NAT with route-based IPsec when local and remote subnets are the same
You can configure Network Address Translation (NAT) for route-based IPsec VPN tunnels when the subnets are the same in the local and remote firewalls.
This article shows an example configuration for tunnel interfaces with any-to-any subnets.
-
Configure the following:
- IPsec connection
- Inbound and outbound firewall rules
- SD-WAN route
-
Do as follows in the head office and branch office firewalls:
- Configure a DNAT rule with a reflexive (SNAT) rule.
- Review the SNAT rule.
Head office firewall
Configure DNAT and SNAT rules in the head office firewall (Sophos Firewall 1).
Configure a DNAT rule
Add a DNAT rule to translate incoming traffic that arrives at the NAT IP range to the local subnet's IP range.
- Go to Rules and policies > NAT rules.
- Click Add NAT rule and click New NAT rule.
- Enter the rule name.
- Set Original source to the branch office NAT range object (example:
192.168.3.1 to 192.168.3.255
). - Set Translated source to Original.
- Set Original destination to the IP range object you created for the translation (example:
192.168.1.1 to 192.168.1.255
). -
Set Translated destination to the actual local subnet object (example:
192.168.2.1 to 192.168.2.255
). -
Select Create reflexive rule to create a corresponding SNAT rule for outgoing traffic.
-
For Load balancing method, select One-to-one.
-
Click Save.
Review the SNAT rule
Check the SNAT rule for outgoing traffic to translate the local subnet's IP range to the object you created for translation.
- Go to Rules and policies > NAT rules.
-
Click the reflexive rule you've created.
Example:
Reflexive_NAT#_<DNAT rulename>
-
Review the source translation settings. The example settings are as follows:
- Original source:
192.168.2.1 to 192.168.2.255
- Translated source:
192.168.1.1 to 192.168.1.255
- Original destination:
192.168.3.1 to 192.168.3.255
-
Translated destination: Original
Outgoing traffic is translated from the subnet's actual IP range to the translated IP range.
- Original source:
Branch office firewall
Configure DNAT and SNAT rules in the branch office firewall (Sophos Firewall 2).
Configure a DNAT rule
Add a DNAT rule to translate incoming traffic that arrives at the NAT IP range to the local subnet's IP range.
- Go to Rules and policies > NAT rules.
- Click Add NAT rule and click New NAT rule.
- Enter the rule name.
- Set Original source to the head office NAT range object (example:
192.168.1.1 to 192.168.1.255
). - Set Translated source to Original.
- Set Original destination to the IP range object you created for the translation (example:
192.168.3.1 to 192.168.3.255
). -
Set Translated destination to the actual local subnet object (example:
192.168.2.1 to 192.168.2.255
). -
Select Create reflexive rule to create a corresponding SNAT rule for outgoing traffic.
-
For Load balancing method, select One-to-one.
-
Click Save.
Review the SNAT rule
Check the SNAT rule for outgoing traffic to translate the local subnet's IP range to the object you created for translation.
- Go to Rules and policies > NAT rules.
-
Click the reflexive rule you've created.
Example:
Reflexive_NAT#_<DNAT rulename>
-
Review the source translation settings. The example settings are as follows:
- Original source:
192.168.2.1 to 192.168.2.255
- Translated source:
192.168.3.1 to 192.168.3.255
- Original destination:
192.168.1.1 to 192.168.1.255
-
Translated destination: Original
Outgoing traffic is translated from the subnet's actual IP range to the translated IP range.
- Original source: