Thread Info
  • State Verified Answer
  • Locked Locked
  • Replies 4 replies
  • Subscribers 2 subscribers
  • Views 9624 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Do you require SNAT or DNAT or BOTH for VPN behind NAT ?

DaveGrasso

I need to VPN to a remote site that will NOT allow Private networks.

I created a DNAT using PublicIP.238 with any/any to destination Private.10

I can successfully get to the Private.10 from any Public IP source.

Now I need to create a VPN using my UTM GW PublicIP.226 going to the Remote site using PublicIP.149

 

The VPN is configured like:  PublicIP.238 ------- PublicIP.226 ====== PublicIP.149 ------- PublicIP.39

My end PublicIP.238 is DNATing to PrivateIP.10

QUESTION:  Do I ALSO need to create a SNAT to allow traffic to flow to the Public.39 ?

 

I can see the Automatic rule is created to allow traffic from .238 to .39 and from .39 to .238

But it does not appear I can send traffic from my PrivateIP.10 to their Remote end.

 

I know it would help with screen shots, but the basic question is DNAT and SNAT required ?

 

Thanks



This thread was automatically locked due to age.
  • 0

    Hi Dave - first I've seen you here - welcome to the UTM Community!

    I can't think of why you would need NAT with a site-to-site unless the endpoint is behind a NAT - what is the topology?

    Is this an SSL or an IPsec VPN?  If IPsec, please show pics of the Edits of the IPsec Connection and Remote Gateway.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • 0 in reply to BAlfson

    Hi Bob,

    It is an IPsec VPN and the VPN comes up fine. It basically is just four (4) public IP's to make the VPN.

    The remote end REQUIRES all Private IP's be hidden behind NAT.  My potential issue is creating the NAT's correctly.

    I can see when I initiate traffic ( FTP ) the NAT rule shows up going from my server to the correct address on the remote 2nd Public IP.

      NAT rule #28 TCP  
    10.x.xx.xx : 52327
    198.xxx.xxx.39 : 21
    		 
    [SYN] len=60 ttl=62 tos=0x00 srcmac=00:1a:8c:32:5b:39

    When I try to open FTP to the 198.x.x.x IP it shows "connecting" but never connects.  The Remote tech says he does not see any traffic in his logs.

     

    Dave

  • +1 in reply to DaveGrasso

    OK, I didn't understand your first post.  What you want is a VPN with the other side that is:

    {one of your public IPs that's not used}={IP of External (Address)} <--> {public IP of other side}={IPs/network you're supposed to reach}

    Your IPsec Connection must NOT use 'Strict routing'.  'Local Networks' in your Remote Gateway only has {one of your public IPs that's not used}.  The other side must have {one of your public IPs that's not used} as the remote network for the VPN definition.

    You need a single NAT rule:

    SNAT : Internal (Network) -> Any -> {IPs/network you're supposed to reach} : from {one of your public IPs that's not used}

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • 0 in reply to BAlfson

    Thanks Bob for confirming I only need the SNAT.

    I turned off my DNAT and noticed I did not have Automatic firewall rule on the SNAT - and the FTP login is working now !!

    So to clarify for anyone else having this question:  YES, you can create a VPN using just Public IP's and NAT to your server using a Private IP.

     

    Thanks again Bob !

Unfiltered HTML