
DNS Request Routing through AWS VPN

I have a newly configured tunnel to an AWS VPC that's working. I can reach ECS containers and the Route53 resolver up at AWS from a machine down here on the local network. I am trying now to get DNS Request Routing working so the DNS service on the UTM can route requests to the Route53 resolver but it's not working. I don't see anything in the firewall logs about blocked traffic. I suspect I need to add another subnet to the local end of the tunnel to allow the source address the UTM's DNS server is using. Either that or do some NAT but I'm not sure. Anybody done this before? 



  • Hello Paul,

    It might be that the VPC is not passing the IP used for the tunnel which is 169.154.x.x

    You might need to change the source IP address, for this you would need to create a SNAT for each VPN tunnel IP. 

    Source: 169.254.x.x (your VPC tunnel ip address on your Sophos)

    Service: Any (or DNS, or ICMP, whatever you need)

    Destination: Your VPC subnet CIDR block (e.g. 192.168.1.0/24)

    Source IP address changes to: put your Internal LAN ip address in here (just the host address, create a network definition if you don't have one)

    Make sure you have put your internal network into the Amazon VPC networks section of the VPC configuration on the Sophos so AWS can route to the Sophos to get to your internal lan address on your Sophos.

    And finally, ensure your firewall rules AND your AWS ACLs and security groups aren't blocking the above source/destination/protocols.

    Regards,


     
    Emmanuel (EmmoSophos)
    Technical Team Lead, Global Community Support
    Sophos Support Videos | Product Documentation | @SophosSupport | Sign up for SMS Alerts
    If a post solves your question use the 'Verify Answer' link.
  • Should the address in the first line of your response be 169.254.x.x instead of 169.154.x.x?

    Thanks much for the help.

  • The SNAT rule fixed this. I did not need to add the tunnel subnets to the routes on the AWS end but I did need to make sure "Rule applies to IPsec packets" in the SNAT's advanced options was checked.

    Thanks again. 

  • Oh, the SNAT details I used are below for the next guy.

    • Rule Type: SNAT (source)
    • For traffic from: 169.254.0.0/16
    • Using service: DNS (tcp/udp:53)
    • Going to: 10.99.0.0/16   (CIDR block for the VPC)
    • Change source to: 192.168.99.0/24 (CIDR block for the local network)
    • Rule applies to IPsec packets: checked
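A small model of the SNAT rule posted above and of the earlier advice about the VPC networks list, added here as an illustration and not Sophos code or anything from this thread's participants. It checks whether a DNS query that the UTM's own DNS proxy sends into the IPsec tunnel is matched and rewritten, and whether the resolver's reply has a route back. The tunnel address 169.254.10.1, the resolver address 10.99.0.2 and the single rewritten host 192.168.99.1 are assumptions; the thread gives the /16 and /24 ranges but not these hosts.

```python
"""Model of the thread's SNAT rule (added example, not Sophos UTM code)."""
from dataclasses import dataclass, replace
from ipaddress import IPv4Address, IPv4Network
from typing import FrozenSet, Iterable, Tuple

Service = Tuple[str, int]  # (protocol, destination port)
DNS: FrozenSet[Service] = frozenset({("udp", 53), ("tcp", 53)})


@dataclass(frozen=True)
class Packet:
    src: IPv4Address
    dst: IPv4Address
    proto: str
    dport: int
    via_ipsec: bool  # True when the packet is being sent into the IPsec tunnel


@dataclass(frozen=True)
class SnatRule:
    from_net: IPv4Network        # "For traffic from"
    service: FrozenSet[Service]  # "Using service"
    to_net: IPv4Network          # "Going to"
    new_source: IPv4Address      # "Change source to" (a single host here; assumption)
    applies_to_ipsec: bool       # advanced option "Rule applies to IPsec packets"

    def matches(self, pkt: Packet) -> bool:
        # Packets entering the tunnel are only considered when the IPsec
        # option is set; this is the box the original poster had to tick.
        if pkt.via_ipsec and not self.applies_to_ipsec:
            return False
        return (pkt.src in self.from_net
                and pkt.dst in self.to_net
                and (pkt.proto, pkt.dport) in self.service)


def apply_snat(pkt: Packet, rules: Iterable[SnatRule]) -> Packet:
    """Rewrite the source using the first matching rule, else leave it unchanged."""
    for rule in rules:
        if rule.matches(pkt):
            return replace(pkt, src=rule.new_source)
    return pkt


def reply_is_routable(src: IPv4Address, vpc_side_networks: Iterable[IPv4Network]) -> bool:
    """True if the VPC-side VPN configuration lists a network containing src.

    Models the advice that the internal LAN must be in the 'Amazon VPC
    networks' list so AWS can route the resolver's reply back to the UTM.
    """
    return any(src in net for net in vpc_side_networks)


# Constructed sample values: ranges come from the thread, hosts are assumed.
TUNNEL_LOCAL_IP = IPv4Address("169.254.10.1")
RESOLVER_IP = IPv4Address("10.99.0.2")
LAN_HOST = IPv4Address("192.168.99.1")

THREAD_RULE = SnatRule(
    from_net=IPv4Network("169.254.0.0/16"),
    service=DNS,
    to_net=IPv4Network("10.99.0.0/16"),
    new_source=LAN_HOST,
    applies_to_ipsec=True,
)


def dns_query_source(applies_to_ipsec: bool) -> str:
    """Source address a UTM-originated DNS query carries into the tunnel."""
    rule = replace(THREAD_RULE, applies_to_ipsec=applies_to_ipsec)
    pkt = Packet(TUNNEL_LOCAL_IP, RESOLVER_IP, "udp", 53, via_ipsec=True)
    return str(apply_snat(pkt, [rule]).src)


def query_reply_routable(applies_to_ipsec: bool) -> bool:
    """Whether the VPC (knowing only 192.168.99.0/24) can answer the query."""
    src = IPv4Address(dns_query_source(applies_to_ipsec))
    return reply_is_routable(src, [IPv4Network("192.168.99.0/24")])


if __name__ == "__main__":
    for flag in (False, True):
        print(f"IPsec option {flag!s:5}: query source {dns_query_source(flag)}, "
              f"reply routable: {query_reply_routable(flag)}")
```

With the IPsec option off, the query leaves with the 169.254.x.x tunnel address and the VPC has no route for the reply, which matches the silent failure described in the original question (nothing is blocked, so nothing is logged); with it on, the query is rewritten to the LAN host and the reply can come back.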
  • Hello Paul, 

    Thank you for the follow-up and for providing the solution!

    Regards,


     
    Emmanuel (EmmoSophos)