NAT with route-based IPsec when local and remote subnets are the same

You can configure Network Address Translation (NAT) for route-based IPsec VPN tunnels when the subnets are the same in the local and remote firewalls.

This article shows an example configuration for tunnel interfaces with any-to-any subnets.

Site-to-site IPsec NAT network diagram.

  1. Configure the following:

    1. IPsec connection
    2. Inbound and outbound firewall rules
    3. SD-WAN route

    See Create a route-based VPN (any to any subnets).

  2. Do as follows in the head office and branch office firewalls:

    1. Configure a DNAT rule with a reflexive (SNAT) rule.
    2. Review the SNAT rule.

Head office firewall

Configure DNAT and SNAT rules in the head office firewall (Sophos Firewall 1).

Configure a DNAT rule

Add a DNAT rule that translates the destination of incoming tunnel traffic addressed to the NAT IP range to the local subnet's actual IP range.

  1. Go to Rules and policies > NAT rules.
  2. Click Add NAT rule and click New NAT rule.
  3. Enter the rule name.
  4. Set Original source to the branch office NAT range object (example: 192.168.3.1 to 192.168.3.255).
  5. Set Translated source to Original.
  6. Set Original destination to the IP range object you created for the translation (example: 192.168.1.1 to 192.168.1.255).
  7. Set Translated destination to the actual local subnet object (example: 192.168.2.1 to 192.168.2.255).

    DNAT translation settings in HO firewall.

  8. Select Create reflexive rule to create a corresponding SNAT rule for outgoing traffic.

  9. For Load balancing method, select One-to-one.

    Reflexive rule and load balancing.

  10. Click Save.

Review the SNAT rule

Check the SNAT rule for outgoing traffic to translate the local subnet's IP range to the object you created for translation.

  1. Go to Rules and policies > NAT rules.
  2. Click the reflexive rule you've created.

    Example: Reflexive_NAT#_<DNAT rulename>

  3. Review the source translation settings. The example settings are as follows:

    1. Original source: 192.168.2.1 to 192.168.2.255
    2. Translated source: 192.168.1.1 to 192.168.1.255
    3. Original destination: 192.168.3.1 to 192.168.3.255
    4. Translated destination: Original

      SNAT translation settings in HO firewall.

    Outgoing traffic is translated from the subnet's actual IP range to the translated IP range.

Branch office firewall

Configure DNAT and SNAT rules in the branch office firewall (Sophos Firewall 2).

Configure a DNAT rule

Add a DNAT rule that translates the destination of incoming tunnel traffic addressed to the NAT IP range to the local subnet's actual IP range.

  1. Go to Rules and policies > NAT rules.
  2. Click Add NAT rule and click New NAT rule.
  3. Enter the rule name.
  4. Set Original source to the head office NAT range object (example: 192.168.1.1 to 192.168.1.255).
  5. Set Translated source to Original.
  6. Set Original destination to the IP range object you created for the translation (example: 192.168.3.1 to 192.168.3.255).
  7. Set Translated destination to the actual local subnet object (example: 192.168.2.1 to 192.168.2.255).

    DNAT translation settings in BO firewall.

  8. Select Create reflexive rule to create a corresponding SNAT rule for outgoing traffic.

  9. For Load balancing method, select One-to-one.

    Reflexive rule and load balancing.

  10. Click Save.

Review the SNAT rule

Check the SNAT rule for outgoing traffic to translate the local subnet's IP range to the object you created for translation.

  1. Go to Rules and policies > NAT rules.
  2. Click the reflexive rule you've created.

    Example: Reflexive_NAT#_<DNAT rulename>

  3. Review the source translation settings. The example settings are as follows:

    1. Original source: 192.168.2.1 to 192.168.2.255
    2. Translated source: 192.168.3.1 to 192.168.3.255
    3. Original destination: 192.168.1.1 to 192.168.1.255
    4. Translated destination: Original

      SNAT translation settings in BO firewall.

    Outgoing traffic is translated from the subnet's actual IP range to the translated IP range.
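The following is an added example, not part of this article or of Sophos Firewall, that models the four rules above (DNAT plus reflexive SNAT on each firewall) as one-to-one address maps and traces a packet from a branch host to a head-office host and back. It assumes the article's example ranges (both LANs 192.168.2.0/24, head office reached as 192.168.1.0/24, branch as 192.168.3.0/24) and the constructed hosts 192.168.2.10 (branch) and 192.168.2.20 (head office); the host offset is preserved, which is what the One-to-one load balancing method provides.

```python
from dataclasses import dataclass, replace
from ipaddress import IPv4Address, IPv4Network

# Assumed ranges from the article: both sites use 192.168.2.0/24 locally;
# the head office is addressed as 192.168.1.x, the branch as 192.168.3.x.
LAN = IPv4Network("192.168.2.0/24")
HO_NAT = IPv4Network("192.168.1.0/24")
BO_NAT = IPv4Network("192.168.3.0/24")


@dataclass(frozen=True)
class Packet:
    src: IPv4Address
    dst: IPv4Address


def one_to_one(addr, original, translated):
    """Map addr to the host with the same offset in 'translated' (one-to-one)."""
    if addr not in original:
        return addr
    return translated[int(addr) - int(original.network_address)]


def dnat(pkt, peer_nat, local_nat):
    """DNAT rule: from the peer's NAT range, to our NAT range -> real local host."""
    if pkt.src in peer_nat and pkt.dst in local_nat:
        return replace(pkt, dst=one_to_one(pkt.dst, local_nat, LAN))
    return pkt


def snat(pkt, peer_nat, local_nat):
    """Reflexive SNAT: from the real local subnet, to the peer's NAT range -> our NAT range."""
    if pkt.src in LAN and pkt.dst in peer_nat:
        return replace(pkt, src=one_to_one(pkt.src, LAN, local_nat))
    return pkt


def branch_to_head_office(branch_host, ho_nat_addr):
    """Trace a packet: branch host -> Sophos Firewall 2 (SNAT) -> tunnel -> Sophos Firewall 1 (DNAT)."""
    pkt = Packet(IPv4Address(branch_host), IPv4Address(ho_nat_addr))
    on_tunnel = snat(pkt, peer_nat=HO_NAT, local_nat=BO_NAT)
    delivered = dnat(on_tunnel, peer_nat=BO_NAT, local_nat=HO_NAT)
    return on_tunnel, delivered


def head_office_reply(delivered):
    """Trace the reply: head-office host -> Sophos Firewall 1 (SNAT) -> tunnel -> Sophos Firewall 2 (DNAT)."""
    reply = Packet(delivered.dst, delivered.src)
    on_tunnel = snat(reply, peer_nat=BO_NAT, local_nat=HO_NAT)
    back = dnat(on_tunnel, peer_nat=HO_NAT, local_nat=BO_NAT)
    return on_tunnel, back
```

Note that a branch host addressing 192.168.2.20 directly matches no rule and stays on its own LAN, which is why hosts must use the peer's NAT address to reach the other site.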