
transparent/split and NAT

Hi,


I have a good established RED setup for a few remote sites that are under our control and all use Unified/Standard mode, and we extend our LAN address space out to those, with DHCP relayed from the main site. This works well.

However, I have a new requirement where I need to install a RED in a remote network that I don't control, with the specific purpose of getting a single URL back to our HQ via the RED, and the rest of the remote network being untouched.

Transparent/Split mode is what I need. I think!

I have the required traffic tunneling down the RED, and can see it in the firewall log. I am not doing anything clever with split DNS or anything, my URL resolves to a public IP, and that public IP is what is tunnelled.

As I'm using a public IP, I want to at least DNAT the traffic so that when it hits the UTM the public IP is translated to the real webserver IP. What I notice in the logs is that the source IP of the traffic is what the PC on the RED has picked up from the remote network (192.168.1.0/24); that's fine. What I want to do is NAT the source of that traffic on the UTM to be the UTM's LAN side interface so that my real webserver. I tried this using a Full NAT, as well as a combination of both a DNAT and SNAT, and I can't seem to get the source of the traffic to NAT. I need this for 2 reasons.

1. I don't want to have individual routes for remote 192.168.x.0/24 networks on my corporate LAN.

2. If I did want to do number 1, I can't guarantee that the remote sites (which I don't control) won't have overlapping IP ranges, and I can't touch these.


I have no interfaces configured on my UTM that are bound to the RED, as I am not sure I need them. I don't want any other access to the PCs at the remote site as they are not mine. Perhaps this is where I am going wrong?

I'm getting to the stage where I am going round in circles so any help would be much appreciated.

Thanks.



This thread was automatically locked due to age.
  • Hi Jon and welcome to the UTM Community!

    If I understand what you're trying to accomplish, a Full NAT should be what you want.  If that didn't work, show us the Edit of your NAT rule.

    If you have a duplicate subnet at two locations, instead of a RED, you will need a UTM with a Network Protection subscription at the duplicate location.

    My usual recommendation is for internal subnets to be in the 172.16.0.0/12 range.  Reserve 192.168.0.0/16 for public hotspots and home users.  Reserve 10.0.0.0/8 for giant multinationals, ISPs, etc.

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
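Added example (not from the thread, and not Sophos code): a small Python model of the Full NAT rule Bob suggests for the traffic the OP describes, i.e. DNAT of the public IP to the real web server plus SNAT of the remote client to the UTM's LAN-side address, tracked per connection so replies can be reversed. It goes slightly beyond the question by keying the tracking entry on the ingress RED tunnel, which is what lets two remote sites that both use 192.168.1.0/24 coexist. All addresses (203.0.113.10, 172.16.5.20, 172.16.5.1), the tunnel names reds1/reds2 and the port range are constructed placeholders, and the class and function names are my own.

```python
"""Connection-tracked Full NAT (DNAT + SNAT) model for RED split-mode traffic.

Constructed placeholders, not values from the thread:
  PUBLIC_VIP  public IP that the OP's URL resolves to (TEST-NET-3 address)
  WEB_REAL    real internal web server behind the UTM
  UTM_LAN_IP  the UTM's LAN-side interface address
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

PUBLIC_VIP = "203.0.113.10"   # placeholder
WEB_REAL = "172.16.5.20"      # placeholder
UTM_LAN_IP = "172.16.5.1"     # placeholder


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    via: str = ""   # ingress tunnel/interface (e.g. "reds1"); empty for LAN-side replies


# original flow key: (ingress tunnel, src, sport, dst, dport)
OrigKey = Tuple[str, str, int, str, int]
# translated 4-tuple: (src, sport, dst, dport)
Tuple4 = Tuple[str, int, str, int]


class FullNat:
    """Full NAT rule: packets to match_dst:match_dport get their destination
    rewritten to new_dst and their source to new_src, with a fresh source port
    per connection so the mapping is reversible and never collides."""

    def __init__(self, match_dst: str, match_dport: int,
                 new_dst: str, new_src: str, port_base: int = 40000):
        self.match = (match_dst, match_dport)
        self.new_dst = new_dst
        self.new_src = new_src
        self._next_port = port_base
        self.forward: Dict[OrigKey, Tuple4] = {}   # original flow -> translated
        self.reverse: Dict[Tuple4, OrigKey] = {}   # reply 4-tuple -> original flow

    def _alloc_port(self) -> int:
        port = self._next_port
        self._next_port += 1
        return port

    def outbound(self, pkt: Packet) -> Packet:
        """Packet arriving from a RED tunnel, heading for the public VIP."""
        if (pkt.dst, pkt.dport) != self.match:
            return pkt  # rule does not match: traffic is left untouched
        key: OrigKey = (pkt.via, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key not in self.forward:
            # new connection: the ingress tunnel is part of the key, so an
            # identical 192.168.1.x client behind a second RED is a separate flow
            tr: Tuple4 = (self.new_src, self._alloc_port(), self.new_dst, pkt.dport)
            self.forward[key] = tr
            # the server's reply will be addressed new_dst:dport -> new_src:port
            self.reverse[(tr[2], tr[3], tr[0], tr[1])] = key
        src, sport, dst, dport = self.forward[key]
        return Packet(src, sport, dst, dport)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Reply from the web server; undo both translations or drop it."""
        orig = self.reverse.get((pkt.src, pkt.sport, pkt.dst, pkt.dport))
        if orig is None:
            return None  # no tracking entry: unsolicited packet is dropped
        via, osrc, osport, odst, odport = orig
        return Packet(src=odst, sport=odport, dst=osrc, dport=osport, via=via)


def demo():
    """Two remote sites with overlapping 192.168.1.0/24 space, same client address."""
    nat = FullNat(PUBLIC_VIP, 443, WEB_REAL, UTM_LAN_IP)
    site_a = Packet("192.168.1.50", 51000, PUBLIC_VIP, 443, via="reds1")
    site_b = Packet("192.168.1.50", 51000, PUBLIC_VIP, 443, via="reds2")
    other = Packet("192.168.1.51", 40000, "198.51.100.7", 80, via="reds1")
    ta, tb, to = nat.outbound(site_a), nat.outbound(site_b), nat.outbound(other)
    # the web server only ever sees UTM_LAN_IP, so it needs no route back to 192.168.x.0/24
    reply_a = nat.inbound(Packet(WEB_REAL, 443, ta.src, ta.sport))
    reply_b = nat.inbound(Packet(WEB_REAL, 443, tb.src, tb.sport))
    return ta, tb, to, reply_a, reply_b


if __name__ == "__main__":
    for p in demo():
        print(p)
```

The point the model makes for the OP's two reasons: because the source is rewritten to the UTM's LAN address, the web server replies to the UTM and no route for any remote 192.168.x.0/24 is needed; and because the tracking entry is unique per connection (fresh source port, ingress tunnel in the key), overlapping remote ranges cannot collide. The flip side a defender should plan for is that the web server's own logs now show the UTM's LAN address for every remote client, so attribution of a request to a real remote host has to come from the UTM's firewall/NAT log rather than from the server.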