Skip to content

NAT with policy-based IPsec when local and remote subnets are the same

You want to configure NAT over IPsec VPN to differentiate the local and remote subnets when they overlap.

Do as follows:

  • Configure Sophos Firewall 1:

    • Add the IP hosts.
    • Add an IPsec connection.
    • Add inbound and outbound firewall rules.
  • Configure Sophos Firewall 2.

    • Add the IP hosts.
    • Add an IPsec connection.
    • Add inbound and outbound firewall rules.
  • Establish the IPsec connection.

  • Confirm the traffic flow.

All configuration details are examples based on the network in the following diagram:

Site-to-site IPsec NAT network diagram.

Sophos Firewall 1

Configure the following:

Configure IP hosts

Configure the first Sophos Firewall device to NAT traffic over the site to site connection. The following are example settings:

  1. Go to Hosts and services > IP host, select Add, and create the local LAN.

    Here's an example:

    Local LAN IP host configuration on firewall one.

  2. Go to Hosts and services > IP host, select Add, and create the local NATed LAN.

    Here's an example:

    Local translated LAN IP host configuration on firewall one.

  3. Go to Hosts and services > IP host, select Add, and create the remote NATed LAN.

    Here's an example:

    Remote translated LAN IP host configuration on firewall one.

Note

You must use the same subnet mask for the local LAN and NAT networks.

Configure an IPsec connection

The following are example settings:

  1. Go to Site-to-site VPN > IPsec.
  2. Under IPsec connections, click Add.
  3. Enter a name.
  4. Make sure Connection type is set to Site-to-site.
  5. Make sure Gateway type is set to Respond only.

    Here's an example:

    IPsec configuration on firewall one.

  6. Under Encryption, set Profile to DefaultHeadOffice.

  7. For Authentication type, select Preshared key.
  8. Enter a preshared key.
  9. Confirm the preshared key.

    Here's an example:

    Encryption settings on firewall one.

  10. For Listening interface, select Port2.

  11. For Gateway address, enter 172.20.120.15.
  12. For Local subnet, select Local_NATed_LAN.
  13. For Remote subnet, select Remote_NATed_LAN.
  14. Select Network address translation (NAT).
  15. For Original subnet, select SF1_LAN.
  16. Click Save.

    Here's an example:

    Encryption settings on firewall one.

  17. Click the status button Button to activate the connection. to activate the connection.

    Activate IPsec connection on firewall one.

Configure firewall rules

The following are example settings:

  1. Go to Rules and policies > Firewall rules and click Add firewall rule.
  2. Create two rules as follows:

    1. One rule to allow inbound traffic.

      Inbound firewall rule on firewall one.

    2. One rule to allow outbound traffic.

      Outbound firewall rule on firewall one.

    Note

    Make sure that VPN firewall rules are at the top of the firewall rule list.

Sophos Firewall 2

Configure the following:

Configure IP hosts

Configure the second Sophos Firewall to NAT traffic over the site-to-site connection. The following are example settings:

  1. Go to Hosts and services > IP host and select Add and create the local LAN.

    Local LAN IP host configuration on firewall two.

  2. Go to Hosts and services > IP host and select Add and create the local NATed LAN.

    Local translated LAN IP host configuration on firewall two.

  3. Go to Hosts and services > IP host and select Add and create the remote NATed LAN.

    Remote translated LAN IP host configuration on firewall two.

Note

You must use the same subnet mask for the local LAN and NAT networks.

Configure an IPsec connection

The following are example settings:

  1. Go to Site-to-site VPN > IPsec and select Add.
  2. Enter a name.
  3. Make sure Connection type is set to Site-to-site.
  4. Make sure Gateway type is set to Initiate the connection.

    Here's an example:

    IPsec configuration on firewall one.

  5. Under Encryption, set Profile to DefaultBranchOffice.

  6. For Authentication type, select Preshared key.
  7. Enter a preshared key and enter it again.

    Here's an example:

    Encryption settings on firewall one.

  8. For Listening interface, select Port3.

  9. For Gateway address, enter 172.20.120.10.
  10. For Local subnet, select Local_NATed_LAN.
  11. For Remote subnet, select Remote_NATed_LAN.
  12. Select Network address translation (NAT).
  13. For Original subnet, select SF2_LAN.
  14. Click Save.

    Here's an example:

    Encryption settings on firewall one.

  15. Click the status button Button to activate the connection. to activate the connection.

    Activate IPsec connection on firewall one.

Configure firewall rules

The following are example settings:

  1. Go to Rules and policies > Firewall rules and click Add firewall rule.
  2. Create two rules as follows:

    1. One rule to allow inbound traffic.

      Inbound firewall rule on firewall two.

    2. One rule to allow outbound traffic.

      Outbound firewall rule on firewall two.

    Note

    Make sure that VPN firewall rules are at the top of the firewall rule list.

Establish the IPsec connection

Once both Sophos Firewall devices at the head and branch offices are configured, you must establish the IPsec connection.

  1. Go to Site-to-site VPN > IPsec.
  2. Click the status button Button to activate connection. to activate the connection.

    Active IPsec connection.

    The connection indicator turns green when the connection is established.

    IPsec connection established.

Confirm traffic flow

  1. Generate some traffic that goes across the VPN connection.
  2. Go to Rules and policies > Firewall rules.
  3. Confirm the firewall rules created earlier are allowing traffic flow in both directions.

    Confirm firewall rules are allowing traffic.

  4. Go to Reports > VPN and confirm IPsec usage.

    IPsec report traffic.

  5. Click the connection name to show further details.

    IPsec report connection details.

Additional information

In a head and branch office configuration, the Sophos Firewall at the branch office usually acts as the tunnel initiator and the Sophos Firewall at the head office as a responder due to the following reasons:

  • When the branch office device is configured with a dynamic IP address, the head office device can't initiate the connection.
  • As the branch offices number vary, we recommend that each branch office retry the connection instead of the head office retrying all connections to branch offices.

The example scenario in this guide shows 1:1 NAT. Depending on the network requirements, you can configure 1:n NAT (SNAT) or full NAT.