Skip to content

Page permalink

Always use the following permalink when referencing this page. It will remain unchanged in future help versions.

https://docs.sophos.com/nsg/sophos-firewall/19.0/Help/en-us/webhelp/onlinehelp/index.html?contextId=s2s-ipsec-route-nat-client-initiates

Send remote network's traffic through existing IPsec tunnel to specific hosts

You can send traffic from remote subnets through the IPsec tunnel to specific hosts in the local network.

This example uses a virtual IP address to keep the IP addresses of the local hosts private. You must use NAT rules to translate the virtual IP address in the incoming traffic to the local hosts' IP addresses.

Overview

The article is based on the following example settings:

  • An IPsec connection exists between Sophos Firewall 1 and 2.

  • You want to send traffic from the remote subnet (192.168.3.0) to the local hosts (172.16.16.2 and 172.16.16.3) through a virtual IP address (10.10.10.1) behind Sophos Firewall 1.

    For example, you want users to connect securely to an application server, such as a SAP server, that is, the local host.

Network diagram

Site-to-site IPsec NAT network diagram.

Add IPsec connection and firewall rules

The settings relevant to this article are as follows:

In Sophos Firewall 1

Route-based IPsec connection

See the following example route-based VPN connection:

  1. Set Connection type to Tunnel interface.
  2. Set Gateway type to Respond only.
  3. Set Local subnet to Any.
  4. Set Remote subnets to Any.

Assign an IP address to the XFRM interface

  1. Go to Network > Interfaces.
  2. Click the vertical blue bar next to the physical interface you specified as Listening interface in the IPsec configuration.
  3. Click the XFRM interface (example: xfrm1).
  4. Enter an IP address for the interface.
  5. Click Save.

Inbound firewall rule

See the following example inbound firewall rule:

  1. Set Source zone to VPN.
  2. Set Destination zone to Any.
  3. Set Source networks and devices to 192.168.3.0.

  4. Set Destination networks and devices to the following:

    • 192.168.2.0
    • 10.10.10.1

Destination NAT rule settings.

In Sophos Firewall 2

Route-based IPsec connection

See the following example route-based VPN connection:

  1. Set Connection type to Tunnel interface.
  2. Set Gateway type to Initiate the connection
  3. Set Local subnet to Any.
  4. Set Remote subnets to Any.

Assign an IP address to the XFRM interface

  1. Go to Network > Interfaces.
  2. Click the vertical blue bar next to the physical interface you specified as Listening interface in the IPsec configuration.
  3. Click the XFRM interface (example: xfrm2).
  4. Enter an IP address for the interface.
  5. Click Save.

Outbound firewall rule

See the following example outbound firewall rule:

  1. Set Source zone to LAN.
  2. Set Destination zone to VPN.
  3. Set Source networks and devices to 192.168.3.0.

  4. Set Destination networks and devices to the following:

    • 192.168.2.0
    • 10.10.10.1

Destination NAT rule settings.

Add routes

You can configure static, SD-WAN, and dynamic routes. This example uses SD-WAN routes.

In Sophos Firewall 1

  1. Go to Routing > SD-WAN routes.
  2. Select IPv4 and click Add.
  3. Enter a name.

  4. Set Source networks to the following:

    • 192.168.2.0
    • 10.10.10.1

  5. Set Destination networks to 192.168.3.0.

Destination NAT rule settings.

  1. (Optional) Select a service, the application objects, and users and groups.
  2. Under Link selection settings, select Primary and backup gateways.
  3. Click the drop-down list for Primary gateway, click Add, and configure a gateway for the XFRM interface (example: xfrm1_gw1).

  4. (Optional) Select Route only through specified gateways.

    The firewall then drops the traffic if the tunnel isn't available.

  5. Click Save.

To allow ping requests for checking connectivity, go to Administration > Device access, and select VPN under Ping/Ping6.

In Sophos Firewall 2

You must route traffic from the remote subnet to the virtual IP address behind Sophos Firewall 1 through the IPsec tunnel.

In this example, we add an SD-WAN route.

  1. Go to Routing > SD-WAN routes.
  2. Select IPv4 and click Add.
  3. Enter a name.
  4. Set Source networks to 192.168.3.0.

  5. Set Destination networks to the following:

    • 192.168.2.0
    • 10.10.10.1

Destination NAT rule settings.

  1. (Optional) Select a service, the application objects, and users and groups.
  2. Select Primary and backup gateways.
  3. Click the drop-down list for Primary gateway, click Add, and configure a gateway for the XFRM interface (example: xfrm2_gw1).
  4. Select Route only through specified gateways.
  5. Click Save.

To allow ping requests for checking connectivity, go to Administration > Device access, and select VPN under Ping/Ping6.

Add a DNAT rule in Sophos Firewall 1

Add a DNAT (destination NAT) rule for incoming traffic to translate the virtual IP address (original destination) to the server's IP address (translated destination).

  1. Go to Rules and policies > NAT rules.
  2. Click Add NAT rule and click New NAT rule.
  3. Enter the rule name.
  4. Set Original source to the remote subnet (192.168.3.0).
  5. Set Translated source to Original.
  6. Set Original destination to the virtual IP address (10.10.10.1).

  7. Set Translated destination to the local server list object (172.16.16.2 and 172.16.16.3).

    Destination NAT rule settings.

  8. Set Load balancing method to Round-robin.

  9. Click Save.

More resources