Skip to content

Page permalink

Always use the following permalink when referencing this page. It will remain unchanged in future help versions.

https://docs.sophos.com/nsg/sophos-firewall/22.0/Help/en-us/webhelp/onlinehelp/index.html?contextId=site-to-site-VPN-NAT-IPsec-same-subnets

NAT with policy-based IPsec when local and remote subnets are the same

Configure Network Address Translation (NAT) with policy-based IPsec VPN when the subnets are the same in the local and remote firewalls.

You can use 1:1 (host-to-host), 1:n (host-to-subnet), or n:n (subnet-to-subnet) NAT. To configure n:n NAT, the original and translated subnets must be of the same size.

The example scenario shows n:n NAT with a /24 subnet.

Key steps

The key steps are as follows:

  1. Configure the head office firewall:

    1. Add the IP hosts.
    2. Add an IPsec connection.
    3. Check the firewall rules.

  2. Configure the branch office firewall:

    1. Add the IP hosts.
    2. Add an IPsec connection.
    3. Check the firewall rules.

  3. Establish the IPsec connection.

  4. Confirm the traffic flow.

All configuration details are examples based on the network in the following diagram:

Site-to-site IPsec NAT network diagram.

Head office firewall

Configure the following:

Configure IP hosts

Configure the head office firewall device to NAT traffic over the site to site connection. The following are example settings:

  1. Go to Hosts and services > IP host, select Add, and create the local LAN.

    Here's an example:

    Local LAN IP host configuration on firewall one.

  2. Go to Hosts and services > IP host, select Add, and create the local NATed LAN.

    Here's an example:

    Local translated LAN IP host configuration on firewall one.

  3. Go to Hosts and services > IP host, select Add, and create the remote NATed LAN.

    Here's an example:

    Remote translated LAN IP host configuration on firewall one.

Note

You must use the same subnet mask for the local LAN and NAT networks.

Configure an IPsec connection

The following are example settings:

  1. Go to Site-to-site VPN > IPsec.
  2. Under IPsec connections, click Add.
  3. Enter a name.
  4. Make sure Connection type is set to Policy-based.
  5. Make sure Gateway type is set to Respond only.

  6. Make sure Activate on save and Create firewall rule are selected.

    Here's an example:

    IPsec configuration on firewall one.

  7. Under Encryption, set Profile to Head office (IKEv2).

  8. For Authentication type, select Preshared key.
  9. Enter a preshared key.

  10. Confirm the preshared key.

    Here's an example:

    Encryption settings on firewall one.

  11. For Listening interface, select Port2.

  12. For Gateway address, enter 172.20.120.15.
  13. For Local subnet, select NAT_LAN_HO_192.168.1.0.
  14. For Remote subnet, select NAT_LAN_BO_192.168.3.0.
  15. Select Network address translation (NAT).
  16. For Original subnet, select HO_LAN_192.168.2.0.

  17. Click Save.

    Here's an example:

    Gateway, subnet, and NAT settings in HO.

The connection shows as active.

Active IPsec connection on firewall one.

Check the firewall rules

When you save the IPsec connection, the firewall automatically creates inbound and outbound firewall rules. They allow traffic between the head and branch offices.

To see the firewall rules, go to Rules and policies > Firewall rules and click the Automatic VPN rules rule group. You'll see two firewall rules named Incoming HO_to_BO and Outgoing HO_to_BO.

Make sure that VPN firewall rules are at the top of the firewall rule list.

HO to BO automatic firewall rule.

Note

If you already have a firewall rule to allow inbound VPN traffic, you can add the remote subnet to its Source networks and devices and the local subnet to Destination networks. You don't need to create an independent firewall rule for each IPsec connection.

Branch office firewall

Configure the following:

Configure IP hosts

Configure the second Sophos Firewall to NAT traffic over the site-to-site connection. The following are example settings:

  1. Go to Hosts and services > IP host and select Add and create the local LAN.

    Local LAN IP host configuration on firewall two.

  2. Go to Hosts and services > IP host and select Add and create the local NATed LAN.

    Local translated LAN IP host configuration on firewall two.

  3. Go to Hosts and services > IP host and select Add and create the remote NATed LAN.

    Remote translated LAN IP host configuration on firewall two.

Note

You must use the same subnet mask for the local LAN and NAT networks.

Configure an IPsec connection

The following are example settings:

  1. Go to Site-to-site VPN > IPsec and select Add.
  2. Enter a name.
  3. Make sure Connection type is set to Policy-based.
  4. Make sure Gateway type is set to Initiate the connection.

  5. Make sure Activate on save and Create firewall rule are selected.

    Here's an example:

    IPsec configuration on firewall one.

  6. Under Encryption, set Profile to Branch office (IKEv2).

  7. For Authentication type, select Preshared key.

  8. Enter a preshared key and enter it again.

    Here's an example:

    Encryption settings on firewall one.

  9. For Listening interface, select Port3.

  10. For Gateway address, enter 172.20.120.10.
  11. For Local subnet, select NAT_LAN_BO_192.168.3.0.
  12. For Remote subnet, select NAT_LAN_HO_192.168.1.0.
  13. Select Network address translation (NAT).
  14. For Original subnet, select BO_LAN_192.168.2.0.

  15. Click Save.

    Here's an example:

    Encryption settings on firewall one.

The connection shows as active.

Active IPsec connection on firewall two.

Check the firewall rules

When you save the IPsec connection, the firewall automatically creates inbound and outbound firewall rules. They allow traffic between the head and branch offices.

To see the firewall rules, go to Rules and policies > Firewall rules and click the Automatic VPN rules rule group. You'll see two firewall rules named Incoming BO_To_HO and Outgoing BO_To_HO.

Make sure that VPN firewall rules are at the top of the firewall rule list.

BO to HO automatic firewall rule.

Note

If you already have a firewall rule to allow outbound VPN traffic, you can add the local subnet to its Source networks and devices and the remote subnet to Destination networks.

Establish the IPsec connection

Once both Sophos Firewall devices at the head and branch offices are configured, you must establish the IPsec connection.

  1. Go to Site-to-site VPN > IPsec.

  2. Under Connection, click the status button Button to activate connection. to establish the connection.

    Establish IPsec connection.

    The connection indicator turns green when the connection is established.

    IPsec connection established.

Confirm traffic flow

  1. Generate some traffic that goes across the VPN connection.
  2. Go to Rules and policies > Firewall rules.

  3. Confirm the firewall rules created earlier are allowing traffic flow in both directions.

    Confirm firewall rules are allowing traffic.

  4. Go to Reports > VPN and confirm IPsec usage.

    IPsec report traffic.

  5. Click the connection name to show further details.

    IPsec report connection details.

Check tunnel's connectivity

To make sure the traffic has end-to-end connectivity, send a ping from branch and head office endpoints to the NAT addresses you've used in the remote firewall. Do as follows:

  1. On the branch office endpoint, open the Windows command prompt.
  2. Run the following command: ping 192.168.1.2.
  3. On the head office endpoint, open the Windows command prompt.
  4. Run the following command: ping 192.168.3.2.

Additional information

In a head and branch office configuration, the branch office firewall usually acts as the tunnel initiator and the head office firewall as a responder due to the following reasons:

  • When the branch office device is configured with a dynamic IP address, the head office device can't initiate the connection.
  • As the branch offices number varies, we recommend that each branch office retry the connection instead of the head office retrying all connections to branch offices.