Important note about SSL VPN compatibility for 20.0 MR1 with EoL SFOS versions and UTM9 OS. Learn more in the release notes.

Thread Info
  • State Not Answered
  • Locked Locked
  • Replies 2 replies
  • Subscribers 39 subscribers
  • Views 655 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

IPSEC VPN with NAT

Nathan Johnson

One of our stores has a LAN (for example) 10.11.12.0/24.  We have a third party company that we HAVE to VPN with for their system.  The third party company already has another client with the LAN 10.11.12.0/24 and they created LAN for us on their end told me to use 10.100.200.0/24 for our LAN.  I've already configured everything on my end for all of our company and all of our other stores to use 10.11.12.0/24.  To have to go back and reconfigure everything in that store and all our other VPNs between stores to use the LAN they told me to use is crazy.  I feel like I should be able to NAT 10.11.12.0/24 to 10.100.200.0/24, but I have no idea exactly how to do the config on the XG.  I tried a few things but the tunnel wouldn't connect.  Can anyone point me in the right direction?



This thread was automatically locked due to age.
  • 0

    OK, so I figured out that I had my NAT objects reversed in the VPN set up. I can now ping across the VPN (NATed) to the third party just fine.  Now on to the next issue.  This VPN is for printing jobs ONLY.  Network traffic does not initiate from us, but from them.  So, I have went in on the XG and created two objects for each of the 6 printers, one for the real LAN IP address of the printer and one NATed IP for the printer to map to.  Then I went into the firewall rules and created a Business Application Rule for one of the printers to test with.  I set the source zone to VPN and the source to the subnet of the remote side (10.100.200.0/24).  Then under Destination Host/Network I chose the NATed object I created for the printer.  Then under Forward To I set the Protected Server to the actual IP object I created for the printer and set the Zone to LAN.  I've not had a chance yet to test this out, but it seems like it should work.  Does anyone know if this will work OR the correct way to accomplish this?

  • 0 in reply to Nathan Johnson

    I have verified that the above configuration will work.  Hopefully, in me answering my own questions I have helped someone else facing this same issue.  However, I do wonder if someone else knows if there's a better way to do this?  

Unfiltered HTML