
1:1 NAT - Overlay Network

Hello,

On my UTM (V9.705), the LAN 172.22.0.0/16 is connected to interface ETH4. The IP on ETH4 is 172.22.0.254.

For some reason, this LAN is not reachable from our Office LAN (10.10.10.0/24). Only 10.0.0.0/8 is routed to this firewall.

My idea was to do a 1:1 NAT (whole networks) on this firewall. Let's say my overlay net is 10.222.0.0/16.

For this I added an additional Network on

ETH4 with 10.222.0.254/16

and

1:1 NAT Rule

any, any to 10.222.0.0/16, Destination MAP, Mapped to 172.22.0.0/16

I thought this should work.

On the firewall I can ping 172.22.50.1, but not 10.222.50.1.

Why?

Can anyone help me?

Guenter



  • FormerMember

    Hi,

    As mentioned, a route for only the 10.0.0.0/8 network is added from the Office LAN network 10.10.10.0/24.

    You'd like to access the 172.22.0.0/16 network from the Office LAN. To achieve this you've added a 1:1 NAT and have mapped requests coming to the 10.222.0.0/16 destination network on the firewall to 172.22.0.0/16 (Map Destination).

    If this is the requirement, then there is no need to add an additional network on the eth4 interface.

    Please correct me if I'm wrong. Also please share a snapshot of a rough network diagram, NAT rule, and firewall rule.

  • Hello,

    Yes, you are right. But the 1:1 NAT rule does not match, so the hosts with the mapped IPs (10.222.0.0/16) are not reachable.

    What can I do?

    Is there a fully working example somewhere?

    Guenter

  • Hello Günter,

    I'm confused by your subnets. A 10.0.0.0/8 definition is so broad that it could be causing problems. Can you restrict that somewhat?

    I'm also confused by the use of "Any IPv4" in your NAT rule.

    A simple diagram with subnets noted would make this situation easier to understand.

    I don't think I've ever used a 1:1 NAT with more than a /22.  Yash, can you confirm that 1:1 NATs can handle /16 subnets?

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • FormerMember, in reply to Guenter

    Hello BAlfson, 1:1 NAT would be possible if the same subnet mask is used for 'Going to' and 'Map to' networks.


    Hi,

    Did you remove the additional network (10.222.0.254/16) from the eth4 interface?

    Please take a packet capture by running the following command in the shell:

    utm:/root # tcpdump -nei any '(host 172.22.50.1 or host 10.222.50.1) and icmp'


    Share the session output here or in PM.

    As said by BAlfson it would be easier to understand the current requirement if you could share a rough network diagram.
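To make the "same subnet mask" point concrete: a 1:1 NAT rewrites only the network part of the destination and keeps the host part, so the 'Going to' and 'Map to' networks must have the same prefix length. The following Python is an added illustration of that arithmetic, not Sophos UTM code, using the networks from the original question (10.222.0.0/16 mapped to 172.22.0.0/16):

```python
import ipaddress


def one_to_one_map(going_to: str, map_to: str, dst: str) -> str:
    """Rewrite a destination address the way a 1:1 (network) NAT rule would.

    going_to: the overlay network the rule matches on (e.g. 10.222.0.0/16)
    map_to:   the real network the destination is rewritten to (e.g. 172.22.0.0/16)
    dst:      the destination address of an incoming packet
    Returns the rewritten destination, or raises ValueError if the rule
    cannot apply (mask mismatch, or the packet is outside 'Going to').
    """
    src_net = ipaddress.ip_network(going_to, strict=True)
    dst_net = ipaddress.ip_network(map_to, strict=True)

    # A 1:1 NAT swaps the network bits and keeps the host bits unchanged,
    # which only makes sense when both networks are the same size.
    if src_net.prefixlen != dst_net.prefixlen:
        raise ValueError(
            f"mask mismatch: {src_net} is /{src_net.prefixlen} but "
            f"{dst_net} is /{dst_net.prefixlen}"
        )

    addr = ipaddress.ip_address(dst)
    if addr not in src_net:
        raise ValueError(f"{addr} is not in {src_net}; the NAT rule does not match")

    # Keep the host part (masked by the host mask), OR in the new network part.
    host_bits = int(addr) & int(src_net.hostmask)
    return str(ipaddress.ip_address(int(dst_net.network_address) | host_bits))


if __name__ == "__main__":
    # Constructed sample: the overlay address from the thread.
    print(one_to_one_map("10.222.0.0/16", "172.22.0.0/16", "10.222.50.1"))
    # Constructed sample: a mismatched mask is rejected rather than silently mapped.
    try:
        one_to_one_map("10.222.0.0/16", "172.22.0.0/24", "10.222.50.1")
    except ValueError as exc:
        print("rejected:", exc)
```

The same function run in the other direction (172.22.0.0/16 to 10.222.0.0/16) gives the source mapping a reply packet needs, so the two networks are interchangeable as long as the masks agree.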