NAT with policy-based IPsec when local and remote subnets are the same
You want to configure NAT over IPsec VPN to differentiate the local and remote subnets when they overlap.
Do as follows:
-
Configure Sophos Firewall 1:
- Add the IP hosts.
- Add an IPsec connection.
- Add inbound and outbound firewall rules.
-
Configure Sophos Firewall 2.
- Add the IP hosts.
- Add an IPsec connection.
- Add inbound and outbound firewall rules.
-
Establish the IPsec connection.
- Confirm the traffic flow.
All configuration details are examples based on the network in the following diagram:
Sophos Firewall 1
Configure the following:
Configure IP hosts
Configure the first Sophos Firewall device to NAT traffic over the site to site connection. The following are example settings:
-
Go to Hosts and services > IP host, select Add, and create the local LAN.
Here's an example:
-
Go to Hosts and services > IP host, select Add, and create the local NATed LAN.
Here's an example:
-
Go to Hosts and services > IP host, select Add, and create the remote NATed LAN.
Here's an example:
Note
You must use the same subnet mask for the local LAN and NAT networks.
Configure an IPsec connection
The following are example settings:
- Go to Site-to-site VPN > IPsec.
- Under IPsec connections, click Add.
- Enter a name.
- Make sure Connection type is set to Site-to-site.
-
Make sure Gateway type is set to Respond only.
Here's an example:
-
Under Encryption, set Profile to DefaultHeadOffice.
- For Authentication type, select Preshared key.
- Enter a preshared key.
-
Confirm the preshared key.
Here's an example:
-
For Listening interface, select Port2.
- For Gateway address, enter
172.20.120.15
. - For Local subnet, select
Local_NATed_LAN
. - For Remote subnet, select
Remote_NATed_LAN
. - Select Network address translation (NAT).
- For Original subnet, select
SF1_LAN
. -
Click Save.
Here's an example:
-
Click the status button to activate the connection.
Configure firewall rules
The following are example settings:
- Go to Rules and policies > Firewall rules and click Add firewall rule.
-
Create two rules as follows:
Note
Make sure that VPN firewall rules are at the top of the firewall rule list.
Sophos Firewall 2
Configure the following:
Configure IP hosts
Configure the second Sophos Firewall to NAT traffic over the site-to-site connection. The following are example settings:
-
Go to Hosts and services > IP host and select Add and create the local LAN.
-
Go to Hosts and services > IP host and select Add and create the local NATed LAN.
-
Go to Hosts and services > IP host and select Add and create the remote NATed LAN.
Note
You must use the same subnet mask for the local LAN and NAT networks.
Configure an IPsec connection
The following are example settings:
- Go to Site-to-site VPN > IPsec and select Add.
- Enter a name.
- Make sure Connection type is set to Site-to-site.
-
Make sure Gateway type is set to Initiate the connection.
Here's an example:
-
Under Encryption, set Profile to DefaultBranchOffice.
- For Authentication type, select Preshared key.
-
Enter a preshared key and enter it again.
Here's an example:
-
For Listening interface, select Port3.
- For Gateway address, enter
172.20.120.10
. - For Local subnet, select
Local_NATed_LAN
. - For Remote subnet, select
Remote_NATed_LAN
. - Select Network address translation (NAT).
- For Original subnet, select
SF2_LAN
. -
Click Save.
Here's an example:
-
Click the status button to activate the connection.
Configure firewall rules
The following are example settings:
- Go to Rules and policies > Firewall rules and click Add firewall rule.
-
Create two rules as follows:
Note
Make sure that VPN firewall rules are at the top of the firewall rule list.
Establish the IPsec connection
Once both Sophos Firewall devices at the head and branch offices are configured, you must establish the IPsec connection.
- Go to Site-to-site VPN > IPsec.
-
Click the status button to activate the connection.
The connection indicator turns green when the connection is established.
Confirm traffic flow
- Generate some traffic that goes across the VPN connection.
- Go to Rules and policies > Firewall rules.
-
Confirm the firewall rules created earlier are allowing traffic flow in both directions.
-
Go to Reports > VPN and confirm IPsec usage.
-
Click the connection name to show further details.
Additional information
In a head and branch office configuration, the Sophos Firewall at the branch office usually acts as the tunnel initiator and the Sophos Firewall at the head office as a responder due to the following reasons:
- When the branch office device is configured with a dynamic IP address, the head office device can't initiate the connection.
- As the branch offices number vary, we recommend that each branch office retry the connection instead of the head office retrying all connections to branch offices.
The example scenario in this guide shows 1:1 NAT. Depending on the network requirements, you can configure 1:n NAT (SNAT) or full NAT.