2 Replies Latest reply: Dec 11, 2012 2:19 PM by rajeevanr

    VPN with Nat rule

    rajeevanr

      Hi,

      We use Sidewinder 7.0.103.

      I had to establish a VPN tunnel to one of our partners.

      They wanted us to use NATed IP addresses.

      My internal network is 10.0.100.0/24 ----------- remote network is xx.xx.xx.xx

      I have to use 192.168.252.64/29 as the internal range (NAT) while communicating with the remote (192.168.252.56/29).

      So the VPN is between 192.168.252.64/29 and 192.168.252.56/29.

      I also included 10.0.100.0/24 in the local network part of the VPN configuration page.

      I use virtual burbs to terminate the VPN connections.

      In the rule base I added one rule as follows:

      permit --> service (http/http/icmp) from burb (internal) source (10.0.100.248) nat 192.168.252.65 ---> to ---> burb (virtual) destination (192.168.242.56/29) no redirections

      This rule looks good to me to permit my host to access the other end.

      Now they want us to permit their host to reach our host.

      How will I choose the source and destination burbs and NAT?

      Please help.

      Thanks in advance!

      Rajeev

        • 1. Re: VPN with Nat rule
          sliedl

          Now you need to make a rule where the Source and Destination burbs are both the virtual burb.  The destination endpoint would be 192.168.252.65 and the redirect IP would be 10.0.100.248.  That would work to get to this one IP on the inside, 10.0.100.248.

          It will not be possible to reach the entire 10.0.100.0/24 subnet from the remote end because the firewall needs to change the destination IP of all of these packets now because you're using NAT.  If traffic from the other end of the tunnel is destined for 192.168.252.65 you can now redirect this traffic (change the destination IP) to only ONE IP in the 10.0.100.0/24 range.

          To do this correctly you need to use a range of IPs that is equal in number to the range of IPs you are NATing/redirecting from/to:  10.0.100.0/24 = 192.168.252.0/24.  You then make a netmap object where the Original side is 10.0.100.0/24 and the Mapped side is 192.168.252.0/24.  You then create another entry in this same netmap where 192.168.252.0/24 is the Original side and 10.0.100.0/24 is the Mapped side.  You use this netmap as the Source Endpoint in your outgoing VPN rule and use it as the Destination Endpoint in your incoming VPN rule.

          The way you have it set up right now the entire 10.0.100.0/24 network can initiate sessions through the firewall to any IPs on the other side of the tunnel configuration.  From the other side back, though, you could only initiate sessions to six different IP addresses in the 10.0.100.0/24 network behind the firewall.  That's because the 192.168.252.64/29 range includes only six IP addresses, 65-70, and you can only redirect each of these IPs to ONE other IP via the firewall rules (using six rules).

          The only way to get this working for all IPs in 10.0.100.0/24, in both directions, is to use netmap objects and netmaps require that the two networks are equal in size.
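
          As an added illustration (not code from this thread or from the Sidewinder product), the Python below models the two points in the reply above: a static 1:1 netmap that keeps the host bits and therefore only works between equal-size networks, and the alternative of one redirect rule per usable pool address, which caps a /29 pool at six inside hosts. The function names, the sample host list and the 192.168.252.0/24 mapped network are assumptions chosen to match the discussion; the firewall performs the real translation, this script only reproduces the arithmetic so the limits are visible.

```python
# Added example, not from the thread: models the static 1:1 "netmap"
# translation and the per-host redirect limit described above.
# Function names and sample addresses are assumptions for illustration.
import ipaddress
from typing import List, Tuple


def usable_hosts(network: str) -> int:
    """Host addresses in an IPv4 network, excluding the network and
    broadcast addresses (192.168.252.64/29 yields 6: .65 through .70)."""
    net = ipaddress.ip_network(network, strict=True)
    return len(list(net.hosts()))


def netmap(address: str, original: str, mapped: str) -> str:
    """Translate one address from `original` into `mapped`, keeping the host
    bits unchanged. The same function serves both directions: swap the two
    networks to map back. It refuses networks of unequal size, which is the
    constraint a netmap object imposes (there is no 1:1 pairing otherwise)."""
    orig_net = ipaddress.ip_network(original, strict=True)
    map_net = ipaddress.ip_network(mapped, strict=True)
    if orig_net.prefixlen != map_net.prefixlen:
        raise ValueError(
            f"netmap requires equal-size networks: {original} vs {mapped}")
    addr = ipaddress.ip_address(address)
    if addr not in orig_net:
        raise ValueError(f"{address} is not inside {original}")
    host_bits = int(addr) - int(orig_net.network_address)
    return str(map_net.network_address + host_bits)


def plan_per_host_redirects(
        pool: str, inside_hosts: List[str]
) -> Tuple[List[Tuple[str, str]], List[str]]:
    """Model the alternative without a netmap: one firewall rule per usable
    pool address, each redirecting exactly one inside host. Returns the
    (pool_ip, inside_ip) rules that fit and the inside hosts left over,
    which the remote side could never reach."""
    pool_net = ipaddress.ip_network(pool, strict=True)
    pool_ips = [str(ip) for ip in pool_net.hosts()]
    rules = list(zip(pool_ips, inside_hosts))
    leftover = inside_hosts[len(rules):]
    return rules, leftover


if __name__ == "__main__":
    # Constructed sample: the thread's inside host with a /24 <-> /24 netmap.
    outbound = netmap("10.0.100.248", "10.0.100.0/24", "192.168.252.0/24")
    inbound = netmap(outbound, "192.168.252.0/24", "10.0.100.0/24")
    print(f"outbound {outbound}, inbound {inbound}")

    # A /24 cannot be netmapped onto the /29 from the original post.
    try:
        netmap("10.0.100.248", "10.0.100.0/24", "192.168.252.64/29")
    except ValueError as exc:
        print(f"rejected: {exc}")

    # Ten inside hosts against a /29 pool: only six redirect rules fit.
    rules, left = plan_per_host_redirects(
        "192.168.252.64/29", [f"10.0.100.{i}" for i in range(1, 11)])
    for pool_ip, inside_ip in rules:
        print(f"redirect {pool_ip} -> {inside_ip}")
    print(f"{len(rules)} rules fit, {len(left)} hosts unreachable: {left}")
```

          Running it shows 10.0.100.248 mapping to 192.168.252.248 and back, the /24-to-/29 pairing being rejected, and six redirect rules consuming 192.168.252.65 through .70 with four hosts left unreachable, which is the same ceiling the reply describes for per-IP redirects.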

          • 2. Re: VPN with Nat rule
            rajeevanr

            Hi,

            Thanks for the reply.

            In the actual requirement, only one host from my side will access multiple IP addresses and ports on the other side. The reverse rule is only for testing purposes, as the tunnel is not coming up.

            I wrongly mentioned that I included 10.0.100.0/24 in the local network section of the VPN page. In fact I just put the host entry there as 10.0.100.248/32 in addition to 192.168.252.64/29.

            I will create the ACL as you suggested; it is clear now.

            Apart from the ACL, did I do anything wrong?

            Many thanks