Sophos XG Firewall: How to apply NAT over a Site-to-Site IPsec VPN connection

Purpose of the article

  • This article describes how to configure NAT over a site-to-site IPsec VPN so that the local subnets behind two Sophos XG Firewalls can be told apart when those local subnets overlap.

Network diagram and scenario

  • As shown in the network diagram, we configure a site-to-site IPsec VPN connection between Sophos Firewall 1 and Sophos Firewall 2.
  • The problem is that the LANs behind the two devices use the same subnet. With identical address ranges on both ends, a host cannot tell a remote peer from a local one, and both firewalls would negotiate the same local and remote network for the tunnel.
  • To solve this, NAT is applied as part of the IPsec connection settings on both devices, so that each firewall presents its LAN to the other side as a different, non-overlapping range.
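The following Python script is an added example, not part of the original article or of the Sophos product: it models the 1:1 NAT that the tunnel relies on and checks that a plan of real and NATed ranges is sound before anything is typed into the firewalls. The addresses are the ones used later in the Results section (172.16.16.100 presented as 172.16.17.100, 172.16.16.200 presented as 172.16.18.200); the /24 prefix length and all function and class names are this example's own assumptions.

```python
"""1:1 (netmap-style) NAT planning for a site-to-site IPsec tunnel whose LANs overlap.

Added example. Addresses follow the article's Results section; the /24 prefix
length and the names below are assumptions made for this script.
"""
import ipaddress
from dataclasses import dataclass

IPv4Net = ipaddress.IPv4Network
IPv4Addr = ipaddress.IPv4Address


@dataclass(frozen=True)
class Site:
    name: str
    lan: IPv4Net      # real LAN behind the firewall
    nat_lan: IPv4Net  # how that LAN is presented to the peer over the tunnel


def netmap(addr: str, src: IPv4Net, dst: IPv4Net) -> IPv4Addr:
    """Translate one address 1:1 between two same-size subnets: the host bits
    are kept, only the network bits change (172.16.16.100 -> 172.16.17.100)."""
    if src.prefixlen != dst.prefixlen:
        raise ValueError("1:1 NAT needs subnets of equal size")
    ip = IPv4Addr(addr)
    if ip not in src:
        raise ValueError(f"{ip} is outside {src}")
    return dst.network_address + (int(ip) - int(src.network_address))


def check_plan(a: Site, b: Site) -> list:
    """Return the reasons a NAT plan cannot work (an empty list means it is sound)."""
    problems = []
    for site, peer in ((a, b), (b, a)):
        # The NATed range must be a 1:1 image of the real LAN.
        if site.lan.prefixlen != site.nat_lan.prefixlen:
            problems.append(f"{site.name}: {site.nat_lan} is not the same size as {site.lan}")
        # Hosts behind the peer reach site.nat_lan through the tunnel; if that range
        # collides with the peer's own LAN, the peer's hosts treat it as local.
        if site.nat_lan.overlaps(peer.lan):
            problems.append(f"{site.name}: {site.nat_lan} overlaps {peer.name}'s LAN {peer.lan}")
        # The NATed range must also differ from the site's own LAN, or nothing is translated.
        if site.nat_lan.overlaps(site.lan):
            problems.append(f"{site.name}: {site.nat_lan} overlaps its own LAN {site.lan}")
    if a.nat_lan.overlaps(b.nat_lan):
        problems.append("the two NATed ranges overlap each other")
    return problems


def ipsec_selectors(site: Site, peer: Site) -> dict:
    """Networks each firewall negotiates for the tunnel: its own NATed LAN as local,
    the peer's NATed LAN as remote. The real overlapping subnet never appears."""
    return {"local": str(site.nat_lan), "remote": str(peer.nat_lan)}


def trace_packet(src: str, dst: str, a: Site, b: Site) -> dict:
    """Follow a packet from a host behind `a` to a NATed address of `b`:
    source translated on a's firewall, destination translated back on b's."""
    tunnel_src = netmap(src, a.lan, a.nat_lan)   # firewall a rewrites the source
    real_dst = netmap(dst, b.nat_lan, b.lan)     # firewall b rewrites the destination
    return {"tunnel_src": str(tunnel_src), "tunnel_dst": dst, "delivered_to": str(real_dst)}


# The article's topology: identical LANs on both sides, each presented through a distinct range.
SITE1 = Site("Sophos Firewall 1", IPv4Net("172.16.16.0/24"), IPv4Net("172.16.17.0/24"))
SITE2 = Site("Sophos Firewall 2", IPv4Net("172.16.16.0/24"), IPv4Net("172.16.18.0/24"))

if __name__ == "__main__":
    print("problems:", check_plan(SITE1, SITE2) or "none")
    print("FW1 selectors:", ipsec_selectors(SITE1, SITE2))
    print("FW2 selectors:", ipsec_selectors(SITE2, SITE1))
    print("PC1 -> 172.16.18.200:", trace_packet("172.16.16.100", "172.16.18.200", SITE1, SITE2))
```

Run it before configuring the firewalls: `check_plan` rejects the two mistakes that silently break this setup (a NATed range that is the same as the peer's real LAN, or no translation at all), and `ipsec_selectors` shows why the IP hosts created in the next steps are the NATed ranges rather than the real 172.16.16.x subnet.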

Configuring Sophos Firewall 1

Add local and remote LAN

  • Go to Hosts and Services > IP Host and select Add to create the local LAN (the real subnet behind this firewall).
  • Go to Hosts and Services > IP Host and select Add to create the local NATed LAN (the range this firewall's LAN is presented as over the tunnel).
  • Go to Hosts and Services > IP Host and select Add to create the remote NATed LAN (the range the other firewall presents its LAN as).

Create an IPsec VPN connection

  • Go to VPN > IPsec Connections and select Add. Create the connection using the following parameters:
  • Click Save. The newly created connection appears in the connection list.
  • Click the red circle icon in the Active column to activate the connection.

Add two firewall rules allowing VPN traffic

  • Go to Firewall and click +Add Firewall Rule. Create two user/network rules as shown below: one for traffic from the LAN to the VPN zone and one for traffic from the VPN zone to the LAN.

Configuring Sophos Firewall 2

Add local and remote LAN

  • Go to Hosts and Services > IP Host and select Add to create the local LAN (the real subnet behind this firewall).
  • Go to Hosts and Services > IP Host and select Add to create the local NATed LAN (the range this firewall's LAN is presented as over the tunnel).
  • Go to Hosts and Services > IP Host and select Add to create the remote NATed LAN (the range the other firewall presents its LAN as).

Create an IPsec VPN connection

  • Go to VPN > IPsec Connections and select Add. Create the connection using the following parameters:
  • Click Save. The newly created connection appears in the connection list.
  • Click the red circle icon in the Active column to activate the connection.

Add two firewall rules allowing VPN traffic

  • Go to Firewall and click +Add Firewall Rule. Create two user/network rules as shown below: one for traffic from the LAN to the VPN zone and one for traffic from the VPN zone to the LAN.

Establishing the IPsec connection

  • Once both Sophos Firewall 1 and Sophos Firewall 2 are configured, bring up the IPsec connection between them.
  • Go to VPN > IPsec Connections and click the round icon in the Status (Connection) column.
  • The icon turns green once the two devices have established the VPN.

Results

  • Generate some traffic to confirm the tunnel works.
  • Here we ping between two machines on the LANs behind the two devices.
  • The computer named PC1 behind Sophos Firewall 1 has the IP address 172.16.16.100. After NAT over the VPN, the address used to reach it from the other site is 172.16.17.100.
  • Ping PC1 at that NATed address from the machine behind Sophos Firewall 2; the result is shown below.
  • Similarly, the computer WIN-1IPUCKVKUMF on the LAN behind Sophos Firewall 2 has the IP address 172.16.16.200. After NAT over the VPN, the address used to reach it is 172.16.18.200.
  • Ping it from PC1 at that NATed address; the result is shown below.
  • Go to Firewall and verify that the two VPN rules are matching traffic in both directions (LAN to VPN and VPN to LAN).
  • Go to Reports > VPN and verify the IPsec usage.
