883 Views, 2 Replies. Latest reply: Dec 11, 2012 2:19 PM by rajeevanr

rajeevanr, Newcomer, 3 posts since Dec 11, 2012
Dec 11, 2012 1:32 PM

VPN with NAT rule

Hi,

We use Sidewinder 7.0.103.

I had to establish a VPN tunnel to one of our partners.

They wanted us to use NATed IP addresses.

My internal network is 10.0.100.0/24 ----------- remote network is xx.xx.xx.xx

I have to use 192.168.252.64/29 as the internal range (NAT) while communicating with the remote (192.168.252.56/29).

So the VPN is between 192.168.252.64/29 and 192.168.252.56/29.

I also included 10.0.100.0/24 in the local network part of the VPN configuration page.

I use virtual burbs to terminate the VPN connections.

In the rule base I added one rule as follows:

permit --> service (http/http/icmp) from burb (internal) source (10.0.100.248) NAT 192.168.252.65 ---> to ---> burb (virtual) destination (192.168.242.56/29) no redirections

This rule looks good for me to permit my host to access the other end.

Now they want us to permit their host to our host.

How will I choose the source and destination burbs and NAT?

Please help.

Thanks in advance!

Rajeev

  • sliedl, McAfee SME, 535 posts since Nov 3, 2009
    1. Dec 11, 2012 2:03 PM (in response to rajeevanr)
    Re: VPN with NAT rule

    Now you need to make a rule where the Source and Destination burbs are both the virtual burb. The destination endpoint would be 192.168.252.65 and the redirect IP would be 10.0.100.248. That would work to get to this one IP on the inside, 10.0.100.248.

    It will not be possible to reach the entire 10.0.100.0/24 subnet from the remote end because the firewall needs to change the destination IP of all of these packets now because you're using NAT. If traffic from the other end of the tunnel is destined for 192.168.252.65 you can now redirect this traffic (change the destination IP) to only ONE IP in the 10.0.100.0/24 range.

    To do this correctly you need to use a range of IPs that is equal in number to the range of IPs you are NATing/redirecting from/to: 10.0.100.0/24 = 192.168.252.0/24. You then make a netmap object where the Original side is 10.0.100.0/24 and the Mapped side is 192.168.252.0/24. You then create another entry in this same netmap where 192.168.252.0/24 is the Original side and 10.0.100.0/24 is the Mapped side. You use this netmap as the Source Endpoint in your outgoing VPN rule and use it as the Destination Endpoint in your incoming VPN rule.

    The way you have it set up right now the entire 10.0.100.0/24 network can initiate sessions through the firewall to any IPs on the other side of the tunnel configuration. From the other side back, though, you could only initiate sessions to six different IP addresses in the 10.0.100.0/24 network behind the firewall. That's because the 192.168.252.64/29 range includes only six IP addresses, 65-70, and you can only redirect each of these IPs to ONE other IP via the firewall rules (using six rules).

    The only way to get this working for all IPs in 10.0.100.0/24, in both directions, is to use netmap objects and netmaps require that the two networks are equal in size.
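To make the size argument in the reply concrete, here is an added Python illustration. It is not Sidewinder configuration and not code from the poster or from McAfee; it models what a 1:1 netmap does using Python's ipaddress module: every inside address is translated to the mapped address with the same host offset (that offset-preserving behaviour is the assumption behind the model), the netmap gets one entry per direction, and the host count shows why 192.168.252.64/29 can stand in for only six inside hosts while 10.0.100.0/24 holds 254. The function names are my own; the network values come from the thread.

```python
# Added illustration (not Sidewinder code): a model of the 1:1 "netmap"
# translation described in the reply, built on Python's ipaddress module.
import ipaddress
from typing import List, Tuple


def netmap_sizes_match(original: str, mapped: str) -> bool:
    """A 1:1 netmap needs two networks of identical size (same prefix length)."""
    orig = ipaddress.ip_network(original, strict=False)
    mapp = ipaddress.ip_network(mapped, strict=False)
    return orig.prefixlen == mapp.prefixlen


def netmap_translate(addr: str, original: str, mapped: str) -> str:
    """Translate one address from `original` to `mapped`, keeping its host offset.

    Assumption: a 1:1 netmap maps host N of the original range to host N of
    the mapped range, so the firewall never has to pick a single inside host.
    """
    ip = ipaddress.ip_address(addr)
    orig = ipaddress.ip_network(original, strict=False)
    mapp = ipaddress.ip_network(mapped, strict=False)
    if orig.prefixlen != mapp.prefixlen:
        raise ValueError(f"netmap requires equal-size networks: {orig} vs {mapp}")
    if ip not in orig:
        raise ValueError(f"{ip} is not in {orig}")
    offset = int(ip) - int(orig.network_address)
    return str(ipaddress.ip_address(int(mapp.network_address) + offset))


def bidirectional_netmap(inside: str, nat_range: str) -> List[Tuple[str, str]]:
    """The two (Original, Mapped) entries the reply describes: inside->mapped
    for the outgoing rule and mapped->inside for the incoming (redirect) rule."""
    if not netmap_sizes_match(inside, nat_range):
        raise ValueError("networks must be the same size")
    return [(inside, nat_range), (nat_range, inside)]


def usable_hosts(network: str) -> int:
    """Number of host addresses a range can represent (a /29 gives six)."""
    return len(list(ipaddress.ip_network(network, strict=False).hosts()))


def redirect_target(dst_nat_ip: str, inside: str, nat_range: str) -> str:
    """For a packet arriving from the tunnel addressed to `dst_nat_ip`,
    return the inside host the firewall should redirect it to."""
    return netmap_translate(dst_nat_ip, nat_range, inside)


if __name__ == "__main__":
    # Constructed values taken from the thread: inside 10.0.100.0/24, the
    # reply's suggested 192.168.252.0/24, and the poster's 192.168.252.64/29.
    INSIDE = "10.0.100.0/24"
    NAT24 = "192.168.252.0/24"
    NAT29 = "192.168.252.64/29"

    print("outgoing:", netmap_translate("10.0.100.248", INSIDE, NAT24))
    print("incoming:", redirect_target("192.168.252.248", INSIDE, NAT24))
    print("netmap entries:", bidirectional_netmap(INSIDE, NAT24))
    print(f"{NAT29} represents {usable_hosts(NAT29)} hosts; {INSIDE} has "
          f"{usable_hosts(INSIDE)}; sizes match: {netmap_sizes_match(INSIDE, NAT29)}")
```

Running it shows 10.0.100.248 leaving as 192.168.252.248 and a packet for 192.168.252.248 being redirected back to 10.0.100.248, while the /29 and /24 pair fails the size check, which is the reason the reply gives for needing 192.168.252.0/24 rather than 192.168.252.64/29.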
