I have an MPLS link over which I am trying to build a site-to-site VPN.
The IP of my MPLS interface is 172.16.10.1 (this interface's zone is MPLS).
I have an internal IP range of 192.168.10.0/24.
I have to NAT 192.168.10.0 behind the 172.16.30.1/32 IP.
I have done the following configuration on the firewall:
1. Enabled ISAKMP Server from the MPLS zone to MPLS, from Any to Any.
2. Created a new virtual zone called VPN.
3. Configured the VPN under VPN Definition and selected the zone as VPN.
My gateway is 172.16.10.1; the peer gateway is 172.16.10.2.
4. Created the policy from the Internal zone to the VPN zone permitting traffic from 192.168.10.0/24 to the destination range 10.10.1.0/24.
In the policy, I selected the NAT IP as 172.16.30.1/32.
However, I do not see any activity related to tunnel initiation in the firewall.
I would like to confirm whether the steps are correct, especially the zone configuration.
Also, do I have to add routing for 10.10.1.0/24? If yes, what next hop IP should I give?
Can someone help me?
The one thing I noticed is you MUST add 172.16.30.1/32 to the Local Network of your VPN definition. You need to add your 'real' address range and the 'fake' one you are NATing to. The 'fake' network must reside on the other side of the tunnel also (since you will appear to be coming from this 30.1 address).
As you have it set up right now only this one IP can go through the tunnel (the 172.16.30.1 IP). Later on you could add a Netmap object to NAT the 172.16.30.0/24 subnet to your 192.168.10.0/24 network.
I will add it.
But even if I don't add it, I should receive some logs, right? I am not receiving anything.
I am not NATing in the Netmap; the NAT segment was provided by my peer and is a /27 segment, and my internal segment is a /24.
To add NAT in Netmap, the subnet mask should be the same.
And I would like to know if I have to add any routing for the destination. Please let me know.
Perhaps the traffic is not hitting the firewall. Do not test with ping; test with telnet.
You do not have to add any routing.
You should call into Support if you need to do troubleshooting with audits and tcpdumps.