883 Views 2 Replies Latest reply: Dec 11, 2012 2:19 PM by rajeevanr
rajeevanr Newcomer 3 posts since Dec 11, 2012

Dec 11, 2012 1:32 PM

VPN with NAT rule

We use Sidewinder 7.0.103.

I had to establish a VPN tunnel to one of our partners.

They wanted us to use NATed IP addresses.

My internal network is ----------- and the remote network is xx.xx.xx.xx.

I have to use as the internal range (NAT) while communicating with the remote (

So the VPN is between and

I also included in the local network part of the VPN configuration page.

I use virtual burbs to terminate the VPN connections.

In the rule base I added one rule as follows:

permit --> service (http/http/icmp) from burb (internal) source ( nat ---> to ---> burb (virtual) destination ( no redirections

This rule looks good to me to permit my host to access the other end.

Now they want us to permit their host to access our host.

How will I choose the source and destination burbs and NAT?

Please help.

Thanks in advance!



  • sliedl McAfee SME 535 posts since Nov 3, 2009
    1. Dec 11, 2012 2:03 PM (in response to rajeevanr)
    Re: VPN with NAT rule

    Now you need to make a rule where the Source and Destination burbs are both the virtual burb. The destination endpoint would be and the redirect IP would be That would work to get to this one IP on the inside.

    It will not be possible to reach the entire subnet from the remote end, because the firewall now needs to change the destination IP of all of these packets, since you're using NAT. If traffic from the other end of the tunnel is destined for you can now redirect this traffic (change the destination IP) to only ONE IP in the range.

    To do this correctly, you need to use a range of IPs that is equal in number to the range of IPs you are NATing/redirecting from/to: = You then make a netmap object where the Original side is and the Mapped side is You then create another entry in this same netmap where is the Original side and is the Mapped side. You use this netmap as the Source Endpoint in your outgoing VPN rule and use it as the Destination Endpoint in your incoming VPN rule.

    The way you have it set up right now, the entire network can initiate sessions through the firewall to any IPs on the other side of the tunnel configuration. From the other side back, though, you could only initiate sessions to six different IP addresses in the network behind the firewall. That's because the range includes only six IP addresses, 65-70, and you can only redirect each of these IPs to ONE other IP via the firewall rules (using six rules).

    The only way to get this working for all IPs in, in both directions, is to use netmap objects, and netmaps require that the two networks are equal in size.
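The distinction the answer above draws between per-IP redirect rules and a 1:1 netmap, as an added example in Python (this is not Sidewinder configuration and not code from the post or from McAfee). The inside network 10.10.0.0/24, the NAT'd range 192.0.2.0/24 and the six-address range 192.0.2.65-70 are assumed placeholders, since the thread's own addresses did not survive extraction; `build_netmap`, `netmap_translate`, `redirect_rules` and `inbound_reachable` are names chosen for this example.

```python
"""Model of the two NAT styles in the answer above: per-IP redirect rules
versus a 1:1 netmap between equal-sized networks.

Added example, not Sidewinder configuration and not code from the post.
The addresses are constructed RFC 1918 / RFC 5737 placeholders, because the
real addresses in the thread did not survive extraction.
"""
import ipaddress


class NetmapError(ValueError):
    """A netmap was requested between networks of different sizes."""


def build_netmap(original, mapped):
    """Validate and return a 1:1 netmap as (original_net, mapped_net).

    A netmap translates a whole network host-for-host, which is only well
    defined when both sides have the same prefix length (and IP version).
    Two /24s are accepted; a /24 against a /29 is rejected.
    """
    original = ipaddress.ip_network(original, strict=True)
    mapped = ipaddress.ip_network(mapped, strict=True)
    if original.version != mapped.version or original.prefixlen != mapped.prefixlen:
        raise NetmapError(f"netmap sides must be equal in size: {original} vs {mapped}")
    return original, mapped


def netmap_translate(netmap, addr):
    """Translate addr through the netmap, inferring the direction from which
    side addr falls in.  The host offset is preserved, so an inside host and
    its NAT'd twin always differ only in the network part.
    """
    original, mapped = netmap
    addr = ipaddress.ip_address(addr)
    if addr in original:          # outbound: inside -> what the partner sees
        src, dst = original, mapped
    elif addr in mapped:          # inbound: partner's view -> inside host
        src, dst = mapped, original
    else:
        raise ValueError(f"{addr} is on neither side of netmap {original} <-> {mapped}")
    host_offset = int(addr) - int(src.network_address)
    return dst.network_address + host_offset


def ip_range(first, last):
    """Inclusive list of addresses from first to last."""
    lo, hi = int(ipaddress.ip_address(first)), int(ipaddress.ip_address(last))
    return [ipaddress.ip_address(i) for i in range(lo, hi + 1)]


def redirect_rules(nat_addrs, inside_addrs):
    """Model per-IP redirect rules (the setup the question describes).

    Each rule redirects one NAT'd destination to exactly ONE inside host, so
    the partner can only initiate sessions to len(nat_addrs) inside hosts,
    however large the inside network is.  Returns {nat_ip: inside_ip}.
    """
    return dict(zip(nat_addrs, inside_addrs))


def inbound_reachable(nat_addrs, inside_net):
    """Number of inside hosts the remote end can reach with per-IP redirects:
    capped by the NAT range, not by the inside network."""
    hosts = sum(1 for _ in ipaddress.ip_network(inside_net).hosts())
    return min(len(nat_addrs), hosts)


if __name__ == "__main__":
    # Constructed addressing (assumption): 10.10.0.0/24 is the inside
    # network, 192.0.2.0/24 the NAT'd range the partner sees.
    nm = build_netmap("10.10.0.0/24", "192.0.2.0/24")
    print(netmap_translate(nm, "10.10.0.37"))   # outbound: 192.0.2.37
    print(netmap_translate(nm, "192.0.2.37"))   # inbound:  10.10.0.37

    # The six-address case from the answer: six NAT'd IPs, one redirect
    # rule each, so only six inside hosts are reachable from the partner.
    six = ip_range("192.0.2.65", "192.0.2.70")
    rules = redirect_rules(six, ip_range("10.10.0.65", "10.10.0.70"))
    print(len(rules), inbound_reachable(six, "10.10.0.0/24"))  # 6 6

    # A netmap between a /24 and a /29 is refused: sizes must match.
    try:
        build_netmap("10.10.0.0/24", "192.0.2.64/29")
    except NetmapError as exc:
        print("rejected:", exc)
```

The point to take from running it: with the six-address range, `inbound_reachable` stays at 6 regardless of how many hosts sit behind the firewall, while the /24-to-/24 netmap translates any inside host in both directions with no per-host rules. On the firewall itself the equal-size requirement is what forces you to reserve a NAT range as large as the inside network before the netmap object can be built.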
