Assume the user is connected to the corporate LAN through the Sophos Connect Client. The user’s home network range is “192.168.10.0/24” and the corporate LAN also uses “192.168.10.0/24”. When the user connects the IPsec VPN via Sophos Connect Client and pings any corporate LAN IP address, the request does not pass through the VPN tunnel; instead, because the destination matches the directly connected home subnet, the client looks up the destination host on the local home network.
2. Network Diagram.
This article guides you through the configuration that fixes errors with the Sophos Connect Client when the remote user’s network conflicts with the corporate LAN network provided by Sophos Firewall.
To solve this problem, you add another, non-conflicting network range to the Sophos Connect Client’s permitted networks and create a DNAT rule that translates that range to the corporate LAN network.
Step 1: Create Host & Service
On the administrative interface of Sophos Firewall (version 19.0) > Configure > Remote Access VPN > IPsec.
Scroll down to Advanced settings > Permitted network resources (IPv4) > Add new item > Add > Network.
Create a network as shown below. Click Save.
Next, create an IP host range named “10.1.1.0_Network” that will be mapped to the internal network range.
Go to System > Host & Service > IP host > Add and create the host as shown below.
Step 2: Create a DNAT rule.
Note: Keep the NAT rule on top.
Navigate to Protect > Rule & Policies > Nat rule > New Nat rule and create the rule as shown below.
With this rule in place, any user traffic destined for network 10.1.1.0/24 (10.1.1.10-10.1.1.200) is redirected to the corresponding internal address (192.168.10.10-192.168.10.200).
Step 3: Create Firewall rule.
Note: Keep the firewall rule on top.
Navigate to Protect > Rule & Policies > Firewall rule > Add new firewall rule.
Now create a firewall rule that allows traffic from the VPN zone to the LAN zone when the user accesses network 10.1.1.0/24 (10.1.1.10-10.1.1.200). Create the firewall rule as shown below.
In summary, we have added a non-conflicting (“fake”) network to the Sophos Connect client. When the client sends traffic to this fake network, the firewall matches it against the DNAT rule we created and translates the destination to the internal network.
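The following Python script is an added example, not part of the original article or Sophos’ own tooling. It models the three pieces of the procedure above on the article’s addresses (home LAN 192.168.10.0/24, corporate LAN 192.168.10.0/24, alternate range 10.1.1.0/24, all constructed sample values): the client’s route selection that causes the original failure, the pre-flight checks you should make on the alternate range before pushing it to clients, and the 1:1 address translation the DNAT rule performs. The tie-break behaviour in `client_route` (a directly connected route wins over a tunnel route of equal prefix length) is an assumption that matches the behaviour the article describes.

```python
import ipaddress

# Constructed sample values matching the article's scenario (assumption: the
# remote user's home LAN and the corporate LAN both use 192.168.10.0/24, and
# 10.1.1.0/24 is the alternate range pushed to the Sophos Connect client).
HOME_NET = "192.168.10.0/24"
CORP_NET = "192.168.10.0/24"
ALT_NET = "10.1.1.0/24"


def networks_overlap(net_a, net_b):
    """True when two IPv4 ranges share at least one address (the root cause)."""
    return ipaddress.ip_network(net_a).overlaps(ipaddress.ip_network(net_b))


def client_route(dst, local_nets, tunnel_nets):
    """Simulate the VPN client's routing decision with longest-prefix match.

    Assumption: on a tie in prefix length the directly connected (local) route
    wins, which is the behaviour the article describes for the overlap case.
    Returns "local", "tunnel" or "default".
    """
    dst = ipaddress.ip_address(dst)
    best_len, best_via = -1, "default"
    # Local routes are evaluated first, so with the strict '>' below they win ties.
    for nets, via in ((local_nets, "local"), (tunnel_nets, "tunnel")):
        for net in map(ipaddress.ip_network, nets):
            if dst in net and net.prefixlen > best_len:
                best_len, best_via = net.prefixlen, via
    return best_via


def dnat_translate(dst, alt_net, corp_net):
    """Apply the article's DNAT rule: host N in the alternate range becomes
    host N in the corporate range (10.1.1.10 -> 192.168.10.10).
    Packets outside the alternate range do not match the rule and are unchanged."""
    dst = ipaddress.ip_address(dst)
    alt = ipaddress.ip_network(alt_net)
    corp = ipaddress.ip_network(corp_net)
    if dst not in alt:
        return str(dst)
    offset = int(dst) - int(alt.network_address)
    return str(ipaddress.ip_address(int(corp.network_address) + offset))


def validate_alt_range(alt_net, home_net, corp_net):
    """Checks to make before pushing the alternate range to clients.
    Returns a list of problems; an empty list means the range is usable."""
    alt = ipaddress.ip_network(alt_net)
    home = ipaddress.ip_network(home_net)
    corp = ipaddress.ip_network(corp_net)
    problems = []
    if alt.overlaps(home):
        problems.append("alternate range overlaps the remote user's home network")
    if alt.overlaps(corp):
        problems.append("alternate range overlaps the corporate LAN")
    if alt.prefixlen != corp.prefixlen:
        problems.append("alternate range must be the same size as the corporate LAN for a 1:1 mapping")
    return problems


def simulate_ping(dst, home_net, corp_net, alt_net):
    """End-to-end view: which path the client picks for dst, and which address
    the firewall finally delivers to after DNAT. Both the original corporate
    range and the alternate range are pushed to the client, as in the article."""
    via = client_route(dst, [home_net], [corp_net, alt_net])
    delivered = dnat_translate(dst, alt_net, corp_net) if via == "tunnel" else dst
    return via, delivered


if __name__ == "__main__":
    print("overlap:", networks_overlap(HOME_NET, CORP_NET))
    print("alt range problems:", validate_alt_range(ALT_NET, HOME_NET, CORP_NET))
    for target in ("192.168.10.10", "10.1.1.10", "10.1.1.200"):
        print(target, "->", simulate_ping(target, HOME_NET, CORP_NET, ALT_NET))
```

Running the script shows why pinging 192.168.10.10 stays on the home LAN while 10.1.1.10 goes through the tunnel and arrives at 192.168.10.10. Two practical consequences follow from the model: remote users must address corporate hosts by their 10.1.1.x alias (a DNS name that still resolves to 192.168.10.x will be routed locally), and the alternate range must be chosen per deployment so that it overlaps neither the corporate LAN nor the home networks your users typically have, which is what `validate_alt_range` checks.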