
URGENT: NAT traffic across IPsec VPN from same Subnet

LAN A 10.x.x.0/24
LAN B 192.168.11.0/24
LAN C 192.168.11.0/24

Currently LAN A has an IPsec VPN setup to LAN B which works fine, but now LAN C needs to be connected, but network needs to use 192.168.137.0/29 across new IPsec VPN.

I am new to Sophos, so bear with me.

LAN C has a Sophos UTM running 9.406-3 (not latest), and from what I have read I tested two sets of configuration with little success:

1. Add 'Additional Address of 192.168.137.0/29' under Interfaces ahead of maybe using Masquerading Rule, but as I go to enter the new address I get "Interface address is invalid because it is a network or broadcast address of the network '192.168.137.0/29'."

2. Add 1:1 NAT rule on LAN C UTM to NAT LAN C 192.168.11.0/24 to LAN A 10.x.x.0/24 mapped as 192.168.137.0/29 but I get "Cannot create 1:1 NAT rule with networks of different sizes."

I am sure this is something stupid, so hoping someone can get back to me asap :)



  • I don't think what you're planning will work.  If you're planning on connecting LAN C to the other LANs using IPSEC, it would have to be on a different net to start with, not 192.168.11.0 - it would certainly be simpler and less prone to errors in the configuration.

  • My initial thought was I need to change network from 192.168.11.0/24 to something else all together, but it seems like a big job to do for such a little requirement.

    LAN C will only ever communicate to Head Office (LAN A), but Head Office will need to connect to all other offices which is why we are in this situation. Is there not any other way to handle this? I read a little into RED ... is this an option instead?

  • Honestly, if it was my network, I'd just bite the bullet and do it - it's going to save so many problems in the future.  You may say that you'll never need to connect LAN C to LAN B - but there's no guessing just what "the Management" may come up with in the future.  Besides which, IPSEC is a very fussy protocol - it's better to keep things as simple as possible.

  • Trust me, I am almost there as far as re-configuration of local network, but let's assume we need to keep network as is ....... is there a way to make this happen?

  • Sorry - beyond my experience I'm afraid... :(

  • You can use NAT to achieve what you want, basically what you do is the following:

    The best way would be to use a /24 network since that is also what you use locally. /29 is really small (only 8 addresses including broadcast and network address, so only 6 usable addresses). So 192.168.137.0/24 would be much easier.

    If you still must use /29, then know that you can only reach 6 IP-addresses over the tunnel. If these are also 192.168.11.1 - 192.168.11.6 then you can simply create a network definition for this (192.168.11.0/29) and then you can use 1:1 NAT using this definition, otherwise you'll need to create separate NAT rules for every IP-address that you use (so for a maximum of 6).

    On UTM LAN A

    Create a remote gateway with the 192.168.137.0/29 subnet and use that in site-2-site connection


    ON UTM LAN C

    Create an IPSec connection with 192.168.137.0/29 as local subnet

    Create DNAT rule(s) where you translate incoming traffic on 192.168.137.x to 192.168.11.x

    Create SNAT rule(s) where you change the source to 192.168.137.x for traffic from 192.168.11.x going to 10.x.x.x


    Managing several Sophos firewalls both at work and at some home locations, dedicated to continuously improve IT-security and feeling well helping others with their IT-security challenges.
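    As an added illustration (not part of the thread or Sophos' own code), the following script models the address mapping the answer above describes and reproduces both error conditions the poster hit: an "additional address" must be a host address, not the network or broadcast address, and a 1:1 NAT needs two networks of equal size, so 192.168.11.0/29 maps onto 192.168.137.0/29 while 192.168.11.0/24 does not. The head-office range 10.0.0.0/24 is a constructed stand-in for the "10.x.x.0/24" in the thread.

```python
import ipaddress


def usable_hosts(net: str) -> list[str]:
    """Host addresses of a network without its network and broadcast
    addresses: a /29 yields 6, which is why the answer prefers a /24."""
    return [str(h) for h in ipaddress.ip_network(net, strict=True).hosts()]


def check_interface_address(addr: str, net: str) -> None:
    """Mirror the first error: an additional interface address must be a
    host inside the network, not its network or broadcast address."""
    network = ipaddress.ip_network(net, strict=True)
    ip = ipaddress.ip_address(addr)
    if ip == network.network_address or ip == network.broadcast_address:
        raise ValueError("Interface address is invalid because it is a "
                         f"network or broadcast address of the network '{net}'.")
    if ip not in network:
        raise ValueError(f"{addr} is not inside {net}")


def one_to_one_map(local_net: str, translated_net: str) -> dict[str, str]:
    """Host-by-host table of a 1:1 NAT. Mirror the second error: both
    networks must have the same prefix length, otherwise hosts cannot be
    paired one to one."""
    local = ipaddress.ip_network(local_net, strict=True)
    translated = ipaddress.ip_network(translated_net, strict=True)
    if local.prefixlen != translated.prefixlen:
        raise ValueError("Cannot create 1:1 NAT rule with networks of different sizes.")
    return {str(a): str(b) for a, b in zip(local.hosts(), translated.hosts())}


def nat_rules(local_net: str, translated_net: str, remote_net: str) -> list[tuple]:
    """Per-host DNAT/SNAT pairs for the LAN C side, one pair per usable
    host, as the answer describes: inbound traffic to the tunnel address is
    DNATed to the real host, outbound traffic from the real host is SNATed
    to its tunnel address. Each tuple: (rule type, match, translation)."""
    rules = []
    for local_ip, tunnel_ip in one_to_one_map(local_net, translated_net).items():
        rules.append(("DNAT", f"from {remote_net} to {tunnel_ip}",
                      f"destination -> {local_ip}"))
        rules.append(("SNAT", f"from {local_ip} to {remote_net}",
                      f"source -> {tunnel_ip}"))
    return rules


if __name__ == "__main__":
    for rule in nat_rules("192.168.11.0/29", "192.168.137.0/29", "10.0.0.0/24"):
        print(*rule, sep=" | ")
```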

  • Hi, David, and welcome to the UTM Community!

    The approach described by apijnappels is also the subject of a KnowledgeBase article: How to tunnel between two UTMs which use the same LAN network range.  More VPN between same subnets is another thread here that also describes this approach.

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA