
Multiple nat on single ipsec tunnel

Hi,

 

Currently I am migrating from an old ASA to XG and I need to mimic the setup I had on the ASA. With one of our partners we have an IPsec VPN tunnel with multiple NAT rules. In short:

- There are 3 internal networks on my side (192.168.x.a/24, 192.168.x.b/24, 192.168.x.c/24)

- There are 2 servers on partner side ( s1, s2 ) and one network (192.168.z.d/24)

- My network 192.168.x.a/24 should be NATed to 10.x.y.z when accessing s1

- My networks 192.168.x.b/24 and 192.168.x.a/24 should be NATed to 10.x.y.d when accessing s2

- Partner network 192.168.z.d/24 will access server in 192.168.x.c/24 using 10.x.y.d address on their side

So far my understanding is that the NAT from my side I can configure in the IPsec VPN configuration tab in the network details, but there is no way to specify a different NAT depending on the destination. So the first question is how in XG I can configure a different NAT depending on the destination - should I configure it as a firewall rule? If so, what should be set as the gateway for the traffic to go into the IPsec tunnel?

The second topic is how to configure a Business application rule to expose my server to the network on the other end of the IPsec tunnel. What is the source zone - VPN? In allowed networks I am assuming I should enter the remote network?

As usual any help appreciated :)

Pawel 



  • Hi Pawel,

    I have simulated the environment you have requested.

    In my scenario:

    Site A

    Local Network 10.10.40.0/24

    Communication with Site B 10.10.10.1 with NAT address 1.1.1.2

    Communication with Site B 10.10.10.129 with NAT address 1.1.1.1

    Configuration on Rules 

    Rule 1 LAN to VPN, Source Zone LAN, Destination Zone VPN, Source Network (Local Network), Destination IP SERVER_A 10.10.10.1 address, NAT policy 1.1.1.2

    Rule 2 LAN to VPN, Source Zone LAN, Destination Zone VPN, Source Network (Local Network), Destination IP SERVER_B 10.10.10.129 address, NAT policy 1.1.1.1.

    Rule 3 VPN to LAN, Source Zone VPN, Destination Zone LAN, Source Network ANY, Destination ANY, NAT policy None.

    Configuration ON Tunnel 

    Local Subnet : 10.10.40.0/24, 1.1.1.0/24 (NAT network DUMMY to establish SA)

    Remote Subnet : 10.10.10.0/24

    ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

    Site B

     

    Configuration on Rules 

    Rule 1 LAN to VPN, Source Zone LAN, Destination Zone VPN, Source Network ANY, Destination IP ANY address, NAT policy None

    Rule 2 VPN to LAN, Source Zone VPN, Destination Zone LAN, Source Network ANY, Destination ANY, NAT policy None.

    Configuration ON Tunnel 

    Local Subnet : 10.10.10.0/24

    Remote Subnet : 10.10.40.0/24, 1.1.1.0/24 (NAT network DUMMY to accept the NATed addresses)

    Regards,

    Aditya Patel
    Global Escalation Support Engineer | Sophos Technical Support

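    To make the interaction between the destination-dependent NAT rules and the tunnel selectors concrete, here is an added example (not code from this thread, from Pawel, or from Sophos) that models the Site A rule set above as a first-match table with Python's standard ipaddress module. It assumes a plain source-NAT semantics for "NAT policy" and uses the thread's own addresses; the Rule and Site class names and the forward() function are hypothetical. It shows why the dummy 1.1.1.0/24 network has to be listed in the tunnel's local subnets: after translation the packet's source is 1.1.1.x, and if that address is not inside a phase-2 selector the packet never enters the SA.

```python
# Added example (not code from the thread or from Sophos): a model of the
# Site A rule set Aditya describes, used to check that a packet's post-NAT
# source still falls inside the IPsec tunnel's local selectors. Class and
# function names are hypothetical; addresses are the ones used in the thread.
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Optional, Tuple

ANY = ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Rule:
    """One XG firewall rule: zones, source network, destination host, NAT policy."""
    name: str
    src_zone: str
    dst_zone: str
    src_net: IPv4Network                 # "Source Network"; ANY = 0.0.0.0/0
    dst_net: IPv4Network                 # "Destination"; a /32 host or ANY
    snat: Optional[IPv4Address] = None   # "NAT policy": translated source, or None


@dataclass(frozen=True)
class Site:
    """A site's LAN, its rule table and its tunnel selectors (local/remote subnets)."""
    lan: IPv4Network
    rules: Tuple[Rule, ...]
    tunnel_local: Tuple[IPv4Network, ...]
    tunnel_remote: Tuple[IPv4Network, ...]

    def zone_of(self, addr: IPv4Address) -> str:
        """LAN for the local network, VPN for anything reachable through the tunnel."""
        if addr in self.lan:
            return "LAN"
        if any(addr in net for net in self.tunnel_remote):
            return "VPN"
        return "WAN"

    def match_rule(self, src: IPv4Address, dst: IPv4Address) -> Optional[Rule]:
        """First-match lookup, top to bottom, as the firewall evaluates its rule table."""
        for rule in self.rules:
            if (self.zone_of(src) == rule.src_zone
                    and self.zone_of(dst) == rule.dst_zone
                    and src in rule.src_net and dst in rule.dst_net):
                return rule
        return None

    def forward(self, src: IPv4Address, dst: IPv4Address):
        """Return (rule name, post-NAT source, in_tunnel). in_tunnel says whether
        the translated packet matches the phase-2 selectors in either direction."""
        rule = self.match_rule(src, dst)
        if rule is None:
            return None, None, False          # no matching rule: dropped
        nat_src = rule.snat if rule.snat is not None else src
        outbound = (any(nat_src in n for n in self.tunnel_local)
                    and any(dst in n for n in self.tunnel_remote))
        inbound = (any(nat_src in n for n in self.tunnel_remote)
                   and any(dst in n for n in self.tunnel_local))
        return rule.name, nat_src, outbound or inbound


LOCAL_A = ip_network("10.10.40.0/24")
REMOTE_B = (ip_network("10.10.10.0/24"),)
SITE_A_RULES = (
    Rule("Rule 1 LAN to VPN", "LAN", "VPN", LOCAL_A, ip_network("10.10.10.1/32"), ip_address("1.1.1.2")),
    Rule("Rule 2 LAN to VPN", "LAN", "VPN", LOCAL_A, ip_network("10.10.10.129/32"), ip_address("1.1.1.1")),
    Rule("Rule 3 VPN to LAN", "VPN", "LAN", ANY, ANY, None),
)
# Tunnel as posted: local selectors include the dummy 1.1.1.0/24 NAT network.
SITE_A = Site(LOCAL_A, SITE_A_RULES, (LOCAL_A, ip_network("1.1.1.0/24")), REMOTE_B)
# Same rules, but with the dummy network left out of the tunnel's local subnets.
SITE_A_NO_DUMMY = Site(LOCAL_A, SITE_A_RULES, (LOCAL_A,), REMOTE_B)

if __name__ == "__main__":
    host = ip_address("10.10.40.5")                   # constructed sample client
    for site, label in ((SITE_A, "with dummy"), (SITE_A_NO_DUMMY, "without dummy")):
        for server in ("10.10.10.1", "10.10.10.129", "10.10.10.50"):
            print(label, server, site.forward(host, ip_address(server)))
    print("return traffic", SITE_A.forward(ip_address("10.10.10.7"), ip_address("10.10.40.20")))
```

    Running it shows the two server-specific rules translating the same client to 1.1.1.2 or 1.1.1.1 depending on the destination, the return path from 10.10.10.0/24 matching Rule 3 untranslated, and a destination with no rule (10.10.10.50) being dropped because the Site A table has no catch-all LAN to VPN rule. With the dummy network removed from the local subnets the NAT still happens, but in_tunnel is False: that is the case where the firewall rule looks right yet the traffic never appears on the far side.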

  • Thanks,

    I will try tonight. One more thing - did you try using only the NAT network DUMMY in the tunnel configuration?

     

    Pawel

  • Hi Pawel,

    Yes, the dummy network is used the same as the NATed address, in your case 10.x.x.x/subnet.

    Regards,

    Aditya Patel
    Global Escalation Support Engineer | Sophos Technical Support

