

Multiple nat on single ipsec tunnel

Hi,

 

Currently I am migrating from an old ASA to XG and I need to mimic the setup I had on the ASA. With one of our partners we have an IPsec VPN tunnel with multiple NAT rules. In short:

- There are 3 internal networks on my side (192.168.x.a/24, 192.168.x.b/24, 192.168.x.c/24)

- There are 2 servers on partner side ( s1, s2 ) and one network (192.168.z.d/24)

- My network 192.168.x.a/24 should be NATed to 10.x.y.z when accessing s1

- My networks 192.168.x.b/24 and 192.168.x.a/24 should be NATed to 10.x.y.d when accessing s2

- Partner network 192.168.z.d/24 will access a server in 192.168.x.c/24 using a 10.x.y.d address on their side

So far my understanding is that NAT from my side I can configure in the IPsec VPN configuration tab in the network details, but there is no way to specify a different NAT depending on the destination. So the first question is: how in XG can I configure different NAT depending on the destination - should I configure it as a firewall rule? If so, what should be set as the gateway for the traffic to go into the IPsec tunnel?

The second topic is how to configure a Business application rule to expose my server to the network on the other end of the IPsec tunnel. What is the source zone - VPN? In allowed networks I am assuming I should enter the remote network?

As usual any help appreciated :)

Pawel 



  • Hi Pawel,

    That is exactly what we have done. We have NATed the traffic and then sent it through the IPsec tunnel.

    Let me show you the output.

    Site A Output

    Note the address 10.10.10.1 is an interface address, so it would not show a reply packet, but it is reflected in the Site B logs. SERVER LOCATION


    12:04:11.568918 PortA, OUT: IP 1.1.1.1 > 10.10.10.129: ICMP echo request, id 1, seq 929, length 40
    12:04:11.569452 PortA, IN: IP 10.10.10.129 > 1.1.1.1: ICMP echo reply, id 1, seq 929, length 40
    12:04:11.805367 ipsec0, IN: IP 1.1.1.2 > 10.10.10.1: ICMP echo request, id 1, seq 930, length 40
    12:04:12.583749 ipsec0, IN: IP 1.1.1.1 > 10.10.10.129: ICMP echo request, id 1, seq 931, length 40
    12:04:12.583872 PortA, OUT: IP 1.1.1.1 > 10.10.10.129: ICMP echo request, id 1, seq 931, length 40
    12:04:12.584437 PortA, IN: IP 10.10.10.129 > 1.1.1.1: ICMP echo reply, id 1, seq 931, length 40
    12:04:12.820701 ipsec0, IN: IP 1.1.1.2 > 10.10.10.1: ICMP echo request, id 1, seq 932, length 40
    12:04:13.606044 ipsec0, IN: IP 1.1.1.1 > 10.10.10.129: ICMP echo request, id 1, seq 933, length 40
    12:04:13.606138 PortA, OUT: IP 1.1.1.1 > 10.10.10.129: ICMP echo request, id 1, seq 933, length 40
    12:04:13.606639 PortA, IN: IP 10.10.10.129 > 1.1.1.1: ICMP echo reply, id 1, seq 933, length 40
    12:04:13.836655 ipsec0, IN: IP 1.1.1.2 > 10.10.10.1: ICMP echo request, id 1, seq 934, length 40
    12:04:14.621657 ipsec0, IN: IP 1.1.1.1 > 10.10.10.129: ICMP echo request, id 1, seq 935, length 40
    12:04:14.621744 PortA, OUT: IP 1.1.1.1 > 10.10.10.129: ICMP echo request, id 1, seq 935, length 40
    12:04:14.622040 PortA, IN: IP 10.10.10.129 > 1.1.1.1: ICMP echo reply, id 1, seq 935, length 40
    12:04:14.853140 ipsec0, IN: IP 1.1.1.2 > 10.10.10.1: ICMP echo request, id 1, seq 936, length 40
    12:04:15.638373 ipsec0, IN: IP 1.1.1.1 > 10.10.10.129: ICMP echo request, id 1, seq 937, length 40
    12:04:15.638489 PortA, OUT: IP 1.1.1.1 > 10.10.10.129: ICMP echo request, id 1, seq 937, length 40
    12:04:15.638808 PortA, IN: IP 10.10.10.129 > 1.1.1.1: ICMP echo reply, id 1, seq 937, length 40
    12:04:15.870153 ipsec0, IN: IP 1.1.1.2 > 10.10.10.1: ICMP echo request, id 1, seq 938, length 40
    12:04:16.653958 ipsec0, IN: IP 1.1.1.1 > 10.10.10.129: ICMP echo request, id 1, seq 939, length 40
    12:04:16.654056 PortA, OUT: IP 1.1.1.1 > 10.10.10.129: ICMP echo request, id 1, seq 939, length 40
    12:04:16.654457 PortA, IN: IP 10.10.10.129 > 1.1.1.1: ICMP echo reply, id 1, seq 939, length 40
    12:04:16.884982 ipsec0, IN: IP 1.1.1.2 > 10.10.10.1: ICMP echo request, id 1, seq 940, length 40
    12:04:17.671060 ipsec0, IN: IP 1.1.1.1 > 10.10.10.129: ICMP echo request, id 1, seq 941, length 40
    12:04:17.671337 PortA, OUT: IP 1.1.1.1 > 10.10.10.129: ICMP echo request, id 1, seq 941, length 40
    12:04:17.671668 PortA, IN: IP 10.10.10.129 > 1.1.1.1: ICMP echo reply, id 1, seq 941, length 40
    12:04:17.908502 ipsec0, IN: IP 1.1.1.2 > 10.10.10.1: ICMP echo request, id 1, seq 942, length 40
    12:04:18.687515 ipsec0, IN: IP 1.1.1.1 > 10.10.10.129: ICMP echo request, id 1, seq 943, length 40
    12:04:18.687941 PortA, OUT: IP 1.1.1.1 > 10.10.10.129: ICMP echo request, id 1, seq 943, length 40
    12:04:18.688224 PortA, IN: IP 10.10.10.129 > 1.1.1.1: ICMP echo reply, id 1, seq 943, length 40
    12:04:18.924835 ipsec0, IN: IP 1.1.1.2 > 10.10.10.1: ICMP echo request, id 1, seq 944, length 40
    12:04:19.710247 ipsec0, IN: IP 1.1.1.1 > 10.10.10.129: ICMP echo request, id 1, seq 945, length 40
    12:04:19.710329 PortA, OUT: IP 1.1.1.1 > 10.10.10.129: ICMP echo request, id 1, seq 945, length 40

     

    Site A


    12:06:19.844114 ipsec0, IN: IP 10.10.10.129 > 1.1.1.1: ICMP echo reply, id 1, seq 1183, length 40
    12:06:19.844265 PortA, OUT: IP 10.10.10.129 > 10.10.40.130: ICMP echo reply, id 1, seq 1183, length 40
    12:06:20.142441 PortA, IN: IP 10.10.40.130 > 10.10.10.1: ICMP echo request, id 1, seq 1184, length 40
    12:06:20.142834 ipsec0, IN: IP 10.10.10.1 > 1.1.1.2: ICMP echo reply, id 1, seq 1184, length 40
    12:06:20.142911 PortA, OUT: IP 10.10.10.1 > 10.10.40.130: ICMP echo reply, id 1, seq 1184, length 40
    12:06:20.858205 PortA, IN: IP 10.10.40.130 > 10.10.10.129: ICMP echo request, id 1, seq 1185, length 40
    12:06:20.859766 ipsec0, IN: IP 10.10.10.129 > 1.1.1.1: ICMP echo reply, id 1, seq 1185, length 40
    12:06:20.860123 PortA, OUT: IP 10.10.10.129 > 10.10.40.130: ICMP echo reply, id 1, seq 1185, length 40
    12:06:21.158606 PortA, IN: IP 10.10.40.130 > 10.10.10.1: ICMP echo request, id 1, seq 1186, length 40
    12:06:21.159045 ipsec0, IN: IP 10.10.10.1 > 1.1.1.2: ICMP echo reply, id 1, seq 1186, length 40
    12:06:21.159127 PortA, OUT: IP 10.10.10.1 > 10.10.40.130: ICMP echo reply, id 1, seq 1186, length 40
    12:06:21.874341 PortA, IN: IP 10.10.40.130 > 10.10.10.129: ICMP echo request, id 1, seq 1187, length 40
    12:06:21.875546 ipsec0, IN: IP 10.10.10.129 > 1.1.1.1: ICMP echo reply, id 1, seq 1187, length 40
    12:06:21.875646 PortA, OUT: IP 10.10.10.129 > 10.10.40.130: ICMP echo reply, id 1, seq 1187, length 40
    12:06:22.174466 PortA, IN: IP 10.10.40.130 > 10.10.10.1: ICMP echo request, id 1, seq 1188, length 40
    12:06:22.174822 ipsec0, IN: IP 10.10.10.1 > 1.1.1.2: ICMP echo reply, id 1, seq 1188, length 40
    12:06:22.174876 PortA, OUT: IP 10.10.10.1 > 10.10.40.130: ICMP echo reply, id 1, seq 1188, length 40
    12:06:22.897580 PortA, IN: IP 10.10.40.130 > 10.10.10.129: ICMP echo request, id 1, seq 1189, length 40
    12:06:22.898868 ipsec0, IN: IP 10.10.10.129 > 1.1.1.1: ICMP echo reply, id 1, seq 1189, length 40
    12:06:22.899155 PortA, OUT: IP 10.10.10.129 > 10.10.40.130: ICMP echo reply, id 1, seq 1189, length 40
    12:06:23.197789 PortA, IN: IP 10.10.40.130 > 10.10.10.1: ICMP echo request, id 1, seq 1190, length 40
    12:06:23.198290 ipsec0, IN: IP 10.10.10.1 > 1.1.1.2: ICMP echo reply, id 1, seq 1190, length 40
    12:06:23.198355 PortA, OUT: IP 10.10.10.1 > 10.10.40.130: ICMP echo reply, id 1, seq 1190, length 40
    12:06:23.899804 PortA, IN: IP 10.10.40.130 > 10.10.10.129: ICMP echo request, id 1, seq 1191, length 40
    12:06:23.901491 ipsec0, IN: IP 10.10.10.129 > 1.1.1.1: ICMP echo reply, id 1, seq 1191, length 40
    12:06:23.901809 PortA, OUT: IP 10.10.10.129 > 10.10.40.130: ICMP echo reply, id 1, seq 1191, length 40
    12:06:24.215301 PortA, IN: IP 10.10.40.130 > 10.10.10.1: ICMP echo request, id 1, seq 1192, length 40
    12:06:24.215797 ipsec0, IN: IP 10.10.10.1 > 1.1.1.2: ICMP echo reply, id 1, seq 1192, length 40
    12:06:24.215834 PortA, OUT: IP 10.10.10.1 > 10.10.40.130: ICMP echo reply, id 1, seq 1192, length 40
    12:06:24.915857 PortA, IN: IP 10.10.40.130 > 10.10.10.129: ICMP echo request, id 1, seq 1193, length 40
    12:06:24.917427 ipsec0, IN: IP 10.10.10.129 > 1.1.1.1: ICMP echo reply, id 1, seq 1193, length 40
    12:06:24.917534 PortA, OUT: IP 10.10.10.129 > 10.10.40.130: ICMP echo reply, id 1, seq 1193, length 40
    12:06:25.233636 PortA, IN: IP 10.10.40.130 > 10.10.10.1: ICMP echo request, id 1, seq 1194, length 40
    12:06:25.234109 ipsec0, IN: IP 10.10.10.1 > 1.1.1.2: ICMP echo reply, id 1, seq 1194, length 40
    12:06:25.234177 PortA, OUT: IP 10.10.10.1 > 10.10.40.130: ICMP echo reply, id 1, seq 1194, length 40
    12:06:25.932976 PortA, IN: IP 10.10.40.130 > 10.10.10.129: ICMP echo request, id 1, seq 1195, length 40
    12:06:25.934781 ipsec0, IN: IP 10.10.10.129 > 1.1.1.1: ICMP echo reply, id 1, seq 1195, length 40
    12:06:25.934873 PortA, OUT: IP 10.10.10.129 > 10.10.40.130: ICMP echo reply, id 1, seq 1195, length 40
    12:06:26.248915 PortA, IN: IP 10.10.40.130 > 10.10.10.1: ICMP echo request, id 1, seq 1196, length 40
    12:06:26.249448 ipsec0, IN: IP 10.10.10.1 > 1.1.1.2: ICMP echo reply, id 1, seq 1196, length 40
    12:06:26.249584 PortA, OUT: IP 10.10.10.1 > 10.10.40.130: ICMP echo reply, id 1, seq 1196, length 40
    12:06:26.948690 PortA, IN: IP 10.10.40.130 > 10.10.10.129: ICMP echo request, id 1, seq 1197, length 40
    12:06:26.950449 ipsec0, IN: IP 10.10.10.129 > 1.1.1.1: ICMP echo reply, id 1, seq 1197, length 40
    12:06:26.950546 PortA, OUT: IP 10.10.10.129 > 10.10.40.130: ICMP echo reply, id 1, seq 1197, length 40
    12:06:27.264476 PortA, IN: IP 10.10.40.130 > 10.10.10.1: ICMP echo request, id 1, seq 1198, length 40
    12:06:27.264866 ipsec0, IN: IP 10.10.10.1 > 1.1.1.2: ICMP echo reply, id 1, seq 1198, length 40
    12:06:27.265005 PortA, OUT: IP 10.10.10.1 > 10.10.40.130: ICMP echo reply, id 1, seq 1198, length 40
    12:06:27.964499 PortA, IN: IP 10.10.40.130 > 10.10.10.129: ICMP echo request, id 1, seq 1199, length 40
    12:06:27.965288 ipsec0, IN: IP 10.10.10.129 > 1.1.1.1: ICMP echo reply, id 1, seq 1199, length 40
    12:06:27.965374 PortA, OUT: IP 10.10.10.129 > 10.10.40.130: ICMP echo reply, id 1, seq 1199, length 40
    12:06:28.280621 PortA, IN: IP 10.10.40.130 > 10.10.10.1: ICMP echo request, id 1, seq 1200, length 40
    12:06:28.281239 ipsec0, IN: IP 10.10.10.1 > 1.1.1.2: ICMP echo reply, id 1, seq 1200, length 40
    12:06:28.281319 PortA, OUT: IP 10.10.10.1 > 10.10.40.130: ICMP echo reply, id 1, seq 1200, length 40
    12:06:28.967219 PortA, IN: IP 10.10.40.130 > 10.10.10.129: ICMP echo request, id 1, seq 1201, length 40
    12:06:28.968263 ipsec0, IN: IP 10.10.10.129 > 1.1.1.1: ICMP echo reply, id 1, seq 1201, length 40
    12:06:28.968344 PortA, OUT: IP 10.10.10.129 > 10.10.40.130: ICMP echo reply, id 1, seq 1201, length 40
    12:06:29.298148 PortA, IN: IP 10.10.40.130 > 10.10.10.1: ICMP echo request, id 1, seq 1202, length 40
    12:06:29.298758 ipsec0, IN: IP 10.10.10.1 > 1.1.1.2: ICMP echo reply, id 1, seq 1202, length 40
    12:06:29.298839 PortA, OUT: IP 10.10.10.1 > 10.10.40.130: ICMP echo reply, id 1, seq 1202, length 40
    12:06:29.984202 PortA, IN: IP 10.10.40.130 > 10.10.10.129: ICMP echo request, id 1, seq 1203, length 40
    12:06:29.985294 ipsec0, IN: IP 10.10.10.129 > 1.1.1.1: ICMP echo reply, id 1, seq 1203, length 40
    12:06:29.985386 PortA, OUT: IP 10.10.10.129 > 10.10.40.130: ICMP echo reply, id 1, seq 1203, length 40
    12:06:30.316492 PortA, IN: IP 10.10.40.130 > 10.10.10.1: ICMP echo request, id 1, seq 1204, length 40
    12:06:30.316980 ipsec0, IN: IP 10.10.10.1 > 1.1.1.2: ICMP echo reply, id 1, seq 1204, length 40

     

    As you can see, it is NATed and then sent out through IPsec.

    Regards,

    Aditya Patel
    Global Escalation Support Engineer | Sophos Technical Support
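    To confirm from a capture like the one above that SNAT happens before the packet enters the tunnel, the following Python (added here as an illustration, not code from the thread or from Sophos) parses lines in the same tcpdump-style format and pairs each echo request seen on PortA with the matching echo reply seen on ipsec0; the reply's destination is the NATed source. The sample lines are constructed in that format.

```python
import re

# Format of the SFOS capture lines shown in the thread:
# "<time> <iface>, <IN|OUT>: IP <src> > <dst>: ICMP echo <request|reply>, id N, seq N, length N"
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<iface>[^,\s]+),\s+(?P<dir>IN|OUT):\s+IP\s+(?P<src>[\d.]+)\s+>\s+"
    r"(?P<dst>[\d.]+):\s+ICMP echo (?P<kind>request|reply),\s+id\s+(?P<id>\d+),\s+seq\s+(?P<seq>\d+)"
)

# Constructed sample of the NATing side (Site A): LAN host 10.10.40.130 pings both servers.
SAMPLE = """\
12:06:20.142441 PortA, IN: IP 10.10.40.130 > 10.10.10.1: ICMP echo request, id 1, seq 1184, length 40
12:06:20.142834 ipsec0, IN: IP 10.10.10.1 > 1.1.1.2: ICMP echo reply, id 1, seq 1184, length 40
12:06:20.142911 PortA, OUT: IP 10.10.10.1 > 10.10.40.130: ICMP echo reply, id 1, seq 1184, length 40
12:06:20.858205 PortA, IN: IP 10.10.40.130 > 10.10.10.129: ICMP echo request, id 1, seq 1185, length 40
12:06:20.859766 ipsec0, IN: IP 10.10.10.129 > 1.1.1.1: ICMP echo reply, id 1, seq 1185, length 40
12:06:20.860123 PortA, OUT: IP 10.10.10.129 > 10.10.40.130: ICMP echo reply, id 1, seq 1185, length 40
"""

def parse_capture(text):
    """Parse capture lines into dicts; lines that do not match the format are skipped."""
    pkts = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["seq"] = int(d["seq"])
            pkts.append(d)
    return pkts

def nat_mappings(pkts):
    """Map (original source, destination) -> NATed source.
    The request arriving on PortA carries the original source; the reply arriving on
    ipsec0 with the same id/seq is addressed to the source the far end saw, i.e. the SNAT."""
    requests = {(p["id"], p["seq"]): p for p in pkts
                if p["iface"] == "PortA" and p["dir"] == "IN" and p["kind"] == "request"}
    mapping = {}
    for p in pkts:
        if p["iface"] == "ipsec0" and p["kind"] == "reply":
            req = requests.get((p["id"], p["seq"]))
            if req and req["dst"] == p["src"]:
                mapping[(req["src"], req["dst"])] = p["dst"]
    return mapping

def replies_denatted(pkts):
    """True if every reply leaving on PortA is addressed to the original (pre-NAT) source."""
    requests = {(p["id"], p["seq"]): p for p in pkts if p["iface"] == "PortA" and p["dir"] == "IN"}
    return all(requests[(p["id"], p["seq"])]["src"] == p["dst"]
               for p in pkts if p["iface"] == "PortA" and p["dir"] == "OUT")
```

    On the sample this yields one SNAT address per destination server, matching the two NAT policies described later in the thread.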

  • It looks like I am too Cisco oriented (still) :). My understanding is as follows:

    (10.10.40.0/24) is the source network from which we initiate traffic

    then we do NAT to (1.1.1.2 or 1.1.1.1) based on the firewall rule

    and then we send the traffic through the IPsec tunnel

    So my question is - since the traffic is already NATed to 1.1.1.2 or 1.1.1.1, why do I need the network 10.10.40.0/24 in the IPsec rule? After the packet is NATed, traffic should be sent to IPsec based on the NAT address, not based on the original address. My problem is that the other party doesn't accept the network in the IPsec rules (their policy).

    Pawel

  • Hi Pawel,

    "why do I need network 10.10.40.0/24 in the IPsec rule?"

    We have added 10.10.40.0 for the policy-based route; it would allow the traffic through the tunnel from the source end.

    We have an alternate configuration: since you cannot add the local network (e.g. 10.10.40.0/24), remove it from the policy. Here is the alternate configuration; it requires adding the IPsec route manually.

    Local Network 10.10.40.0/24 

    Communication with Site B 10.10.10.1 with Nat address 1.1.1.2

    Communication with Site B 10.10.10.129 with Nat address 1.1.1.1

    Configuration on Rules

    Rule 1 LAN to VPN: Source Zone LAN, Destination Zone VPN, Source Network (Local Network), Destination IP SERVER_A 10.10.10.1 address, NAT policy 1.1.1.2

    Rule 2 LAN to VPN: Source Zone LAN, Destination Zone VPN, Source Network (Local Network), Destination IP SERVER_B 10.10.10.129 address, NAT policy 1.1.1.1

    Rule 3 VPN to LAN: Source Zone VPN, Destination Zone LAN, Source Network ANY, Destination ANY, NAT policy None

    Configuration on Tunnel

    Local Subnet : 1.1.1.0/24 (NATed Network)

    Remote Subnet : 10.10.10.0/24

    In the console add the IPsec route:

    console> system ipsec_route add net 10.10.10.0/255.255.255.0 <tunnel name>

    Result:

    console> system ipsec_route show
    tunnelname      host/network    netmask
    Remote_Network  10.10.10.0      255.255.255.0

     

    ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

    Site B

     

    Configuration on Rules

    Rule 1 LAN to VPN: Source Zone LAN, Destination Zone VPN, Source Network ANY, Destination IP ANY address, NAT policy None

    Rule 2 VPN to LAN: Source Zone VPN, Destination Zone LAN, Source Network ANY, Destination ANY, NAT policy None

    Configuration on Tunnel

    Local Subnet : 10.10.10.0/24

    Remote Subnet : 1.1.1.0/24 (NAT Network)

     

     

    Regards,

    Aditya Patel
    Global Escalation Support Engineer | Sophos Technical Support

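    A small Python model of the Site A rule set and tunnel selectors from the post above, added here as an illustration (not SFOS code). It assumes zone membership can be derived from the address (LAN = 10.10.40.0/24, everything else = VPN) and shows why the NATed source, not the original 10.10.40.0/24, is what the phase-2 selector 1.1.1.0/24 must cover.

```python
import ipaddress as ipa

# Assumption for this model: zones are derived from addresses (the firewall uses interfaces).
LAN = ipa.ip_network("10.10.40.0/24")
ANY = ipa.ip_network("0.0.0.0/0")

# Site A rules as listed in the post: NAT chosen by destination, evaluated top-down.
RULES = [
    {"src_zone": "LAN", "dst_zone": "VPN", "src": LAN, "dst": ipa.ip_network("10.10.10.1/32"),   "snat": "1.1.1.2"},
    {"src_zone": "LAN", "dst_zone": "VPN", "src": LAN, "dst": ipa.ip_network("10.10.10.129/32"), "snat": "1.1.1.1"},
    {"src_zone": "VPN", "dst_zone": "LAN", "src": ANY, "dst": ANY,                               "snat": None},
]

# Phase-2 selectors of the Site A tunnel: local = NATed network, remote = partner servers.
TUNNEL = {"local": ipa.ip_network("1.1.1.0/24"), "remote": ipa.ip_network("10.10.10.0/24")}

def zone_of(ip):
    return "LAN" if ip in LAN else "VPN"

def apply_rules(src, dst):
    """Return (1-based rule number, source after SNAT) or (None, None) if nothing matches."""
    s, d = ipa.ip_address(src), ipa.ip_address(dst)
    for i, r in enumerate(RULES, start=1):
        if zone_of(s) == r["src_zone"] and zone_of(d) == r["dst_zone"] and s in r["src"] and d in r["dst"]:
            return i, (r["snat"] or src)
    return None, None

def selector_accepts(src, dst, outbound=True):
    """A packet enters (or is accepted from) the SA only if it matches the selectors."""
    s, d = ipa.ip_address(src), ipa.ip_address(dst)
    if outbound:
        return s in TUNNEL["local"] and d in TUNNEL["remote"]
    return s in TUNNEL["remote"] and d in TUNNEL["local"]

def forward(src, dst):
    """Firewall rule (with SNAT) first, then the selector check: the order the captures show."""
    rule, nat_src = apply_rules(src, dst)
    if rule is None:
        return {"rule": None, "nat_src": None, "in_tunnel": False}
    outbound = RULES[rule - 1]["dst_zone"] == "VPN"
    return {"rule": rule, "nat_src": nat_src, "in_tunnel": selector_accepts(nat_src, dst, outbound)}
```

    A LAN host reaching 10.10.10.129 is matched by rule 2 and NATed to 1.1.1.1, which the 1.1.1.0/24 selector covers; the same packet with its original source would be rejected by the selector, which is why the local subnet on the tunnel is the NATed network.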