Configuring NAT over a Site-to-Site IPsec VPN connection

Introduction

This article describes how to configure NAT over an IPsec VPN so that traffic can be distinguished between the local subnets behind each Sophos Firewall device when those local subnets overlap.

The following sections are covered:

  • Configure Sophos Firewall 1.
  • Configure Sophos Firewall 2.
  • Establish the IPsec connection.
  • Confirm traffic flow.
  • Additional information.

All configuration details are based on the network in the diagram shown below.


Site-to-site IPsec NAT network diagram

Configure Sophos Firewall 1

Configure the first Sophos Firewall device to NAT traffic over the site-to-site connection.

  1. Go to Hosts and services > IP host, select Add, and create the local LAN.

    Local LAN IP host configuration on XG one
  2. Go to Hosts and services > IP host, select Add, and create the local NATed LAN.

    Local translated LAN IP host configuration on XG one
  3. Go to Hosts and services > IP host, select Add, and create the remote NATed LAN.

    Remote translated LAN IP host configuration on XG one
  4. Go to VPN > IPsec connections and select Add.
  5. Configure the IPsec connection using the parameters below:

    IPsec configuration on XG one
  6. Click Save.
  7. Click Status (the button that activates or deactivates the connection) to activate the connection.

    Activate IPsec connection on XG one
  8. Go to Rules and policies > Firewall rules and click Add firewall rule.
  9. Create two rules, as shown below:

    One rule to allow inbound traffic.


    Inbound firewall rule on XG one

    One rule to allow outbound traffic.


    Outbound firewall rule on XG one
    Note: Make sure that VPN firewall rules are at the top of the firewall rule list.

Configure Sophos Firewall 2

Configure the second Sophos Firewall device to NAT traffic over the site-to-site connection.

  1. Go to Hosts and services > IP host, select Add, and create the local LAN.

    Local LAN IP host configuration on XG two
  2. Go to Hosts and services > IP host, select Add, and create the local NATed LAN.

    Local translated LAN IP host configuration on XG two
  3. Go to Hosts and services > IP host, select Add, and create the remote NATed LAN.

    Remote translated LAN IP host configuration on XG two
  4. Go to VPN > IPsec connections and select Add.
  5. Configure the IPsec connection using the parameters below:

    IPsec configuration on XG two
  6. Click Save.
  7. Click Status (the button that activates or deactivates the connection) to activate the connection.

    Activate IPsec connection on XG two
  8. Go to Rules and policies > Firewall rules and click Add firewall rule.
  9. Create two rules, as shown below:

    One rule to allow inbound traffic.


    Inbound firewall rule on XG two

    One rule to allow outbound traffic.


    Outbound firewall rule on XG two
    Note: Make sure that VPN firewall rules are at the top of the firewall rule list.

Establish the IPsec connection

Once both Sophos Firewall devices at the head and branch offices are configured, you must establish the IPsec connection.

  1. Go to VPN > IPsec connections.
  2. Click Status (the button that activates or deactivates the connection) to activate the connection.

    Active IPsec connection
    The connection indicator turns green when the connection is established.

    IPsec connection established

Confirm traffic flow

  1. Generate some traffic that goes across the VPN connection.
  2. Go to Rules and policies > Firewall rules.
  3. Confirm that the firewall rules created earlier are allowing traffic in both directions.

    Confirm firewall rules are allowing traffic
  4. Go to Reports > VPN and confirm IPsec usage.

    IPsec report traffic
  5. Click on the connection name to show further details.

    IPsec report connection details

Additional information

In a head office and branch office configuration, the Sophos Firewall at the branch office usually acts as the tunnel initiator and the Sophos Firewall at the head office as the responder, for the following reasons:

  • When the branch office device is configured with a dynamic IP address, the head office device cannot initiate the connection.
  • As the number of branch offices varies, we recommend that each branch office retry the connection instead of the head office retrying all connections to the branch offices.

The example scenario in this guide shows a 1:1 NAT. Depending on the network requirements, it is also possible to configure a 1:n NAT (SNAT) or a full NAT.
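The three IP host objects configured on each firewall above must mirror each other exactly, and for a 1:1 NAT the translated prefix must be the same size as the real LAN it hides. The following Python script is an added example, not part of this article or of Sophos Firewall; it uses constructed sample subnets (the article's diagram values are not reproduced here, so these are assumptions) to check that consistency before the tunnel is brought up, and to show which address a host in one office is reached at from the other.

```python
from ipaddress import IPv4Address, ip_network

# Constructed sample addressing for the two offices (assumptions, not the
# article's diagram). Both LANs use 192.168.1.0/24: the overlap that NAT over
# the tunnel is meant to resolve.
SITE1 = {"local_lan": "192.168.1.0/24", "local_nat": "10.1.1.0/24", "remote_nat": "10.2.2.0/24"}
SITE2 = {"local_lan": "192.168.1.0/24", "local_nat": "10.2.2.0/24", "remote_nat": "10.1.1.0/24"}


def check_nat_over_ipsec(site1, site2):
    """Return the problems found in the three IP host objects of each firewall.

    Mirrors what the GUI steps set up: the two local LANs overlap (the reason NAT
    is needed), each translated LAN is the same size as the LAN it hides (1:1 NAT),
    no translated LAN collides with a real LAN or with the other translated LAN,
    and each firewall's remote NATed LAN is exactly the peer's local NATed LAN.
    """
    s1 = {k: ip_network(v) for k, v in site1.items()}
    s2 = {k: ip_network(v) for k, v in site2.items()}
    problems = []
    if not s1["local_lan"].overlaps(s2["local_lan"]):
        problems.append("local LANs do not overlap; NAT over the tunnel is not required")
    for name, s in (("firewall 1", s1), ("firewall 2", s2)):
        if s["local_lan"].prefixlen != s["local_nat"].prefixlen:
            problems.append(f"{name}: translated LAN is not the same size as the local LAN (not 1:1)")
    for label, net in (("firewall 1 local NAT", s1["local_nat"]), ("firewall 2 local NAT", s2["local_nat"])):
        for real in {s1["local_lan"], s2["local_lan"]}:
            if net.overlaps(real):
                problems.append(f"{label} {net} overlaps real LAN {real}")
    if s1["local_nat"].overlaps(s2["local_nat"]):
        problems.append("the two translated LANs overlap each other")
    if s1["remote_nat"] != s2["local_nat"]:
        problems.append("firewall 1 remote NATed LAN must equal firewall 2 local NATed LAN")
    if s2["remote_nat"] != s1["local_nat"]:
        problems.append("firewall 2 remote NATed LAN must equal firewall 1 local NATed LAN")
    return problems


def translate_1to1(host, local_lan, local_nat):
    """Address the peer office must use for `host`: same host offset, translated prefix."""
    lan, nat = ip_network(local_lan), ip_network(local_nat)
    addr = IPv4Address(host)
    if addr not in lan:
        raise ValueError(f"{addr} is not inside {lan}")
    return IPv4Address(int(nat.network_address) + (int(addr) - int(lan.network_address)))


if __name__ == "__main__":
    print(check_nat_over_ipsec(SITE1, SITE2) or "configuration is consistent")
    print("192.168.1.10 at office 1 is reached from office 2 as",
          translate_1to1("192.168.1.10", SITE1["local_lan"], SITE1["local_nat"]))
```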