Sophos XG: How to source NAT incoming IPsec traffic on v18 and v17

Hello Community,

Disclaimer: This information is posted as-is and the content should be referenced at your own risk

This Recommended Read assumes you already have a working IPsec tunnel.

Note: This RR might also help you troubleshoot connectivity issues where the IPsec tunnel is UP but there are no replies to pings or other connectivity tests from the remote side.

Applies to the following Sophos products and versions
Sophos XG Firewall v18 and Sophos XG v17

Overview

When testing connectivity, or because of specific policies, we may want traffic arriving from the other end of the tunnel to be seen by our LAN devices as if the connection came from the XG itself.

By default, traffic arriving from the IPsec tunnel reaches the devices on the LAN with its original source address, i.e. an address from the remote subnet. Some devices running a local firewall will not reply to it, because many host firewall rules (ICMP echo, file and printer sharing and similar) are scoped to the local subnet and silently drop requests from any other network range (anything outside their own broadcast domain). In other scenarios, for security reasons, you simply don't want your LAN hosts to see traffic from a different subnet.

In these cases, one option is to MASQUERADE the incoming IPsec traffic towards the LAN, so that it appears to come from the XG's local interface address. Keep in mind that the LAN hosts will then log the XG address instead of the real remote address, so the XG's own logs (and its Packet Capture utility) become the place to trace which remote host actually connected.

What to do

In our scenario, we are receiving pings from the 10.10.10.0/24 subnet, coming in over the IPsec tunnel, destined to a computer in the LAN zone with IP 172.16.15.100.

Our computer is responding only because we have disabled its local firewall, but we may not want to do that, or disabling the local firewall may not be an option at all.

What we can do at the XG level to resolve this is to MASQUERADE this traffic, so the end device sees it as if it were coming from the XG interface the device is connected to.

Our XG has the IP 172.16.15.254 and the computer 172.16.15.100, so we will configure the XG so that the traffic arriving at the computer is masqueraded as 172.16.15.254.

Steps on V17

1. Go to your VPN to LAN firewall rule and scroll down to NAT & Routing.

2. Tick "Rewrite source address (masquerading)". A new option called "Use outbound address" appears; select MASQ and click Save.

Now the pings reaching the computer will look as if they are coming from the Port1 interface IP of the XG.

Steps on v18 (we create an SNAT rule)

1. Go to Rules and policies >> NAT rules >> Add NAT rule >> enter a name, and configure the NAT rule as follows:

Translation settings

Original Source = Network configured as Remote Subnets in the IPsec configuration

Original Destination = ANY

Original Service = ANY 

Translated source (SNAT) = MASQ

Translated destination (DNAT) = Original

Translated service (PAT) = Original

Interface matching criteria

Inbound interface = ANY

Outbound interface = Port1 (the interface the LAN computer is connected to)

Two things to check if the pings still do not get replies: NAT rules are evaluated top-down and the first match wins, so place this rule above any broader SNAT rule (or a "no NAT" exemption) that could also match the remote subnet; and the NAT rule only rewrites the source address, so your VPN to LAN firewall rule must still allow the traffic.
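To make the mechanism behind both sets of steps visible, here is an added illustration (my own code for this RR, not Sophos code; it does not reproduce how XG implements NAT internally). It models a v18-style NAT table with first-match evaluation, a MASQ translation that uses the address of the outbound interface, and a LAN host whose firewall only answers its local subnet. The addresses and Port1 follow the scenario above; Port2 with 203.0.113.2 as the WAN side and the "VPN no-NAT" rule used to show the ordering pitfall are assumptions for the example.

```python
"""Model of what a MASQ source NAT rule changes for the LAN host.

Added illustration for this Recommended Read, not Sophos code: it does not
reproduce how XG implements NAT internally, only the behaviour the post
describes (first matching NAT rule wins, MASQ = address of the outbound
interface, host firewall scoped to its local subnet). Addresses and Port1
follow the post's scenario; Port2 / 203.0.113.2 as the WAN side and the
"VPN no-NAT" rule used for the ordering pitfall are assumptions.
"""
from dataclasses import dataclass, replace
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import List, Optional, Tuple

# Model firewall interfaces: name -> (interface address, connected network).
INTERFACES = {
    "Port1": (ip_address("172.16.15.254"), ip_network("172.16.15.0/24")),  # LAN
    "Port2": (ip_address("203.0.113.2"), ip_network("203.0.113.0/24")),    # WAN (assumed)
}
LAN = INTERFACES["Port1"][1]


@dataclass(frozen=True)
class Packet:
    src: IPv4Address
    dst: IPv4Address
    service: str  # "icmp", "tcp/3389", ...


@dataclass(frozen=True)
class NatRule:
    """One row of a v18-style NAT table; None means ANY for the match fields."""
    name: str
    original_source: Optional[IPv4Network]
    original_destination: Optional[IPv4Network]
    original_service: Optional[str]
    translated_source: str  # "MASQ", "Original" or a literal IPv4 address
    outbound_interface: Optional[str]


def egress_interface(dst: IPv4Address) -> str:
    """Interface whose connected network contains dst; otherwise the WAN port."""
    for name, (_, net) in INTERFACES.items():
        if dst in net:
            return name
    return "Port2"


def matches(rule: NatRule, pkt: Packet, out_if: str) -> bool:
    return (
        (rule.original_source is None or pkt.src in rule.original_source)
        and (rule.original_destination is None or pkt.dst in rule.original_destination)
        and (rule.original_service is None or rule.original_service == pkt.service)
        and (rule.outbound_interface is None or rule.outbound_interface == out_if)
    )


def apply_snat(rules: List[NatRule], pkt: Packet) -> Tuple[Packet, Optional[str]]:
    """Evaluate the NAT table top-down; the first match decides the new source."""
    out_if = egress_interface(pkt.dst)
    for rule in rules:
        if not matches(rule, pkt, out_if):
            continue
        if rule.translated_source == "MASQ":
            new_src = INTERFACES[out_if][0]      # address of the outbound interface
        elif rule.translated_source == "Original":
            new_src = pkt.src                    # explicit "do not translate"
        else:
            new_src = ip_address(rule.translated_source)
        return replace(pkt, src=new_src), rule.name
    return pkt, None  # no rule matched: source left untouched


def host_firewall_accepts(pkt: Packet, local_net: IPv4Network) -> bool:
    """Host firewall whose ICMP echo rule is scoped to the local subnet only."""
    return pkt.src in local_net


# The rule from the v18 steps: remote IPsec subnet -> MASQ when leaving Port1.
RULES_V18 = [NatRule("IPsec to LAN MASQ", ip_network("10.10.10.0/24"), None, None, "MASQ", "Port1")]

# Ordering pitfall (assumed rule): an exemption that keeps the original source,
# placed above ours, matches first and the masquerade never happens.
RULES_MISORDERED = [NatRule("VPN no-NAT", ip_network("10.10.10.0/24"), None, None, "Original", None)] + RULES_V18

# Constructed sample packet: a ping from the remote subnet to the LAN computer.
PING = Packet(ip_address("10.10.10.20"), ip_address("172.16.15.100"), "icmp")


def outcome(rules: List[NatRule], pkt: Packet = PING) -> Tuple[str, Optional[str], bool]:
    """(source address the LAN host sees, rule that fired, does the host reply?)."""
    translated, rule_name = apply_snat(rules, pkt)
    return str(translated.src), rule_name, host_firewall_accepts(translated, LAN)


if __name__ == "__main__":
    for label, rules in [("no NAT rule", []), ("v18 MASQ rule", RULES_V18), ("misordered", RULES_MISORDERED)]:
        print(f"{label:14s} -> host sees {outcome(rules)}")
```

Running it shows the three cases side by side: without a rule the host sees 10.10.10.20 and drops the ping, with the MASQ rule it sees 172.16.15.254 and replies, and with the exemption rule above ours the source stays 10.10.10.20 even though the MASQ rule is present, which is the ordering problem to look for when the tunnel is UP but nothing answers.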

Related Information:

Sophos XG Firewall: How to set a Site-to-Site IPsec VPN connection using a preshared key

Monitor traffic using Packet Capture Utility in the Sophos XG Firewall GUI

Create a source NAT rule


Regards,



Modified title
[edited by: emmosophos at 9:41 PM (GMT -8) on 20 Nov 2020]