

Multiple nat on single ipsec tunnel

Hi,


Currently I am migrating from an old ASA to XG and I need to mimic the setup I had on the ASA. With one of our partners we have an IPsec VPN tunnel with multiple NAT rules. In short:

- There are 3 internal networks on my side (192.168.x.a/24, 192.168.x.b/24, 192.168.x.c/24)

- There are 2 servers on the partner side (s1, s2) and one network (192.168.z.d/24)

- My network 192.168.x.a/24 should be NATed to 10.x.y.z when accessing s1

- My networks 192.168.x.b/24 and 192.168.x.a/24 should be NATed to 10.x.y.d when accessing s2

- Partner network 192.168.z.d/24 will access a server in 192.168.x.c/24 using the 10.x.y.d address on their side

So far my understanding is that NAT from my side can be configured in the IPsec VPN configuration tab under network details, but there is no way to specify a different NAT depending on the destination. So my first question is how in XG I can configure different NAT depending on the destination - should I configure it as a firewall rule? If so, what should be set as the gateway for the traffic to go into the IPsec tunnel?

The second topic is how to configure a Business application rule to expose my server to the network on the other end of the IPsec tunnel. What is the source zone - VPN? In allowed networks I am assuming I should enter the remote network?

As usual any help appreciated :)

Pawel 



  • I have a similar issue but only a single local network going to 2 partner networks.

    - My network is 10.0.0.0/24 and should be NAT'd to 172.22.208.0/26 when accessing either partner network.

    - Partner network 1 is 172.168.99.0/24

    - Partner network 2 is xxx.xxx.204.0/23

    IPsec Network Details:

    Local:

    Local Subnet: 172.22.208.0/26

    NATed LAN: 10.0.0.0/24

    Remote:

    Remote LAN Network: 192.168.99.0/24 and xxx.xxx.204.0/23

    When performing a packet capture for ping we saw that the outgoing interface was Port2 (WAN) rather than the IPsec tunnel. The route was configured manually via CLI to use the tunnel. Then when running a capture again, we saw the interface was ipsec0, the source was 10.0.0.20 and the destination was xxx.xxx.204.5, as seen below. Which is good. But no packets were sniffed out on the partner side. The NAT is configured the way that Sachin suggested, but how to check or verify the NAT table? Or is there a separate rule that needs to be created in addition?

    14:45:41.881 Port1, IN: In aa:bb:cc:dd:ee:ff ethertype IPv4 (0x0800), length 76: (tos 0x0, ttl 128, id 22888, offset 0, flags [none], proto ICMP (1), length 60)
    10.0.0.20 > xxx.xxx.204.5: ICMP echo request, id 1, seq 18953, length 40
    14:45:41.880 ipsec0, OUT: Out ff:ee:dd:cc:bb:aa ethertype IPv4 (0x0800), length 76: (tos 0x0, ttl 127, id 22888, offset 0, flags [none], proto ICMP (1), length 60)
    10.0.0.20 > xxx.xxx.204.5: ICMP echo request, id 1, seq 18953, length 40
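One way to check a capture like the one above for whether the policy NAT was applied before the tunnel, as an added example that is not part of the original post: the OUT packet on ipsec0 should carry a source inside the Local Subnet the peer expects (172.22.208.0/26), not an address from the NATed LAN (10.0.0.0/24). It assumes the OUT line on ipsec0 shows the address the peer will see; the sample capture is constructed from the lines quoted above, with the redacted partner prefix replaced by the documentation range 203.0.113.0/23.

```python
import ipaddress
import re

# Constructed sample: the two capture lines from the post, partner prefix
# replaced by the documentation range 203.0.113.0/23 (an assumption).
SAMPLE_CAPTURE = """\
14:45:41.881 Port1, IN: In aa:bb:cc:dd:ee:ff ethertype IPv4 (0x0800), length 76: (tos 0x0, ttl 128, id 22888, offset 0, flags [none], proto ICMP (1), length 60)
10.0.0.20 > 203.0.113.5: ICMP echo request, id 1, seq 18953, length 40
14:45:41.880 ipsec0, OUT: Out ff:ee:dd:cc:bb:aa ethertype IPv4 (0x0800), length 76: (tos 0x0, ttl 127, id 22888, offset 0, flags [none], proto ICMP (1), length 60)
10.0.0.20 > 203.0.113.5: ICMP echo request, id 1, seq 18953, length 40
"""

# Values taken from the IPsec Network Details in the post.
NATED_LAN = ipaddress.ip_network("10.0.0.0/24")       # real internal network
LOCAL_SUBNET = ipaddress.ip_network("172.22.208.0/26")  # what the peer expects
TUNNEL_IF = "ipsec0"

HEADER_RE = re.compile(r"^\S+ (\S+), (IN|OUT): ")
FLOW_RE = re.compile(r"^(\d+\.\d+\.\d+\.\d+) > (\d+\.\d+\.\d+\.\d+):")


def parse_capture(text):
    """Pair each interface/direction header line with the flow line that follows it."""
    packets, header = [], None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            header = {"iface": m.group(1), "dir": m.group(2)}
            continue
        m = FLOW_RE.match(line)
        if m and header:
            packets.append({**header, "src": ipaddress.ip_address(m.group(1)),
                            "dst": ipaddress.ip_address(m.group(2))})
            header = None
    return packets


def check_tunnel_nat(packets):
    """Report OUT packets on the tunnel whose source still carries the un-NATed LAN address."""
    findings = []
    for p in packets:
        if p["iface"] != TUNNEL_IF or p["dir"] != "OUT":
            continue
        if p["src"] in NATED_LAN and p["src"] not in LOCAL_SUBNET:
            findings.append(f"{p['src']} -> {p['dst']} left {TUNNEL_IF} untranslated; "
                            f"peer expects a source in {LOCAL_SUBNET}")
    return findings


if __name__ == "__main__":
    for f in check_tunnel_nat(parse_capture(SAMPLE_CAPTURE)):
        print(f)
```

An empty result means every packet leaving the tunnel already carried a source in the expected subnet, so the problem would lie elsewhere (for example in the peer's selectors).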
