doing an integration with an Active Directory on the other end.

Here is the topology

Customer LAN ---- Sophos =========VPN S2S ======== Azure ------ Remote LAN

The IP address that needs to be translated is one of the logical ports that is connected directly into the customer's LAN. We set up the configuration as a normal NAT and for some reason the NAT is not happening.

We know this because we translated another IP address (inside the customer's LAN) and it worked fine. I am starting to think that Sophos does not allow NAT when one of its interfaces is used. Can someone help me with this particular scenario?

 

thanks a lot!



  • Hello Carlos,

    Thank you for contacting the Sophos Community!

    Maybe this KB can help you out!

    Regards,


     
    Emmanuel (EmmoSophos)
    Technical Team Lead, Global Community Support
  • Hello! Thanks for your reply.

     

We were able to do it using the real IP of Sophos's interface. The thing is that we have 2 IPSec tunnels: the main one (the one that worked using the real IP - OK) and the backup (NAT IP addresses - NOT OK). Is there any way that we can NAT an IP address of Sophos's interface?

Hi,
    Can you do a schema so we can help you?

    If you want to reach a host from the VPN tunnel, not from the WAN real IP, you can use SNAT and DNS.

    Most devices and Windows servers don't reply to requests not coming from their gateway.

  • Hello Carlos,

Please share a diagram of what you are referring to.

    Not sure if I am understanding this, but what do you want to NAT? My guess (I am not sure) is that you have Port1 with IP 10.10.10.1 and you want to send traffic from subnet 10.10.10.1/24 connected to that port through the IPsec, but you want somehow that after it leaves Port1 and enters the IPsec0 tunnel the IP changes?

    Regards,


     
    Emmanuel (EmmoSophos)
    Technical Team Lead, Global Community Support
  • Hello guys, thanks for your replies. I am attaching the scenario. Let me explain the situation:

     

We have two sites: Site A and Site B. On Site A we have two interfaces that have 2 public IP addresses. On Site B we only have one public IP address. The customer is requesting us to have 2 VPN tunnels to his side using ISP 1 and ISP 2. We are doing an integration with an Active Directory (in this case 192.168.100.100), so basically the firewall must be in the same domain as the AD. Because of that, the firewall is going to send some requests to the AD (in this case 10.10.10.1). So I have 2 IP addresses that MUST go through both VPNs in order to work.

     

On the picture I drew the scenario. So, we were able to configure and test VPN ISP 1 - PPAL using the following encryption domain:
    * 10.10.10.10 - 192.168.100.100
    * 10.10.10.1 - 192.168.100.100

Tests are great, life is good. The problem is when the backup VPN is tested. I cannot have the same encryption domain as the principal because on the remote site I have 2 routes pointing to 10.10.10.1 and 10.10.10.10 out of the virtual interface created on the Fortinet called "VPN tunnel ISP 1". I cannot configure the same routes (10.10.10.1 and 10.10.10.10) out of the virtual interface of VPN ISP 2 - BKP because the device is going to keep one of them as active, and when one of the tunnels goes down there is no automatic way to tell the Fortinet "switch it". I already tried to implement some SLA tracking on the Fortinet without luck. So it comes down to the Sophos. Here is the issue:

    We were able to NAT the IP 10.10.10.10 (user) and test the connection on the remote site. This test was successful. Now when we tried to do the same thing on the second flow (172.16.0.1 - 192.168.100.100) it doesn't work. For some reason (I believe it is just the way firewalls work) the firewall itself is not translating its IP address located on Port 3. Is there any way to NAT this specific interface in order for it to become 172.16.0.1 when it tries to reach Site B through VPN ISP 2 - BKP?

     

    I hope this is less confusing. Sorry about that.
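The setup described in this post (two policy-based tunnels with different encryption domains, and a source NAT that must be applied before the backup tunnel's selectors are matched) can be modelled in a few lines. This is an added example, not Sophos UTM or Fortinet code and not a statement about how either product evaluates NAT internally: it assumes the NAT rules are only in effect while the backup tunnel carries traffic, that the user host 10.10.10.10 is translated to 172.16.0.10 (the post only names 172.16.0.1 for the firewall), and it makes the suspected cause explicit as a flag on the rule (`matches_local`), so the "user works, firewall-originated traffic does not" symptom can be reproduced and then cleared.

```python
"""Model of policy-based IPsec traffic selectors with a pre-tunnel SNAT step.

Constructed example for the Site A / Site B scenario in the thread. Addresses are
the ones named in the post; 172.16.0.10 for the user host and the rule structure
are assumptions.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network


@dataclass
class SnatRule:
    src: IPv4Network
    dst: IPv4Network
    new_src: IPv4Address
    # Assumption used to model the symptom: does the rule also see packets the
    # firewall itself originates (AD lookups from Port 3), or only forwarded ones?
    matches_local: bool = False


@dataclass
class Tunnel:
    name: str
    local_nets: list      # local side of the encryption domain (traffic selectors)
    remote_nets: list     # remote side of the encryption domain
    up: bool = True


def apply_snat(src, dst, rules, locally_generated):
    """Return the source address after the first matching SNAT rule, else unchanged."""
    for rule in rules:
        if src in rule.src and dst in rule.dst:
            if locally_generated and not rule.matches_local:
                continue  # rule never sees firewall-originated packets; keep looking
            return rule.new_src
    return src


def select_tunnel(src, dst, tunnels):
    """Pick the first tunnel that is up and whose selectors cover the post-NAT flow."""
    for t in tunnels:
        if t.up and any(src in n for n in t.local_nets) and any(dst in n for n in t.remote_nets):
            return t.name
    return None  # no selector matched: packet would leave in the clear or be dropped


def forward(src, dst, rules, tunnels, locally_generated=False):
    """SNAT first, then selector match, as the post describes wanting for the backup path."""
    src, dst = ip_address(src), ip_address(dst)
    nat_src = apply_snat(src, dst, rules, locally_generated)
    return str(nat_src), select_tunnel(nat_src, dst, tunnels)


AD = ip_network("192.168.100.100/32")


def simulate(primary_up, firewall_rule_matches_local):
    """Evaluate both flows from the post against the primary/backup tunnel pair.

    primary_up: whether VPN ISP 1 - PPAL is available.
    firewall_rule_matches_local: whether the SNAT rule for 10.10.10.1 applies to
        traffic the firewall itself generates (the flag that reproduces the symptom).
    """
    tunnels = [
        Tunnel("VPN ISP 1 - PPAL",
               [ip_network("10.10.10.1/32"), ip_network("10.10.10.10/32")], [AD], up=primary_up),
        Tunnel("VPN ISP 2 - BKP",
               [ip_network("172.16.0.1/32"), ip_network("172.16.0.10/32")], [AD]),
    ]
    # Assumption: NAT rules are only active while the backup tunnel is in use.
    rules = [] if primary_up else [
        SnatRule(ip_network("10.10.10.10/32"), AD, ip_address("172.16.0.10")),   # user host
        SnatRule(ip_network("10.10.10.1/32"), AD, ip_address("172.16.0.1"),      # Port 3
                 matches_local=firewall_rule_matches_local),
    ]
    return {
        # user traffic is forwarded through the firewall
        "user": forward("10.10.10.10", "192.168.100.100", rules, tunnels),
        # AD requests originate on the firewall's own interface
        "firewall": forward("10.10.10.1", "192.168.100.100", rules, tunnels, locally_generated=True),
    }


if __name__ == "__main__":
    for primary_up, local in [(True, False), (False, False), (False, True)]:
        print(f"primary_up={primary_up} rule_matches_local={local}: {simulate(primary_up, local)}")
```

With the primary tunnel up both flows use their real addresses and match VPN ISP 1 - PPAL. With the primary down, the user flow is translated to 172.16.0.10 and matches the backup selectors, while the firewall's own flow stays 10.10.10.1 and matches no tunnel until the rule is also applied to locally generated traffic, which is the distinction the post is asking about.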

  • Hola Carlos and welcome to the UTM Community!

Is the UTM at A and the Fortinet at B? Please show the Edits of the two IPsec Connections and the two Remote Gateways.

    Here are two different approaches:

    1. Auto-Failover IPsec VPN Connections is easier to configure.
    2. Sophos UTM multiple S2S IPsec VPN mit Failover – Tutorial (DE) is more complicated to configure, but it offers instantaneous failover. Although the text is in German, there are tons of pictures of WebAdmin in English, so it is usable by anyone that can read English.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA