
NAT with policy-based IPsec when local and remote subnets are the same

Configure Network Address Translation (NAT) with policy-based IPsec VPN when the subnets are the same in the local and remote firewalls.

You can use 1:1 (host-to-host), 1:n (host-to-subnet), or n:n (subnet-to-subnet) NAT. To configure n:n NAT, the original and translated subnets must be of the same size.

The example scenario shows n:n NAT with a /24 subnet.

Key steps

The key steps are as follows:

  1. Configure the head office firewall:

    1. Add the IP hosts.
    2. Add an IPsec connection.
    3. Add inbound and outbound firewall rules.
  2. Configure the branch office firewall:

    1. Add the IP hosts.
    2. Add an IPsec connection.
    3. Add inbound and outbound firewall rules.
  3. Establish the IPsec connection.

  4. Confirm the traffic flow.

All configuration details are examples based on the network in the following diagram:

Site-to-site IPsec NAT network diagram.

Head office firewall

Configure the following:

Configure IP hosts

Configure the head office firewall to NAT traffic over the site-to-site connection. The following are example settings:

  1. Go to Hosts and services > IP host, select Add, and create the local LAN.

    Here's an example:

    Local LAN IP host configuration on firewall one.

  2. Go to Hosts and services > IP host, select Add, and create the local NATed LAN.

    Here's an example:

    Local translated LAN IP host configuration on firewall one.

  3. Go to Hosts and services > IP host, select Add, and create the remote NATed LAN.

    Here's an example:

    Remote translated LAN IP host configuration on firewall one.

Note

You must use the same subnet mask for the local LAN and NAT networks.

Configure an IPsec connection

The following are example settings:

  1. Go to Site-to-site VPN > IPsec.
  2. Under IPsec connections, click Add.
  3. Enter a name.
  4. Make sure Connection type is set to Site-to-site.
  5. Make sure Gateway type is set to Respond only.

    Here's an example:

    IPsec configuration on firewall one.

  6. Under Encryption, set Profile to DefaultHeadOffice.

  7. For Authentication type, select Preshared key.
  8. Enter a preshared key.
  9. Confirm the preshared key.

    Here's an example:

    Encryption settings on firewall one.

  10. For Listening interface, select Port2.

  11. For Gateway address, enter 172.20.120.15.
  12. For Local subnet, select NAT_LAN_HO_192.168.1.0.
  13. For Remote subnet, select NAT_LAN_BO_192.168.3.0.
  14. Select Network address translation (NAT).
  15. For Original subnet, select HO_LAN_192.168.2.0.
  16. Click Save.

    Here's an example:

    Gateway, subnet, and NAT settings in HO.

  17. Click the status button to activate the connection.

    Activate IPsec connection on firewall one.

Configure firewall rules

The following are example settings:

  1. Go to Rules and policies > Firewall rules and click Add firewall rule.
  2. Create two rules as follows:

    1. One rule to allow inbound traffic.

      Inbound firewall rule on firewall one.

    2. One rule to allow outbound traffic.

      Outbound firewall rule on firewall one.

    Note

    Make sure that VPN firewall rules are at the top of the firewall rule list.

Branch office firewall

Configure the following:

Configure IP hosts

Configure the second Sophos Firewall to NAT traffic over the site-to-site connection. The following are example settings:

  1. Go to Hosts and services > IP host, select Add, and create the local LAN.

    Local LAN IP host configuration on firewall two.

  2. Go to Hosts and services > IP host, select Add, and create the local NATed LAN.

    Local translated LAN IP host configuration on firewall two.

  3. Go to Hosts and services > IP host, select Add, and create the remote NATed LAN.

    Remote translated LAN IP host configuration on firewall two.

Note

You must use the same subnet mask for the local LAN and NAT networks.

Configure an IPsec connection

The following are example settings:

  1. Go to Site-to-site VPN > IPsec and select Add.
  2. Enter a name.
  3. Make sure Connection type is set to Site-to-site.
  4. Make sure Gateway type is set to Initiate the connection.

    Here's an example:

    IPsec configuration on firewall one.

  5. Under Encryption, set Profile to DefaultBranchOffice.

  6. For Authentication type, select Preshared key.
  7. Enter a preshared key and enter it again.

    Here's an example:

    Encryption settings on firewall one.

  8. For Listening interface, select Port3.

  9. For Gateway address, enter 172.20.120.10.
  10. For Local subnet, select NAT_LAN_BO_192.168.3.0.
  11. For Remote subnet, select NAT_LAN_HO_192.168.1.0.
  12. Select Network address translation (NAT).
  13. For Original subnet, select BO_LAN_192.168.2.0.
  14. Click Save.

    Here's an example:

    Encryption settings on firewall one.

  15. Click the status button to activate the connection.

    Activate IPsec connection on firewall one.

Configure firewall rules

The following are example settings:

  1. Go to Rules and policies > Firewall rules and click Add firewall rule.
  2. Create two rules as follows:

    1. One rule to allow inbound traffic.

      Inbound firewall rule on firewall two.

    2. One rule to allow outbound traffic.

      Outbound firewall rule on firewall two.

    Note

    Make sure that VPN firewall rules are at the top of the firewall rule list.

Establish the IPsec connection

Once both Sophos Firewall devices at the head and branch offices are configured, you must establish the IPsec connection.

  1. Go to Site-to-site VPN > IPsec.
  2. Click the status button to activate the connection.

    Active IPsec connection.

    The connection indicator turns green when the connection is established.

    IPsec connection established.

Confirm traffic flow

  1. Generate some traffic that goes across the VPN connection.
  2. Go to Rules and policies > Firewall rules.
  3. Confirm the firewall rules created earlier are allowing traffic flow in both directions.

    Confirm firewall rules are allowing traffic.

  4. Go to Reports > VPN and confirm IPsec usage.

    IPsec report traffic.

  5. Click the connection name to show further details.

    IPsec report connection details.

Check tunnel connectivity

To confirm end-to-end connectivity through the tunnel, send a ping from the branch and head office endpoints to the NAT addresses you've configured on the remote firewall. Do as follows:

  1. On the branch office endpoint, open the Windows command prompt.
  2. Run the following command: ping 192.168.1.2.
  3. On the head office endpoint, open the Windows command prompt.
  4. Run the following command: ping 192.168.3.2.
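The two pings above exercise both translation directions. The following Python model is added here and is not part of the Sophos documentation; it applies the page's subnets (original 192.168.2.0/24 at both sites, translated 192.168.1.0/24 for the head office and 192.168.3.0/24 for the branch office) to show how each firewall rewrites addresses, why the original and translated subnets must be the same size, and why a destination inside the overlapping local range never enters the tunnel. The class and function names are my own.

```python
import ipaddress


class NatSite:
    """One firewall end of the policy-based tunnel (hypothetical model).

    original:   the real LAN behind this firewall (the page's Original subnet)
    translated: the NAT network the remote side sees (the page's Local subnet)
    """

    def __init__(self, name, original, translated):
        self.name = name
        self.original = ipaddress.ip_network(original)
        self.translated = ipaddress.ip_network(translated)
        # n:n NAT keeps the host bits, so both subnets must be the same size
        if self.original.prefixlen != self.translated.prefixlen:
            raise ValueError(f"{name}: original and translated subnets must be the same size")

    @staticmethod
    def _map(addr, src_net, dst_net):
        """Move addr from src_net to dst_net, preserving the host part."""
        addr = ipaddress.ip_address(addr)
        if addr not in src_net:
            raise ValueError(f"{addr} is not in {src_net}")
        return dst_net.network_address + (int(addr) - int(src_net.network_address))

    def to_tunnel(self, src, dst):
        """Outbound: source NAT from the original LAN to the translated LAN."""
        return self._map(src, self.original, self.translated), ipaddress.ip_address(dst)

    def from_tunnel(self, src, dst):
        """Inbound: destination NAT from the translated LAN back to the original LAN."""
        return ipaddress.ip_address(src), self._map(dst, self.translated, self.original)


def trace_ping(sender, receiver, src, dst):
    """Return (src, dst) as seen on the sender LAN, inside the tunnel, and on the receiver LAN."""
    s1, d1 = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if d1 in sender.original:
        # Same subnet as the sender: delivered locally, never reaches the tunnel
        raise ValueError(f"{d1} is on {sender.name}'s own LAN; use the remote NAT address")
    s2, d2 = sender.to_tunnel(s1, d1)
    # The IPsec selectors only match the translated networks on both sides
    if s2 not in sender.translated or d2 not in receiver.translated:
        raise ValueError(f"{s2} -> {d2} does not match the tunnel selectors")
    s3, d3 = receiver.from_tunnel(s2, d2)
    return [(str(s1), str(d1)), (str(s2), str(d2)), (str(s3), str(d3))]


HO = NatSite("head office", "192.168.2.0/24", "192.168.1.0/24")
BO = NatSite("branch office", "192.168.2.0/24", "192.168.3.0/24")

if __name__ == "__main__":
    for hop in trace_ping(BO, HO, "192.168.2.2", "192.168.1.2"):  # the branch office ping
        print(hop)
```

Running the script prints the three views of the branch office ping; swapping the arguments (HO, BO, "192.168.2.2", "192.168.3.2") traces the head office ping the same way.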

Additional information

In a head and branch office configuration, the branch office firewall usually acts as the tunnel initiator and the head office firewall as the responder, for the following reasons:

  • When the branch office device is configured with a dynamic IP address, the head office device can't initiate the connection.
  • As the number of branch offices varies, we recommend that each branch office retries the connection rather than the head office retrying all connections to the branch offices.