
SSL VPN dynamic SNAT

Team,

With a UTM 9, I am connecting from my private network, through a DSL router that manages the internet connection, to a corporate network via SSL VPN.

The corporate network dynamically assigns a private address to my tun1 interface. 

To access the corporate network, I have configured a SNAT rule changing the source to the TUN0 address.

That works until the VPN connection gets re-established and assigns a different tun1 address.

I am wondering how I can manage this. Is there a way to use the tun1 in the SNAT configuration?

Any other/better way?

Thanks!



  • FormerMember

    Hi,

    Thank you for reaching out to the Community! 

    If the source and the translated destination have the same netmask, you could try to configure 1:1 NAT.

    Thanks,

  • Hi,

    Not sure if I am getting this right...

    My current configuration is to have a SNAT rule that changes the source IP to the tun1 endpoint address (which gets dynamically assigned).

    A 1:1 NAT, AFAIK, would change any of my source addresses to any of the Map-To addresses.

    I would like to have a solution that makes the 'Change source to' address somehow dynamically follow the tun1 endpoint address that I got assigned...

    Thanks

  • FormerMember in reply to Alexander May

    Hi,

    Thank you for the update.

    I misunderstood your requirement, and I think you can resolve your issue if the remote SSL VPN user gets a fixed IP address whenever it reconnects.

    You could use the static IP address from the SSL VPN network and assign it to the user.

    Reference screenshot:

    Thanks,

  • Hi,

    Thanks for your reply. I am afraid that doesn't address my issue...

    The UTM is to connect to a remote corporate network (WatchGuard).

    I have configured an SSL site-to-site VPN with a connection type of 'client'.

    Here, I cannot manipulate the IP assignment of my tunnel endpoint, as it gets dynamically assigned by the remote end (the WatchGuard).

    I need to avoid the manual changing of the SNAT rules. Ideally, I would like to have one SNAT rule that considers the tun1 address that I have just been assigned.

    Thanks

    Alex

  • FormerMember in reply to Alexander May

    Hi,

    It's not possible to auto-update the host object that you're going to use with the SNAT. The way you described your requirements, it's not possible to configure.

    Thanks,

  • Hi,

    Thank you for your response. While this cannot be configured, what would be the correct way to configure my above scenario?

    Can the tun* object be used in a SNAT configuration?

    Any other alternative?

    Thanks, Alex

  • Hallo Alexander and welcome to the UTM Community!

    I don't understand. I see your questions about the solution you imagined, but I don't see what you want to accomplish. Why are you doing this?

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
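The underlying problem in this thread is that a source NAT rule pinned to a fixed `--to-source` address goes stale whenever the tunnel is re-addressed, while a `MASQUERADE` target looks up the outgoing interface's current address per packet. The script below is an added example, not from the thread or from Sophos: it assumes a plain Linux host with `iptables` and the `ip` tool, and prints (rather than applies) both rule forms for a constructed LAN subnet behind `tun1`; how the UTM 9 WebAdmin manages its own NAT rules is outside what this example covers.

```shell
#!/bin/sh
# Added example (not Sophos UTM code): compare a SNAT rule that must be
# regenerated after every tunnel reconnect with a MASQUERADE rule that
# follows the interface's current address automatically.

# Extract the first IPv4 address of an interface from `ip -4 -o addr show` output.
# Reads the command output from stdin so it can be exercised on a captured line.
# Handles both "inet A.B.C.D/NN" and point-to-point "inet A.B.C.D peer ..." forms.
tun_addr_from_ip_output() {
    sed -n 's|^[0-9]*: *[^ ]* *inet \([0-9.]*\)[ /].*|\1|p' | head -n 1
}

# Current IPv4 address of the given interface (empty if it has none).
current_tun_addr() {
    ip -4 -o addr show dev "$1" 2>/dev/null | tun_addr_from_ip_output
}

# The rule the thread describes: source NAT to a fixed address. $1 = LAN subnet,
# $2 = tunnel interface, $3 = the address currently assigned to that interface.
fixed_snat_rule() {
    printf 'iptables -t nat -A POSTROUTING -s %s -o %s -j SNAT --to-source %s\n' "$1" "$2" "$3"
}

# The address-independent alternative: MASQUERADE uses whatever address the
# outgoing interface holds at the time each packet is translated.
masquerade_rule() {
    printf 'iptables -t nat -A POSTROUTING -s %s -o %s -j MASQUERADE\n' "$1" "$2"
}

# Dry run only: show both rule forms for the constructed LAN 192.168.1.0/24 via tun1.
if [ "${1:-}" = "--show" ]; then
    addr=$(current_tun_addr tun1)
    fixed_snat_rule 192.168.1.0/24 tun1 "${addr:-<tun1 has no IPv4 address>}"
    masquerade_rule 192.168.1.0/24 tun1
fi
```

Run with `--show` to print the two candidate rules without touching the NAT table; the fixed-address form has to be rebuilt from `current_tun_addr` after each reconnect, the MASQUERADE form does not.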