
VPN Endpoint nat/masq ISP IP via IPSEC Tunnel?

Hello,

one of our customers has some wishes :-) We have an IPsec VPN to the customer, which is working normally.

The customer wants all traffic from our network through the VPN tunnel to be translated to the IP of the tunnel ISP interface.

Until now the firewall of the endpoint blocks all traffic, because the endpoint firewall sees our local IPs from our local subnets.

Could the technically outdated Sophos UTM translate our local LAN IPs to one IP, which is our static VPN IP from our ISP?

Best regards

Michael

  • Hello Michael,

    This is straightforward, but it's easier to give you the solution if you tell us what IPs are involved and especially the one they want to be the source IP in packets they receive.  If you prefer, obfuscate IPs like 84.XX.YY.121, 10.X.Y.100, 192.168.X.200 and 172.2X.Y.51.  That lets us see immediately which IPs are local and which are identical or just in the same subnet.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi Bob,

    Source LAN 10.100.200.x/23 -->  [ipsec (ISP static IP 111.111.111.111) ---> ipsec (dest static IP 222.222.222.222)]   ---> Dest LAN: 10.10.123.0/24

    Host to connect: 10.10.123.234

    The IPsec tunnel is working, but the destination has some NSA-like firewalling :-)

    The dest FW logs and blocks all packets from 10.100.200.x because the dest FW wants to see only 111.111.111.111 as the source IP and NOT our IPs from the range 10.100.200.x/23.

    We tried some SNAT/NAT rules, but the dest FW only sees IP packets from 10.100.200.x.

    I saw in the documentation of other vendors that a NAT rule can be configured in the IPsec tunnel configuration, so that 10.100.200.x is translated to 111.111.111.111.

    Best regards

    Michael

  • Michael, you said,

       Dest LAN: 10.10.123.0/24

       Host to connect: 10.10.123.234

    That's not possible as that creates a routing conflict.  The NATted IP from the 10.100.200.0/24 side must be outside the subnet on the 10.10.123.0/24.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
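The sanity check behind Bob's answer, written out as an added example (not code from the thread or from Sophos): given the addresses Michael posted plus a hypothetical NAT plan, it flags a NAT source address that sits inside the remote LAN (the routing conflict) and a local traffic selector that does not cover the translated address. It assumes the SNAT is applied before the IPsec policy lookup, as on netfilter-based gateways, so the selectors negotiated with the peer must describe the post-NAT packets.

```python
import ipaddress


def check_vpn_nat_plan(local_lan, nat_ip, local_selector,
                       remote_lan, remote_selector, target_host):
    """Return a list of problems with a plan to SNAT local_lan to nat_ip before
    sending traffic into an IPsec tunnel. An empty list means the plan is consistent."""
    local_lan = ipaddress.ip_network(local_lan, strict=False)
    nat = ipaddress.ip_address(nat_ip)
    local_sel = ipaddress.ip_network(local_selector, strict=False)
    remote_lan = ipaddress.ip_network(remote_lan, strict=False)
    remote_sel = ipaddress.ip_network(remote_selector, strict=False)
    host = ipaddress.ip_address(target_host)
    problems = []
    # A NAT source inside the remote LAN is a routing conflict: the remote side
    # would try to deliver replies on its own segment instead of into the tunnel.
    if nat in remote_lan:
        problems.append("routing conflict: nat_ip lies inside remote_lan")
    # SNAT runs before the IPsec policy match (assumption stated above), so the
    # local selector offered to the peer must cover the translated address.
    if nat not in local_sel:
        problems.append("selector mismatch: local_selector does not cover nat_ip, "
                        "post-NAT packets will not match the IPsec policy")
    # If the selector still covers the untranslated LAN, packets that miss the
    # NAT rule can reach the peer with their original source; flag it for review.
    if local_sel.overlaps(local_lan):
        problems.append("selector too wide: local_selector still covers local_lan")
    # The remote selector must include the host we actually want to reach.
    if host not in remote_sel:
        problems.append("selector mismatch: remote_selector does not cover target_host")
    return problems


if __name__ == "__main__":
    # Constructed from the thread: LAN 10.100.200.0/23 behind the UTM, tunnel
    # endpoint 111.111.111.111, remote LAN 10.10.123.0/24, host 10.10.123.234.
    ok = check_vpn_nat_plan("10.100.200.0/23", "111.111.111.111", "111.111.111.111/32",
                            "10.10.123.0/24", "10.10.123.0/24", "10.10.123.234")
    bad = check_vpn_nat_plan("10.100.200.0/23", "10.10.123.50", "10.100.200.0/23",
                             "10.10.123.0/24", "10.10.123.0/24", "10.10.123.234")
    print("plan A problems:", ok)   # expected: []
    print("plan B problems:", bad)  # expected: routing conflict and two selector issues
```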