
Source Nat via VPN Tunnel not working

Dear Helpers,
we need to use SourceNAT for our new VPN connection to a client. The VPN connection requirement sheet is attached. The VPN connection is successfully established. For some reason the SourceNAT is not working.
Our client asked us to use SourceNAT for our internal network (192.168.100.0/23) and change it to (172.16.11.0/27).
We configured the Sophos SNAT-Rule the way we interpreted the requirements, however we are not able to ping the Proxy IDs.

Instead, the traceroute shows we are not able to reach any target behind the Sophos and the traffic is not redirected into the VPN tunnel, or we cannot reach any target through it.

Do you have any clue on how to find out where our mistake was made?

We also tried changing the Proxy ID and New SourceNetwork, we also tried changing the target destination to the jump server (public ip address) from our client, viewable on the right top of the requirement sheet.

Neither of them worked for us.

Best regards

  • Hi,

    Thank you for reaching out to the Community! 

    As per your description, it seems you need to configure the 1:1 NAT rule. The SNAT rule will not work for the networks.

    Please check the following KBA for more info: Sophos UTM: How to tunnel between two UTMs which use the same LAN network range.

    Thanks,

  • Hi H_Patel,

    First of all, thanks for your quick response, but the remote peer is not a Sophos UTM, it's another firewall.

    We only got information for the Source NAT; if we need to set up a DNAT in addition, we don't know how.
    A 1:1 NAT is not suitable for our constellation according to the linked thread. If we should set up a 1:1 NAT after all, we will be blocked here by different network sizes (for a 1:1 NAT the networks must be the same size according to the Sophos error message).

    Best Regards

  • Hallo and welcome to the UTM Community!

    You don't need a DNAT since you don't have any internal subnets that overlap with theirs.

    Your SNAT must have a single IP in 172.16.11.0/27 (a Host) in the 'Change the source to:' field, not the entire /27 subnet.

    Also, based on the Cisco config, you may want 172.16.200.100/31 in the 'Going to:' field instead of /32.

    You can have multiple SNATs, each with a different, single IP in 172.16.11.0/27 if you want some of your internal traffic to leave with different IPs.

    If you're still having problems, please show pictures of the Edits of the IPsec Connection and the Remote Gateway.

    Cheers - Bob
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
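To make Bob's two points concrete, here is an added example (not code from the thread or from Sophos) that simulates one packet against an SNAT rule and the tunnel's proxy IDs: it flags a subnet in 'Change the source to', a destination the rule's 'Going to' does not cover, and a post-NAT packet that falls outside the IPsec selectors. The selector values 172.16.11.0/27 and 172.16.200.100/31 are taken from the thread; the host 172.16.11.5 and the rule layouts are assumptions for illustration.

```python
# Added example (not from the thread): check an SNAT rule against IPsec proxy IDs.
from ipaddress import IPv4Address, IPv4Network


def _net(value: str) -> IPv4Network:
    # strict=False so a host address such as "172.16.200.100/31" still parses
    return IPv4Network(value, strict=False)


def evaluate_snat(rule: dict, tunnel: dict, src: str, dst: str) -> dict:
    """rule keys: matching_source, going_to, change_source_to (CIDR strings).
    tunnel keys: local, remote (the proxy IDs agreed for the IPsec SA).
    Returns the source the packet leaves with and whether it fits the selectors."""
    src_ip, dst_ip = IPv4Address(src), IPv4Address(dst)
    findings = []
    new_src = _net(rule["change_source_to"])
    if new_src.num_addresses != 1:
        findings.append("'Change the source to' must be a single host, not a subnet")
    matches = src_ip in _net(rule["matching_source"]) and dst_ip in _net(rule["going_to"])
    if not matches:
        findings.append("SNAT rule does not match this packet; it leaves untranslated")
    # A valid, matching rule rewrites the source; otherwise the original address stays
    translated = matches and new_src.num_addresses == 1
    post_src = new_src.network_address if translated else src_ip
    in_tunnel = post_src in _net(tunnel["local"]) and dst_ip in _net(tunnel["remote"])
    if not in_tunnel:
        findings.append("post-NAT packet is outside the tunnel selectors; it will not be encrypted")
    return {"matches": matches, "post_nat_source": str(post_src),
            "in_tunnel": in_tunnel, "findings": findings}


# Constructed from the thread: our proxy ID is the /27, the client's is the /31
TUNNEL = {"local": "172.16.11.0/27", "remote": "172.16.200.100/31"}
# The rule as the original poster described it: whole /27 as new source, /32 destination
ORIGINAL_RULE = {"matching_source": "192.168.100.0/23",
                 "going_to": "172.16.200.100/32",
                 "change_source_to": "172.16.11.0/27"}
# Bob's correction: one host (assumed .5) as new source, the /31 as destination
CORRECTED_RULE = {"matching_source": "192.168.100.0/23",
                  "going_to": "172.16.200.100/31",
                  "change_source_to": "172.16.11.5"}

if __name__ == "__main__":
    for name, rule in (("original", ORIGINAL_RULE), ("corrected", CORRECTED_RULE)):
        print(name, evaluate_snat(rule, TUNNEL, "192.168.100.10", "172.16.200.101"))
```

Run it to see the original rule fail on both counts while the corrected rule leaves as 172.16.11.5 inside the selectors.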