IPSec tunnel with overlapping subnets on both sides of the tunnel

Hello,

I have a client that has a server in the 10.0.0.0/8 range which overlaps with my 10.10.247.0/28 network.

We are trying to NAT a single IP (192.168.247.2/32) to a single IP (192.168.247.10/32) on the other end.

I have created SNAT and DNAT rules for sending/receiving packets but I am not able to send any traffic through the tunnel.

The only guides I am seeing are for 1:1 NAT of a whole range and not a single IP.

I have used Sophos UTM: Configure a tunnel between two UTMs that use the same LAN range as a baseline but instead of 1:1 NAT I have a set of SNAT/DNAT rules.

The remote end tech has only done an SNAT for their traffic so far.

The firewall on the remote end is not a Sophos. I am also not able to see any traffic in the firewall log for ping, but a tracert does stop at the firewall and then Unreachable.

Any thoughts would be great. Thank you in advance.

Nick



Fix
[edited by: Nick Massin at 4:53 PM (GMT -7) on 28 Jul 2022]

  • Hi Nick and welcome to the UTM Community!

    You might also be interested in More VPN between same subnets.

    It's possible to do this with just a single IP.  Please insert pictures of the Edits of your IPsec Connection, Remote Gateway, DNAT and SNAT.  The other side must also have both a DNAT and an SNAT.

    If your client has 10.0.0.0/8 subnet defined, that should be changed.  My usual recommendation is for internal subnets to be in the 172.16.0.0/12 range.  Reserve 192.168.0.0/16 for public hotspots and home users.  Reserve anything in 10.0.0.0/8 for giant multinationals, ISPs, etc.  At the very least, they should reduce that 10/8 to something much, much smaller.  A full /8 is an invitation to a disastrous surprise.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi Bob,

Thank you for the response. I have seen many of your posts and I am glad you chimed in. I totally agree on the 10 range being a no-no, but unfortunately I can't change it as it is out of my hands.

    Here are the images you requested:

    So 192.168.246.2 is my Local NAT IP and 192.168.247.2 is the Remote NAT IP.

    What am I missing here?

Also, do I need to have a different set of DNAT/SNAT rules for each port I want to open? They will also need to have the same set of rules on their end as well, correct?

    Many thanks in advance,

    Nick

  • Very close, Nick!

Best practice is to not change the Service if it remains the same (see #5 in Rulz (last updated 2021-02-16)).  That lets you use single NATs and DNATs with a Services Group or just the "Any" Service.  You also have to check the 'Rule applies to IPsec packets' box in the SNAT.

    You're right that the other side also needs SNAT and DNAT.  A Full NAT won't work.

    Any better luck now?

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
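
The two settings Bob points to can be seen side by side in a small model of the NAT rule chain. This is an added illustration written for this thread, not Sophos UTM code and not from either poster; it uses the thread's NAT addresses, assumes a constructed local host 10.10.247.5, and simplifies the UTM engine to "first matching rule wins" with the 'Rule applies to IPsec packets' box gating which rules see tunnel-bound traffic.

```python
from dataclasses import dataclass, replace
from typing import Optional

# Addresses from the thread; 10.10.247.5 is a constructed sample host in 10.10.247.0/28.
LOCAL_HOST = "10.10.247.5"
LOCAL_NAT_IP = "192.168.246.2"   # how the remote side sees LOCAL_HOST (local NAT IP)
REMOTE_NAT_IP = "192.168.247.2"  # the remote server's address inside the tunnel (remote NAT IP)

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int

@dataclass(frozen=True)
class NatRule:
    kind: str                  # "SNAT" or "DNAT"
    match_src: str
    match_dst: str
    match_port: Optional[int]  # None models the "Any" service (usable only when the service is not translated)
    new_addr: str
    applies_to_ipsec: bool = False  # the 'Rule applies to IPsec packets' checkbox

def apply_nat(pkt: Packet, rules, into_ipsec: bool) -> Packet:
    """Rewrite pkt with the first matching rule (unchanged if none). Simplification:
    a packet about to enter the tunnel is only seen by rules with the IPsec box ticked."""
    for r in rules:
        if into_ipsec and not r.applies_to_ipsec:
            continue
        if (pkt.src, pkt.dst) != (r.match_src, r.match_dst):
            continue
        if r.match_port is not None and pkt.dport != r.match_port:
            continue
        return replace(pkt, **{"src" if r.kind == "SNAT" else "dst": r.new_addr})
    return pkt

def check(rules, ports=(22, 443, 3389)) -> dict:
    """Per port: outbound reaches the tunnel with the NAT source, inbound lands on the real host."""
    out = [apply_nat(Packet(LOCAL_HOST, REMOTE_NAT_IP, p), rules, True).src == LOCAL_NAT_IP
           for p in ports]
    inb = [apply_nat(Packet(REMOTE_NAT_IP, LOCAL_NAT_IP, p), rules, False).dst == LOCAL_HOST
           for p in ports]
    return {"out": out, "in": inb}

# Nick's first attempt: IPsec box unticked on the SNAT, DNAT pinned to one service.
BROKEN = [NatRule("SNAT", LOCAL_HOST, REMOTE_NAT_IP, None, LOCAL_NAT_IP),
          NatRule("DNAT", REMOTE_NAT_IP, LOCAL_NAT_IP, 443, LOCAL_HOST)]
# After Bob's advice: service left alone so "Any" can be used, IPsec box ticked on the SNAT.
FIXED = [NatRule("SNAT", LOCAL_HOST, REMOTE_NAT_IP, None, LOCAL_NAT_IP, True),
         NatRule("DNAT", REMOTE_NAT_IP, LOCAL_NAT_IP, None, LOCAL_HOST)]
```

With the broken set nothing leaves the tunnel with the NAT source address and only port 443 is delivered inbound; with the fixed set one SNAT and one DNAT cover every port.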
  • Amazing, thank you Bob, I can now see traffic going through the tunnel and in the firewall log where I was completely blind before.

I will be working with the vendor in about an hour to finalize the tunnel on their end and we should be good. I am very confident those 2 changes fixed this.

    - Not translating the port and leaving that field blank and using Any or a port group

- Enabling the "Rule applies to IPsec packets" on the SNAT

    I was so focused on the details of the rule I didn't even notice the IPSec setting.

    I will come back and verify the answer once this is complete and add any notes I may find.

    Cheers,

    Nick

• Thank you very much Bob!

This was the fix and the tunnel is up. This will come in handy for the future for sure.

I will bookmark the links you gave me as well; those are very good resources.

    Cheers and have a great weekend!

    Nick