
URGENT: NAT traffic across IPsec VPN from same Subnet

LAN A 10.x.x.0/24
LAN B 192.168.11.0/24
LAN C 192.168.11.0/24

Currently LAN A has an IPsec VPN set up to LAN B which works fine, but now LAN C needs to be connected as well, and the network needs to use 192.168.137.0/29 across the new IPsec VPN.

I am new to Sophos, so bear with me.

LAN C has a Sophos UTM running 9.406-3 (not latest), and from what I have read I tested two sets of configuration with little success:

1. Add 'Additional Address of 192.168.137.0/29' under Interfaces ahead of maybe using a Masquerading Rule, but as I go to enter the new address I get "Interface address is invalid because it is a network or broadcast address of the network '192.168.137.0/29'."

2. Add 1:1 NAT rule on LAN C UTM to NAT LAN C 192.168.11.0/24 to LAN A 10.x.x.0/24 mapped as 192.168.137.0/29 but I get "Cannot create 1:1 NAT rule with networks of different sizes."

I am sure this is something stupid, so hoping someone can get back to me asap :)
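Both UTM errors quoted in the two attempts above are plain address-arithmetic checks. The following is an added example (not from this thread or from Sophos) that reproduces them with Python's ipaddress module: the first function rejects a network or broadcast address as an interface address, the second builds the address-for-address mapping a 1:1 NAT rule implies and refuses networks of different sizes. The function names are my own.

```python
"""Added example: reproduce the two UTM address checks from the thread."""
import ipaddress
from typing import Dict, Optional


def check_interface_address(addr: str, prefix_len: int) -> Optional[str]:
    """Return None if addr is a usable host address inside its /prefix_len,
    otherwise the reason it is rejected (network or broadcast address)."""
    iface = ipaddress.ip_interface(f"{addr}/{prefix_len}")
    net = iface.network
    if iface.ip == net.network_address:
        return f"{addr} is the network address of {net}"
    if iface.ip == net.broadcast_address:
        return f"{addr} is the broadcast address of {net}"
    return None


def one_to_one_nat(original: str, translated: str) -> Dict[str, str]:
    """Build the mapping a 1:1 NAT rule implies: the n-th address of the
    original network becomes the n-th address of the translated network.
    This only makes sense when both networks have the same number of
    addresses, which is exactly what the UTM error in attempt 2 enforces."""
    orig_net = ipaddress.ip_network(original, strict=True)
    trans_net = ipaddress.ip_network(translated, strict=True)
    if orig_net.num_addresses != trans_net.num_addresses:
        raise ValueError(
            "Cannot create 1:1 NAT rule with networks of different sizes: "
            f"{orig_net} has {orig_net.num_addresses} addresses, "
            f"{trans_net} has {trans_net.num_addresses}"
        )
    return {str(o): str(t) for o, t in zip(orig_net, trans_net)}


if __name__ == "__main__":
    # Attempt 1: the /29 network address itself is not a host address.
    print(check_interface_address("192.168.137.0", 29))
    # The first usable host of that /29 is accepted (returns None).
    print(check_interface_address("192.168.137.1", 29))
    # Attempt 2: a /24 (256 addresses) cannot map 1:1 onto a /29 (8 addresses).
    try:
        one_to_one_nat("192.168.11.0/24", "192.168.137.0/29")
    except ValueError as exc:
        print(exc)
    # An equal-size pair works: eight LAN C addresses onto the /29.
    print(one_to_one_nat("192.168.11.0/29", "192.168.137.0/29"))
```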



  • I don't think what you're planning will work.  If you're planning on connecting LAN C to the other LANs using IPSEC, it would have to be on a different net to start with, not 192.168.11.0 - it would certainly be simpler and less prone to errors in the configuration.

  • My initial thought was I need to change network from 192.168.11.0/24 to something else all together, but it seems like a big job to do for such a little requirement.

    LAN C will only ever communicate to Head Office (LAN A), but Head Office will need to connect to all other offices which is why we are in this situation. Is there not any other way to handle this? I read a little into RED ... is this an option instead?

  • Honestly, if it was my network, I'd just bite the bullet and do it - it's going to save so many problems in the future.  You may say that you'll never need to connect LAN C to LAN B - but there's no guessing just what "the Management" may come up with in the future.  Besides which, IPSEC is a very fussy protocol - it's better to keep things as simple as possible.
