
NAT/VPN question

Hi

We have an SG210 running firmware 9.413-4.

I have a S2S VPN to a client, the client uses the same subnet as ours so I have it NAT'd on my end.  It looks like this:  

NAT Rule for traffic going from my LAN to my client's LAN:

Rule Type: 1:1 NAT (whole networks)

Matching Condition:

For traffic coming from: My LAN

Using service: Any

Going to: My client's REAL LAN

Action:

1:1 NAT mode: Map Source

Map to: My client's FAKE LAN

 

NAT Rule for traffic coming from my client's LAN to my LAN:

Rule Type: 1:1 NAT (whole networks)

Matching Condition:

For traffic coming from: My client's REAL LAN

Using Service: Any

Going to: My client's FAKE LAN

Action:

1:1 NAT mode: Map destination

Map to: My LAN

The VPN terminates on the fake LAN (at the client's end)

 

The VPN works fine, we can access their system fine aside from one aspect.

They run a payment gateway, when we try to load the payment gateway via browser the connection to the gateway times out.  We connect to the payment gateway via a private IP address on their real LAN (via HTTPS)

I can ping this IP address OK.  When I enter this address in the browser and monitor the firewall log, I can see that it is being passed by the NAT rule that allows traffic from my LAN to theirs.  It appears no other firewall rule is used during the process, although I do have firewall rules set up so outbound traffic is allowed to their LAN (including port 443).

The client says they have allowed port 443 via their firewall.

Can anyone think of a reason my setup would cause a timeout when accessing an IP address on their LAN, or how I can troubleshoot this further?

Many thanks

Paul



  • Although your explanation seems complete, it's difficult to follow because there is no diagram with sample IPs.  That also limits the ability of others to give you an answer with a concrete example.

    Cheers - Bob 

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Thanks for your reply, I have finally got round to making a network drawing.

     

    Hope it is useful!


  • I'm still a bit lost because I don't see any duplicated subnet in your diagram.  Have you read How to tunnel between two UTMs which use the same LAN network range?  Unfortunately, someone removed all of the diagrams from that, so I'll try to show what's needed:

    Assume that both sides have a LAN 192.168.30.0/24.

    Create an IPsec tunnel: (you) 192.168.130.0/24 <--> 192.168.230.0/24 (them)

    In your UTM, create the following two 1-to-1 NAT rules:

    192.168.230.0/24 -> Any -> 192.168.130.0/24 : NAT to 192.168.30.0/24 : Destination
    192.168.30.0/24 -> Any -> 192.168.230.0/24 : NAT from 192.168.130.0/24 : Source

    In their device, create the corresponding 1-to-1 NAT rules: (if they have a Cisco, 1-to-1 means something different to them)

    192.168.30.0/24 -> Any -> 192.168.130.0/24 : NAT from 192.168.230.0/24 : Source
    192.168.130.0/24 -> Any -> 192.168.230.0/24 : NAT to 192.168.30.0/24 : Destination

    It's not possible to solve this problem with NATs on only one side of the VPN.

    Cheers - Bob

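As an added example (not part of the thread and not Sophos code), the following Python models Bob's four whole-network 1:1 NAT rules and traces one request and its reply through both UTMs, using his sample ranges (both real LANs 192.168.30.0/24, 192.168.130.0/24 as the fake range for "you", 192.168.230.0/24 as the fake range for "them"). The host numbers .5 and .80 are made up for the trace. It also runs the same request with the remote side's rules removed, which shows what Bob means by "not possible with NATs on only one side": the packet arrives at their UTM still addressed to 192.168.230.80, an address that exists in nobody's real LAN.

```python
"""Trace a packet through a two-sided 1:1 NAT for overlapping LANs (added example).

Ranges follow Bob's sample: both real LANs are 192.168.30.0/24, the IPsec
tunnel carries 192.168.130.0/24 (our fake range) <-> 192.168.230.0/24 (their
fake range). Host numbers are constructed for illustration.
"""
from dataclasses import dataclass
import ipaddress

LAN = ipaddress.ip_network("192.168.30.0/24")          # both real LANs (they overlap)
OUR_FAKE = ipaddress.ip_network("192.168.130.0/24")    # how their side addresses us
THEIR_FAKE = ipaddress.ip_network("192.168.230.0/24")  # how our side addresses them


@dataclass(frozen=True)
class Packet:
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address


def remap(addr, from_net, to_net):
    """Whole-network 1:1 NAT: keep the host part of addr, swap the network part."""
    if from_net.prefixlen != to_net.prefixlen:
        raise ValueError("1:1 NAT needs two networks of the same size")
    host_part = int(addr) - int(from_net.network_address)
    return to_net.network_address + host_part


@dataclass(frozen=True)
class OneToOneNat:
    """One UTM '1:1 NAT (whole networks)' rule, fields named as in the UTM dialog."""
    from_net: ipaddress.IPv4Network  # "For traffic from"
    to_net: ipaddress.IPv4Network    # "Going to"
    mode: str                        # "source" (Map Source) or "destination" (Map Destination)
    map_to: ipaddress.IPv4Network    # "Map to"

    def matches(self, pkt):
        return pkt.src in self.from_net and pkt.dst in self.to_net

    def apply(self, pkt):
        if self.mode == "source":
            return Packet(remap(pkt.src, self.from_net, self.map_to), pkt.dst)
        if self.mode == "destination":
            return Packet(pkt.src, remap(pkt.dst, self.to_net, self.map_to))
        raise ValueError(self.mode)


def nat(pkt, rules):
    """First matching rule wins; with no match the packet is left untouched."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.apply(pkt)
    return pkt


# Bob's rules on our UTM:
OUR_RULES = [
    OneToOneNat(THEIR_FAKE, OUR_FAKE, "destination", LAN),  # 230/24 -> Any -> 130/24 : NAT to 30/24 : Destination
    OneToOneNat(LAN, THEIR_FAKE, "source", OUR_FAKE),       # 30/24 -> Any -> 230/24 : NAT from 130/24 : Source
]
# Bob's rules on their UTM:
THEIR_RULES = [
    OneToOneNat(LAN, OUR_FAKE, "source", THEIR_FAKE),       # 30/24 -> Any -> 130/24 : NAT from 230/24 : Source
    OneToOneNat(OUR_FAKE, THEIR_FAKE, "destination", LAN),  # 130/24 -> Any -> 230/24 : NAT to 30/24 : Destination
]


def round_trip(our_host, their_host, our_rules=OUR_RULES, their_rules=THEIR_RULES):
    """Return (request as their server sees it, reply as our host sees it).

    Both arguments are real-LAN addresses as strings. Our host addresses their
    server through its twin in THEIR_FAKE, which is what a user would type.
    """
    ours = ipaddress.ip_address(our_host)
    theirs = ipaddress.ip_address(their_host)
    request = Packet(ours, remap(theirs, LAN, THEIR_FAKE))
    on_tunnel = nat(request, our_rules)          # our UTM rewrites before IPsec selection
    at_server = nat(on_tunnel, their_rules)      # their UTM rewrites after decryption
    reply = Packet(at_server.dst, at_server.src)  # server answers the address it saw
    reply_on_tunnel = nat(reply, their_rules)
    at_client = nat(reply_on_tunnel, our_rules)
    return at_server, at_client


if __name__ == "__main__":
    req, rep = round_trip("192.168.30.5", "192.168.30.80")
    print("request at their server:", req)
    print("reply at our host:      ", rep)
    one_sided, _ = round_trip("192.168.30.5", "192.168.30.80", their_rules=[])
    print("with no NAT on their side, request arrives as:", one_sided)
```

The trace makes the two requirements explicit: every "Map to" network must be the same size as the network it replaces (the host part is carried over unchanged), and the four rules must be mirror images, since the reply has to be rewritten back into the exact addresses each end originally saw, or the return traffic never matches the session.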