2 Replies Latest reply: Dec 11, 2012 2:19 PM by rajeevanr

    VPN with Nat rule




      We use Sidewinder 7.0.103.

      I had to establish a VPN tunnel to one of our partners.

      They wanted us to use NATed IP addresses.

      My internal network is ----------- remote network is xx.xx.xx.xx

      I have to use as internal range (NAT) while communicating with remote (

      So the VPN is between and

      I also included in the local network part of the VPN configuration page.

      I use virtual burbs to terminate the VPN connections.

      In the rule base I added one rule as follows:

      permit --> service (http/http/icmp) from burb (internal) source ( nat  ---> to ---> burb (virtual)  destination ( no redirections

      This rule looks good to me for permitting my host to access the other end.

      Now they want us to permit their host to our host.

      How will I choose the source and destination burbs and NAT?

      Please help.

      Thanks in advance!



        • 1. Re: VPN with Nat rule

          Now you need to make a rule where the Source and Destination burbs are both the virtual burb.  The destination endpoint would be and the redirect IP would be  That would work to get to this one IP on the inside.

          It will not be possible to reach the entire subnet from the remote end because the firewall needs to change the destination IP of all of these packets now because you're using NAT.  If traffic from the other end of the tunnel is destined for you can now redirect this traffic (change the destination IP) to only ONE IP in the range.

          To do this correctly you need to use a range of IPs that is equal in number to the range of IPs you are NATing/redirecting from/to: =  You then make a netmap object where the Original side is and the Mapped side is  You then create another entry in this same netmap where is the Original side and is the Mapped side.  You use this netmap as the Source Endpoint in your outgoing VPN rule and use it as the Destination Endpoint in your incoming VPN rule.

          The way you have it set up right now the entire network can initiate sessions through the firewall to any IPs on the other side of the tunnel configuration.  From the other side back, though, you could only initiate sessions to six different IP addresses in the network behind the firewall.  That's because the range includes only six IP addresses, 65-70, and you can only redirect each of these IPs to ONE other IP via the firewall rules (using six rules).

          The only way to get this working for all IPs in, in both directions, is to use netmap objects, and netmaps require that the two networks are equal in size.
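
The 1:1 netmap idea in the reply above, as an added illustration that is not part of this thread and not Sidewinder code: a small Python model of a network map that checks the equal-size requirement and translates addresses in both directions by preserving the host offset, the way the outgoing rule (netmap as Source Endpoint) and the incoming rule (netmap as Destination Endpoint) would. The networks 10.1.1.0/24 and 192.168.100.0/24 and the remote host 203.0.113.9 are assumed for illustration only; the thread's own addresses are not visible on the page.

```python
import ipaddress
from typing import Dict, Tuple, Union

IPNetwork = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]
IPAddress = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]


def build_netmap(original_cidr: str, mapped_cidr: str) -> Dict[str, IPNetwork]:
    """Validate a 1:1 network map (hypothetical helper, not a product API).

    A netmap pairs every address of the Original network with exactly one
    address of the Mapped network, so both sides must be the same size.
    """
    original = ipaddress.ip_network(original_cidr, strict=True)
    mapped = ipaddress.ip_network(mapped_cidr, strict=True)
    if original.version != mapped.version:
        raise ValueError("original and mapped networks must be the same IP version")
    if original.num_addresses != mapped.num_addresses:
        raise ValueError(
            f"netmap sides differ in size: {original} has {original.num_addresses} "
            f"addresses, {mapped} has {mapped.num_addresses}"
        )
    return {"original": original, "mapped": mapped}


def translate(netmap: Dict[str, IPNetwork], addr: str, direction: str) -> IPAddress:
    """Translate one address across the netmap, keeping its host offset.

    direction="outbound": Original -> Mapped (source rewritten on the way out)
    direction="inbound":  Mapped -> Original (destination rewritten on the way in)
    """
    if direction == "outbound":
        src, dst = netmap["original"], netmap["mapped"]
    elif direction == "inbound":
        src, dst = netmap["mapped"], netmap["original"]
    else:
        raise ValueError("direction must be 'outbound' or 'inbound'")
    ip = ipaddress.ip_address(addr)
    if ip not in src:
        # A rule whose endpoint is this netmap simply would not match this packet.
        raise ValueError(f"{ip} is not in {src}; the netmap rule would not match it")
    offset = int(ip) - int(src.network_address)
    return ipaddress.ip_address(int(dst.network_address) + offset)


def translate_flow(netmap: Dict[str, IPNetwork], src: str, dst: str,
                   direction: str) -> Tuple[str, str]:
    """Apply the netmap to one (src, dst) pair as the two VPN rules would.

    outbound: an inside host starts the session; only the source changes.
    inbound:  the remote host starts the session; only the destination changes.
    """
    if direction == "outbound":
        return (str(translate(netmap, src, "outbound")), dst)
    if direction == "inbound":
        return (src, str(translate(netmap, dst, "inbound")))
    raise ValueError("direction must be 'outbound' or 'inbound'")


if __name__ == "__main__":
    # Constructed example networks; not the thread's real addresses.
    nm = build_netmap("10.1.1.0/24", "192.168.100.0/24")
    remote_host = "203.0.113.9"
    print("outgoing rule:", translate_flow(nm, "10.1.1.5", remote_host, "outbound"))
    print("incoming rule:", translate_flow(nm, remote_host, "192.168.100.5", "inbound"))
    try:
        build_netmap("10.1.1.0/24", "192.168.100.0/25")
    except ValueError as err:
        print("rejected:", err)
```

The size check is the point of the reply: with a netmap every inside address gets its own mapped address, so the remote side can initiate to any of them, whereas a per-rule redirect can only send each mapped address to one inside host.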

          • 2. Re: VPN with Nat rule



            Thanks for the reply.

            In the actual requirement, only one host from my side will access multiple IP addresses and ports on the other side. The reverse rule is only for testing purposes, as the tunnel is not coming up.

            I wrongly mentioned that I included in the local network section of the VPN page. In fact I just put the host entry there as in addition to

            I will create the ACL as you suggested; it is clear now.

            Apart from the ACL, do you think I did anything wrong?


            Many thanks