I have the joy of having a requirement from one of my vendors to create an IPsec VPN tunnel with 1 to 1 NAT. I have a little over 100 hosts that have to be NATed inside this tunnel. The configuration on the XG to do this is currently a hot mess.
Step 1 - Ensure all host objects are created. This is expected, so no real complaints here. Add any of the 105 local IP addresses that are missing, and add the 105 NAT addresses I need.
Step 2 - Configure the VPN tunnel with said objects. This is where it gets really fun. Add 105 /32 hosts into the local subnets. Caution - this is the address you want to NAT TO from your actual local addresses. This is very unintuitive, as your brain wants to assume, looking at the GUI, that since you read left to right you would read the NAT in that manner. Nope, again, this is the NAT address you are sending over the tunnel. I unfortunately found this out the hard way after getting it all configured... backwards.
Step 3 - Now that you have added all of your objects into the local subnets, the fun begins. The GUI is now running about as fast as Netscape Navigator circa 1999 via AOL dial-up. Check the box for NAT and get what is posted above: a drop-down box to choose what you want to NAT to. Great - unless you have 1500+ objects in your XG. It gets better - they are in the order they were added to the XG. Not alphabetical or numerical, the order they were added. You think, no problem, I'm sure it lets you search for the object I need... To the great amusement of the developers, you cannot in fact do this. You have to manually scroll through all of your objects and find your object, again in the order they were added to the firewall. So 1500+ objects in no particular order that you cannot search through. All the while every click takes 10-15 seconds thanks to the now overwhelmed GUI. Get about 20 of the NATs configured and forget to hit save? You are welcomed with a nice timeout that wipes out 20-30 minutes of work. So you can only do about 5 at a time. Again though, every time you go into the VPN config it's a good 5 minutes to even get control of the web page back. Good times so far.
So, has anyone else experienced the joy of 1 to 1 NAT in IPsec VPN tunnels? This has been hours of work and much well-deserved profanity at this configuration design, with about 50% completion to show for it.
There has to be a better way... Open to suggestions! Perhaps the API can speed this up somehow? I guess this is a good time to finally break down and learn the XG API.
Short question, why do you not 1:1 NAT a /24?
Would be a two click scenario in XG.
Or do you have to create 105 SAs with your vendor? (/32).
In reply to LuCar Toni:
Vendor requirement to 1 to 1 NAT specific IP to specific IP.
In reply to tragikcomic:
But actually, if you use a /24 for example, it would map each IP.
So SA 192.168.1.0/24 and your network 172.16.16.0/24
It would map 192.168.1.1 to 172.16.16.1 etc.
Although a great suggestion, it is not practical in my application. Trust me, I tried to avoid this. I have local clients across multiple subnets that have to NAT in this way. The vendor required me to send them all my local client IPs that will be using this application. Then I received back a document with their expected NAT IPs that have to match exactly. Just as an example, say if I had local IP 10.10.10.1 it HAS to NAT to 172.16.16.7, and 10.5.10.24 must be 172.16.16.29... Those are obviously made up, but you get the gist of it.
I do appreciate the suggestions though!
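The two approaches discussed in this thread (one subnet-to-subnet 1:1 NAT that preserves the host part, versus per-host /32 mappings dictated by the vendor) can be checked before anyone touches the firewall GUI. The script below is an added example, not part of the thread or any Sophos tooling: it validates that a vendor mapping document really is 1:1 (no two local hosts share a NAT address), tests whether a single subnet translation would reproduce it, and otherwise lists the /32 pairs that must be entered by hand. All addresses in it are constructed sample values.

```python
import ipaddress

# Constructed sample of a vendor mapping document (local IP -> required NAT IP).
# Made-up addresses in the style of the thread, not anyone's real network.
VENDOR_MAPPING = {
    "10.10.10.1": "172.16.16.7",
    "10.5.10.24": "172.16.16.29",
    "10.10.10.2": "172.16.16.8",
}

def validate_one_to_one(mapping):
    """Return a list of problems: malformed addresses or NAT targets reused
    by more than one local host. A 1:1 NAT is only sound when every NAT
    address maps back to exactly one local host."""
    problems, seen = [], {}
    for local, nat in mapping.items():
        try:
            ipaddress.ip_address(local)
            ipaddress.ip_address(nat)
        except ValueError as err:
            problems.append(f"malformed address: {err}")
            continue
        if nat in seen:
            problems.append(f"{nat} used for both {seen[nat]} and {local}")
        seen[nat] = local
    return problems

def subnet_nat_covers(mapping, local_net, nat_net):
    """True if one subnet-to-subnet 1:1 NAT (same prefix length, host part
    preserved, e.g. 192.168.1.0/24 <-> 172.16.16.0/24 as suggested above)
    reproduces every pair in the mapping."""
    local_net = ipaddress.ip_network(local_net)
    nat_net = ipaddress.ip_network(nat_net)
    if local_net.prefixlen != nat_net.prefixlen:
        return False
    for local, nat in mapping.items():
        l_ip, n_ip = ipaddress.ip_address(local), ipaddress.ip_address(nat)
        if l_ip not in local_net or n_ip not in nat_net:
            return False
        # Host offsets must match for a subnet translation to apply.
        if (int(l_ip) - int(local_net.network_address)
                != int(n_ip) - int(nat_net.network_address)):
            return False
    return True

def host_entries(mapping):
    """Per-host /32 pairs needed when no subnet NAT fits: (local /32, NAT /32).
    The NAT side is the address that goes into the tunnel's local subnets."""
    return sorted((f"{l}/32", f"{n}/32") for l, n in mapping.items())
```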