Site to Site VPN and Routing for the vpn destinations

I have an MPLS link over which I am trying to build a Site-to-Site VPN.

The IP of my MPLS interface is 172.16.10.1 (this interface's zone is MPLS).

I have an internal IP range in 192.168.10.0/24.

I have to NAT 192.168.10.0 behind the 172.16.30.1/32 IP.

I have done the following configuration on the firewall:

1. Enabled ISAKMP Server from the MPLS zone to MPLS, from Any to Any

2. Created a new virtual zone called VPN

3. Configured the VPN under VPN Definition and selected the zone as VPN

   My gateway is 172.16.10.1; the peer gateway is 172.16.10.2

4. Created the policy from Internal to the VPN zone permitting traffic from 192.168.10.0/24 to the destination range 10.10.1.0/24

   In the policy, selected the NAT IP as 172.16.30.1/32

However, I do not see any activity related to tunnel initiation in the firewall.

I would like to confirm whether the steps are correct, especially the zone configuration.

Also, do I have to add routing for 10.10.1.0/24? If yes, what next-hop IP should I give?

Can someone help me?

4 Replies
Message 2 of 5

Re: Site to Site VPN and Routing for the vpn destinations

Please call into Support so we can do troubleshooting to determine what the issue is here.

Message 3 of 5

Re: Site to Site VPN and Routing for the vpn destinations

The one thing I noticed is that you MUST add 172.16.30.1/32 to the Local Network of your VPN definition. You need to add your 'real' address range and the 'fake' one you are NATing to. The 'fake' network must reside on the other side of the tunnel also (since you will appear to be coming from this 30.1 address).

As you have it set up right now, only this one IP can go through the tunnel (the 172.16.30.1 IP). Later on you could add a Netmap object to NAT the 172.16.30.0/24 subnet to your 192.168.10.0/24 network.


Re: Site to Site VPN and Routing for the vpn destinations

I will add it.

But even if I don't add it, I should receive some logs, right? I am not receiving anything.

I am not NATing in the Netmap; the NAT segment was provided by my peer and is a /27 segment, and my internal segment is a /24. To add NAT in Netmap, the subnet mask should be the same.

I would also like to know if I have to add any routing for the destination. Please let me know.
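The two configuration points raised in the replies above (the NAT address or range has to appear in the VPN definition's Local Network list and be known to the peer as our network, and a 1:1 Netmap only works when both prefixes have the same length) can be written down as checks. The script below is an added example, not code from this thread or from the firewall product; the dictionary field names, the `peer_lists_as_remote` field and the sample definitions are assumptions modelled on the thread's addressing.

```python
"""Sanity checks for a NATed IPsec site-to-site VPN definition.

Added example, not from the original thread or the firewall product.
Field names and sample values are assumptions modelled on the thread.
"""
import ipaddress

# Constructed to match the original post: real range, a single NAT address,
# and the NAT address not yet listed as a local network of the VPN.
ORIGINAL_DEFINITION = {
    "local_networks": ["192.168.10.0/24"],       # Local Network list of the VPN definition
    "real_network": "192.168.10.0/24",           # internal range being NATed
    "nat_network": "172.16.30.1/32",             # the 'fake' address we appear from
    "remote_networks": ["10.10.1.0/24"],         # peer's network behind the tunnel
    "peer_lists_as_remote": ["172.16.30.1/32"],  # assumed: what the peer configured for our side
}

# Constructed: the later suggestion of a 1:1 Netmap of the whole /24.
NETMAP_DEFINITION = {
    "local_networks": ["192.168.10.0/24", "172.16.30.0/24"],
    "real_network": "192.168.10.0/24",
    "nat_network": "172.16.30.0/24",
    "remote_networks": ["10.10.1.0/24"],
    "peer_lists_as_remote": ["172.16.30.0/24"],
}


def _nets(items):
    return [ipaddress.ip_network(n, strict=False) for n in items]


def _covered(net, candidates):
    """True if net lies inside any candidate network of the same IP version."""
    return any(net.subnet_of(c) for c in candidates if c.version == net.version)


def vpn_definition_problems(definition):
    """Return human-readable problems with a NATed VPN definition.

    An empty list means the definition passes these checks: the tunnel's
    local selectors include both the real and the NAT range, the peer lists
    the NAT range as our network, and the NAT range has the same prefix
    length as the real range (the precondition for a 1:1 Netmap).
    """
    problems = []
    local = _nets(definition["local_networks"])
    real = ipaddress.ip_network(definition["real_network"], strict=False)
    nat = ipaddress.ip_network(definition["nat_network"], strict=False)
    peer_side = _nets(definition["peer_lists_as_remote"])

    if not _covered(real, local):
        problems.append(f"local networks do not include the real range {real}")
    if not _covered(nat, local):
        problems.append(f"local networks do not include the NAT range {nat}")
    # Decrypted packets reach the peer with a source address in nat, so the
    # peer must treat that range as ours or it will drop or misroute them.
    if not _covered(nat, peer_side):
        problems.append(f"peer does not list the NAT range {nat} for our side")
    if nat.prefixlen != real.prefixlen:
        problems.append(
            f"{nat} and {real} have different masks: hosts hide behind {nat} "
            "many-to-one, and a 1:1 Netmap needs equal prefix lengths"
        )
    return problems


def netmap_translate(addr, real_net, nat_net):
    """Static 1:1 subnet NAT (Netmap): keep the host bits of addr and swap
    the network bits for nat_net's. Undefined when the prefix lengths differ,
    which is why a /24 cannot be Netmapped onto a peer-supplied /27."""
    real_net = ipaddress.ip_network(real_net, strict=False)
    nat_net = ipaddress.ip_network(nat_net, strict=False)
    addr = ipaddress.ip_address(addr)
    if real_net.prefixlen != nat_net.prefixlen:
        raise ValueError(f"Netmap needs equal masks: {real_net} vs {nat_net}")
    if addr not in real_net:
        raise ValueError(f"{addr} is not in {real_net}")
    host_bits = int(addr) & int(real_net.hostmask)
    return ipaddress.ip_address(int(nat_net.network_address) | host_bits)


if __name__ == "__main__":
    for name, definition in (("original", ORIGINAL_DEFINITION), ("netmap", NETMAP_DEFINITION)):
        print(name, vpn_definition_problems(definition) or ["ok"])
    print(netmap_translate("192.168.10.77", "192.168.10.0/24", "172.16.30.0/24"))
    try:
        netmap_translate("192.168.10.77", "192.168.10.0/24", "172.16.30.0/27")
    except ValueError as exc:
        print("rejected:", exc)
```

Run as-is, the original definition reports two findings (the missing 172.16.30.1/32 local entry and the /32-versus-/24 mask mismatch), the Netmap definition reports none, and the /27 Netmap attempt is rejected before any address is translated.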

Message 5 of 5

Re: Site to Site VPN and Routing for the vpn destinations

Perhaps the traffic is not hitting the firewall.  Do not test with ping; test with telnet.

You do not have to add any routing.

You should call into Support if you need to do troubleshooting with audits and tcpdumps.
