
NAT through IPSec Site-to-Site VPN

Hi everyone,
I would like to ask you for help/advice. I have two sites, both running UTM 9.705-3. An IPSec Site-to-Site VPN is established between Site A (Public IP - Local Subnet 192.168.2.0/24) and Site B (behind a provider's NAT - no public IP - Local Subnet 192.168.4.0/24).

Access to local resources works correctly between the sites, like RDP or SMB/FTP to a NAS.

But I cannot figure out how to set up a NAT to allow FTP access to the NAS located on Site B through the public IP of Site A -> NAT -> IPSec VPN -> Site B.

I tried FullNAT from the internet, service FTP, going to Public IP of the Site A -> destination to NAS (in local subnet 192.168.4.0/24), source to Internal Address of Site A gateway.
But it is dropped by the Site A firewall (Forward Default Drop):
2021:03:09-00:12:05 gtw-asgaard ulogd[28481]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60002" initf="eth0" outitf="eth0" srcmac="*MAC*" dstmac="*MAC*" srcip="InternetIP" dstip="192.168.4.NAS_IP" proto="6" length="60" tos="0x00" prec="0x00" ttl="57" srcport="52888" dstport="21" tcpflags="SYN"

Could you please advise how to properly set up firewall / NAT rules?
I'm not really a network expert and don't have enough experience to find the problem.
Thanks in advance.



  • Ahoj Pavel and welcome to the UT Community!

    fwrule="60002" means the packet has been default dropped (didn't qualify for a firewall rule) out of the FORWARD chain.

    You're correct to use Full NAT to do what you want.  Please show a picture of the Edit of the NAT rule with the objects in 'For traffic from', 'Change the destination to' and 'Change the source to' also open in Edit with 'Advanced' open.

    Also, a picture of the IPsec Connection in Site B open in Edit.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
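As an added example (not code from the thread or from Sophos), here is a small parser for the ulogd packetfilter line Pavel posted, which applies Bob's check that fwrule="60002" means a default drop from the FORWARD chain. The sample log lines are constructed; the hostnames, addresses and the rule number 7 are placeholders.

```python
import re

# Constructed sample in the UTM ulogd "packetfilter" format seen in the thread.
# Addresses, MACs and the explicit rule number 7 are placeholders, not real values.
SAMPLE_LOG = (
    '2021:03:09-00:12:05 gtw-asgaard ulogd[28481]: id="2001" severity="info" '
    'sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" '
    'fwrule="60002" initf="eth0" outitf="eth0" srcmac="00:11:22:33:44:55" '
    'dstmac="66:77:88:99:aa:bb" srcip="203.0.113.10" dstip="192.168.4.20" '
    'proto="6" length="60" tos="0x00" prec="0x00" ttl="57" srcport="52888" '
    'dstport="21" tcpflags="SYN"\n'
    '2021:03:09-00:12:07 gtw-asgaard ulogd[28481]: id="2002" severity="info" '
    'sys="SecureNet" sub="packetfilter" name="Packet accepted" action="accept" '
    'fwrule="7" initf="eth0" outitf="eth1" srcip="203.0.113.10" '
    'dstip="192.168.2.5" proto="6" length="60" srcport="52889" dstport="3389" '
    'tcpflags="SYN"\n'
    '2021:03:09-00:12:09 gtw-asgaard ulogd[28481]: id="2001" severity="info" '
    'sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" '
    'fwrule="7" initf="eth0" srcip="198.51.100.7" dstip="192.168.2.1" '
    'proto="6" length="60" srcport="40000" dstport="22" tcpflags="SYN"\n'
)

HEADER_RE = re.compile(r'^(?P<ts>\S+) (?P<host>\S+) ulogd\[\d+\]: ')
KV_RE = re.compile(r'(\w+)="([^"]*)"')   # key="value", value may contain spaces
DEFAULT_DROP_RULE = "60002"              # FORWARD chain default drop (Bob's reply)

def parse_ulogd_line(line):
    """Return the key="value" fields plus ts/host as a dict, or None if not ulogd."""
    m = HEADER_RE.match(line)
    if not m:
        return None
    fields = dict(KV_RE.findall(line[m.end():]))
    fields["ts"], fields["host"] = m.group("ts"), m.group("host")
    return fields

def classify_drop(ev):
    """'default-drop' for fwrule 60002, 'rule-drop' for an explicit rule, else None."""
    if ev.get("sub") != "packetfilter" or ev.get("action") != "drop":
        return None
    return "default-drop" if ev.get("fwrule") == DEFAULT_DROP_RULE else "rule-drop"

def find_default_drops(log_text):
    """Summarise every default-dropped packet: who, to where, on which port/interfaces."""
    keys = ("ts", "srcip", "dstip", "proto", "dstport", "initf", "outitf")
    hits = []
    for line in log_text.splitlines():
        ev = parse_ulogd_line(line)
        if ev and classify_drop(ev) == "default-drop":
            hits.append({k: ev.get(k) for k in keys})
    return hits
```

Running find_default_drops over a day of packetfilter log shows which flows never matched any rule, which is the first thing to check when a new NAT or firewall rule does not seem to apply.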
  • Hi Bob, thanks for your response.

    This is the Full NAT Rule:
    Going to: External (Public) IP of the gateway on Site A
    Change dest. to: nas.mydomain.tld (host definition on Site A pointing to IP in subnet 192.168.4.0/24 on Site B)
    Change source to: Internal IP of the gateway on Site A

    IPSec properties in Site B:

    Thanks again.

  • Looks good, Pavel.

    We need to see the Edit of the "nas===" object with 'Advanced' open.

    Cheers - Bob

  • Hi Bob,

    Problem solved. The problem was in the host definition of the NAS. I was using a real FQDN, but with an internal IP address for historical reasons.



    So I created a new host definition without a DNS hostname and it works as expected.

    Thanks for the hints, stay safe and "negative" :)