
Multiple nat on single ipsec tunnel

Hi,

Currently I am migrating from an old ASA to XG and I need to mimic the setup I had on the ASA. With one of our partners we have an IPsec VPN tunnel with multiple NAT rules. In short:

- There are 3 internal networks on my side (192.168.x.a/24, 192.168.x.b/24, 192.168.x.c/24)

- There are 2 servers on partner side ( s1, s2 ) and one network (192.168.z.d/24)

- My network 192.168.x.a/24 should be NATed to 10.x.y.z when accessing s1

- My networks 192.168.x.b/24 and 192.168.x.a/24 should be NATed to 10.x.y.d when accessing s2

- Partner network 192.168.z.d/24 will access a server in 192.168.x.c/24 using the 10.x.y.d address on their side

So far my understanding is that NAT from my side can be configured in the IPsec VPN configuration tab under network details, but there is no way to specify a different NAT depending on the destination. So the first question is how in XG I can configure a different NAT depending on the destination - should I configure it as a firewall rule? If so, what should be set as the gateway for the traffic to go into the IPsec tunnel?

The second topic is how to configure a Business application rule to expose my server to the network on the other end of the IPsec tunnel. What is the source zone - VPN? In allowed networks I am assuming I should enter the remote network?

As usual any help appreciated :)

Pawel 



  • Hi Pawel,

    Select Site-to-Site as the connection type of the IPsec tunnel; you will then see the NATed LAN box.

    Please raise a new question for the Business Rule configuration. 

    Thanks

    Sachin Gurung
    Team Lead | Sophos Technical Support

  • Sachin,


    This unfortunately doesn't solve my problem/question. I did configure the site-to-site VPN, but in the NATed LAN box I can specify only NAT rules based on the source network (unless I am missing something). What I need is info on how to configure NAT based on both source AND DESTINATION address, and this NAT needs to be applied to traffic going into the IPsec tunnel. Are you saying that in such a case I need to configure nothing in IPsec and move the whole NAT configuration to firewall rules?


    Thanks

    Pawel

  • Hi Pawel , 

    Let me simulate the scenario and I will give the configuration as well.

    Regards,

    Aditya Patel
    Global Escalation Support Engineer | Sophos Technical Support


  • I have a similar issue but only a single local network going to 2 partner networks.


    - My network is 10.0.0.0/24 and should be NAT'd to 172.22.208.0/26 when accessing either partner network.

    - Partner network 1 is 172.168.99.0/24

    - Partner network 2 is xxx.xxx.204.0/23


    IPsec Network Details:

    Local:

    Local Subnet: 172.22.208.0/26

    NATed LAN: 10.0.0.0/24

    Remote:

    Remote LAN Network: 192.168.99.0/24 and xxx.xxx.204.0/23


    When performing a packet capture for a ping we saw that the outgoing interface was Port2 (WAN) rather than the IPsec tunnel. The route was then configured manually via the CLI to use the tunnel. When running a capture again, we saw the interface was ipsec0, the source was 10.0.0.20 and the destination was xxx.xxx.204.5, as seen below. Which is good. But no packets were sniffed on the partner side. The NAT is configured the way that Sachin suggested, but how do I check or verify the NAT table? Or is there a separate rule that needs to be created in addition?


    14:45:41.881 Port1, IN: In aa:bb:cc:dd:ee:ff ethertype IPv4 (0x0800), length 76: (tos 0x0, ttl 128, id 22888, offset 0, flags [none], proto ICMP (1), length 60)
    10.0.0.20 > xxx.xxx.204.5: ICMP echo request, id 1, seq 18953, length 40
    14:45:41.880 ipsec0, OUT: Out ff:ee:dd:cc:bb:aa ethertype IPv4 (0x0800), length 76: (tos 0x0, ttl 127, id 22888, offset 0, flags [none], proto ICMP (1), length 60)
    10.0.0.20 > xxx.xxx.204.5: ICMP echo request, id 1, seq 18953, length 40

  • Hi Pawel , 

    I have simulated the environment you have requested.

    In my scenario:

    Site A

    Local Network 10.10.40.0/24

    Communication with Site B 10.10.10.1 with NAT address 1.1.1.2

    Communication with Site B 10.10.10.129 with NAT address 1.1.1.1

    Configuration on Rules

    Rule 1 LAN to VPN: Source Zone LAN, Destination Zone VPN, Source Network (Local Network), Destination IP SERVER_A 10.10.10.1 address, NAT policy 1.1.1.2

    Rule 2 LAN to VPN: Source Zone LAN, Destination Zone VPN, Source Network (Local Network), Destination IP SERVER_B 10.10.10.129 address, NAT policy 1.1.1.1

    Rule 3 VPN to LAN: Source Zone VPN, Destination Zone LAN, Source Network ANY, Destination ANY, NAT policy None

    Configuration on Tunnel

    Local Subnet: 10.10.40.0/24, 1.1.1.0/24 (NAT network DUMMY to establish the SA)

    Remote Subnet: 10.10.10.0/24

    ------------------------------------------------------------

    Site B

    Configuration on Rules

    Rule 1 LAN to VPN: Source Zone LAN, Destination Zone VPN, Source Network ANY, Destination IP ANY address, NAT policy None

    Rule 2 VPN to LAN: Source Zone VPN, Destination Zone LAN, Source Network ANY, Destination ANY, NAT policy None

    Configuration on Tunnel

    Local Subnet: 10.10.10.0/24

    Remote Subnet: 10.10.40.0/24, 1.1.1.0/24 (NAT network DUMMY to accept the NATed address)

    Regards,

    Aditya Patel
    Global Escalation Support Engineer | Sophos Technical Support


  • Thanks,

    I will try tonight. One more thing - did you try using only the NAT network DUMMY in the tunnel configuration?

    Pawel

  • Hi Pawel,

    Yes, the dummy network is used the same as the NATed address, in your case 10.x.x.x/subnet.

    Regards,

    Aditya Patel
    Global Escalation Support Engineer | Sophos Technical Support


  • I did test it and it works partially. From my observation it looks like I always have to add the local subnet to the tunnel configuration. If I am not mistaken, XG sends traffic to the IPsec tunnel based on the original address and only then applies the firewall rules which do NAT. If this is the case - is there a way to do NAT first and then, after NAT, send the traffic through IPsec?

  • Hi contact,

    Yes, it would first have the IPsec routes in the route table and then identify which route to send the traffic to. Once it comes in on the LAN it would pass through the VPN based on the firewall rules. If we apply the NAT, it would NAT before sending out to the VPN tunnel. But in the tunnel configuration you would need to include both the NAT network and the local network, for the route and to accept the connection on the remote end; that is accomplished when the SA is established.

    Regards,

    Aditya Patel
    Global Escalation Support Engineer | Sophos Technical Support

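To make the ordering described above concrete, and the rule/tunnel layout from the earlier Site A post, here is an added Python model; it is not part of the thread or of any Sophos code. It replays both orders (XG: route on the original addresses, then SNAT, then SA selector check; Cisco-style: SNAT first, then route) with the thread's sample addresses, assuming a simple first-match rule table.

```python
from ipaddress import ip_address, ip_network

# Constructed model of the Site A setup from the thread (sample addresses as posted).
TUNNEL_LOCAL = ["10.10.40.0/24", "1.1.1.0/24"]   # real LAN plus the dummy NAT network
TUNNEL_REMOTE = ["10.10.10.0/24"]
# LAN -> VPN firewall rules: (source network, destination host, SNAT address)
RULES = [
    ("10.10.40.0/24", "10.10.10.1", "1.1.1.2"),
    ("10.10.40.0/24", "10.10.10.129", "1.1.1.1"),
]

def selector_match(src, dst, local_nets, remote_nets):
    """True when (src, dst) is covered by a local/remote subnet pair of the tunnel,
    i.e. an IPsec route exists for it and the SA will carry it."""
    return (any(src in ip_network(n) for n in local_nets)
            and any(dst in ip_network(n) for n in remote_nets))

def apply_snat(src, dst, rules):
    """Source address after the first matching NAT rule (unchanged if none matches)."""
    for rule_src, rule_dst, snat in rules:
        if src in ip_network(rule_src) and dst == ip_address(rule_dst):
            return ip_address(snat)
    return src

def xg_order(src, dst, local_nets=TUNNEL_LOCAL, remote_nets=TUNNEL_REMOTE, rules=RULES):
    """Order described for XG: route on the ORIGINAL addresses, then firewall rule
    and SNAT, then the post-NAT packet must still fit a tunnel selector."""
    src, dst = ip_address(src), ip_address(dst)
    if not selector_match(src, dst, local_nets, remote_nets):
        return ("Port2/WAN", str(src))      # no IPsec route: leaves via the default route
    new_src = apply_snat(src, dst, rules)
    if not selector_match(new_src, dst, local_nets, remote_nets):
        return ("dropped", str(new_src))    # NATed source outside every SA selector
    return ("ipsec0", str(new_src))

def nat_first_order(src, dst, local_nets=TUNNEL_LOCAL, remote_nets=TUNNEL_REMOTE, rules=RULES):
    """Cisco-style order Pawel describes: SNAT first, then route the translated packet."""
    src, dst = ip_address(src), ip_address(dst)
    new_src = apply_snat(src, dst, rules)
    if selector_match(new_src, dst, local_nets, remote_nets):
        return ("ipsec0", str(new_src))
    return ("Port2/WAN", str(new_src))

if __name__ == "__main__":
    dummy_only = ["1.1.1.0/24"]    # Pawel's question: only the NAT network in the tunnel
    print(xg_order("10.10.40.5", "10.10.10.1"))                        # ('ipsec0', '1.1.1.2')
    print(xg_order("10.10.40.5", "10.10.10.1", local_nets=dummy_only)) # ('Port2/WAN', '10.10.40.5')
    print(nat_first_order("10.10.40.5", "10.10.10.1", local_nets=dummy_only))  # ('ipsec0', '1.1.1.2')
```

The "dropped" branch reproduces the symptom in the earlier post where packets left on ipsec0 but never arrived on the partner side: the NATed source fits no SA selector, so check that the NAT network is in the tunnel's local subnets.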

  • Aditya,


    Do you know the trick to do NAT first and only then send the traffic through the VPN? Is there a way to create a fake network, send traffic to this network using a firewall rule to do NAT, and only then send the traffic back to the Sophos to send it through the IPsec tunnel? Sorry for this long thread, but migrating from Cisco is a little difficult as Cisco works the opposite way - first NAT and then IPsec.

    Pawel