Disclaimer: This information is posted as-is and the content should be referenced at your own risk
This Recommended Read assumes you already have a working IPsec tunnel.
Note: This RR might also help you troubleshoot connectivity issues when the IPsec tunnel is up but there are no replies to pings or other types of traffic.
Applies to the following Sophos products and versions: Sophos XG Firewall v18 and Sophos XG v17
When testing connectivity, or because of specific policies, we may want traffic arriving from the other end of the tunnel to be seen by our LAN devices as if the connection came from the XG itself.
By default, traffic arriving over the IPsec tunnel reaches the devices on the LAN with the original source address used on the tunnel. In some situations this causes devices running a local (host) firewall not to reply, because many host firewalls only accept inbound traffic from the same broadcast domain (the local network range); the Windows Defender Firewall "File and Printer Sharing" rules, for example, are scoped to the local subnet by default, and the remote VPN subnet is not part of it. In other scenarios you may simply not want your LAN to see traffic from a different subnet, for security reasons.
In these cases it can be a good idea to MASQUERADE the incoming IPsec traffic to the LAN, so that it appears to come from the XG local interface. Keep in mind what masquerading hides: the LAN host then sees only the XG interface IP in its logs and firewall rules, so per-source host policies and source attribution are lost. Where that matters, allowing the remote subnet in the host firewall is the more precise fix.
In our scenario we receive pings from the 10.10.10.0/24 subnet over the IPsec tunnel, destined to a computer in the LAN zone with the IP 172.16.15.100.
The computer is responding only because we have disabled its local firewall, but we may not want to do that, or disabling the local firewall may not be an option.
What we can do at the XG level is to MASQUERADE this traffic so that the end device sees it as coming from the XG interface the device is connected to.
Our XG has the IP 172.16.15.254 and the computer 172.16.15.100, so we will configure the XG so that traffic arriving at the computer has its source address MASQUERADED to 172.16.15.254.
On Sophos XG v17 (where NAT is configured inside the firewall rule):
1.- Go to your VPN to LAN firewall rule and scroll down to NAT & Routing.
2.- Tick Rewrite source address (masquerading); a new option called "Use outbound address" appears. Select MASQ and click Save.
Now the pings reaching the computer will appear to come from the IP of the XG interface the computer is connected to (Port1 in this example, 172.16.15.254).
On Sophos XG v18 (where NAT is configured in a separate NAT rule; the VPN to LAN firewall rule must still exist to allow the traffic):
1. Go to Rules and policies >> NAT rules >> Add NAT rule >> enter a name, and configure the NAT rule as follows:
Original Source = the network configured as Remote Subnets in the IPsec connection (10.10.10.0/24 in this example)
Original Destination = ANY
Original Service = ANY
Translated source (SNAT) = MASQ (the address of the outbound interface)
Translated destination (DNAT) = Original
Translated service (PAT) = Original
Interface matching criteria
Inbound interface = ANY
Outbound interface = Port1 (the LAN interface the computer is connected to, 172.16.15.254 here)
To verify, take a packet capture on Port1 filtered on the computer's IP: pings to 172.16.15.100 should now show 172.16.15.254 as the source instead of a 10.10.10.x address. If they still show the original address, the NAT rule is not matching (check the Original Source network and the outbound interface).
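The masquerade above works around the host firewall by hiding the true source address. Where the host needs to keep seeing the real VPN addresses (for its logs or its own per-source rules), the alternative is to leave the tunnel traffic untranslated and allow the remote subnet on the host itself. The following is an added example, not part of the original article: it assumes the LAN computer (172.16.15.100) runs Windows with Windows Defender Firewall, that the IPsec remote subnet is 10.10.10.0/24 as in the scenario, and that the built-in echo-request rule carries its usual display name; the rule name "Allow ICMPv4 echo from IPsec remote subnet" is chosen here for illustration.

```powershell
# Added example, not from the original article. Assumptions: Windows host with
# Windows Defender Firewall, IPsec remote subnet 10.10.10.0/24, elevated session.
$RemoteVpnSubnet = '10.10.10.0/24'

# 1. Confirm the cause: the built-in inbound echo-request rules are scoped to
#    LocalSubnet, so a ping sourced from 10.10.10.x is dropped by the host
#    even though the XG forwarded it.
Get-NetFirewallRule -DisplayName 'File and Printer Sharing (Echo Request - ICMPv4-In)' |
    ForEach-Object {
        $scope = $_ | Get-NetFirewallAddressFilter
        [pscustomobject]@{
            Rule          = $_.Name
            Profile       = $_.Profile
            Enabled       = $_.Enabled
            RemoteAddress = ($scope.RemoteAddress -join ',')
        }
    } | Format-Table -AutoSize

# 2. Allow exactly the VPN subnet, nothing wider. A dedicated rule leaves the
#    built-in rules untouched and is easy to audit or remove later.
$ruleName = 'Allow ICMPv4 echo from IPsec remote subnet'   # hypothetical name
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName `
        -Direction Inbound -Action Allow `
        -Protocol ICMPv4 -IcmpType 8 `
        -RemoteAddress $RemoteVpnSubnet `
        -Profile Domain,Private | Out-Null
}

# 3. Show the resulting rule scope so the change can be verified.
Get-NetFirewallRule -DisplayName $ruleName |
    Get-NetFirewallAddressFilter |
    Select-Object RemoteAddress
```

The same pattern applies to the "other types of connectivity" the note at the top mentions: replace `-Protocol ICMPv4 -IcmpType 8` with, for example, `-Protocol TCP -LocalPort 3389` for RDP, keeping `-RemoteAddress` limited to the VPN subnet. With this in place the XG NAT rule is not needed, and the host's firewall log still records the real 10.10.10.x source of each connection.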
Sophos XG Firewall: How to set a Site-to-Site IPsec VPN connection using a preshared key
Monitor traffic using Packet Capture Utility in the Sophos XG Firewall GUI
Create a source NAT rule