We have an SG210 running firmware 9.413-4.
I have a S2S VPN to a client, the client uses the same subnet as ours so I have it NAT'd on my end. It looks like this:
NAT Rule for traffic going from my LAN to my clients LAN:
Rule Type: 1:1 NAT (whole networks)
For traffic coming from: My LAN
Using service: Any
Going to: My clients REAL LAN
1:1 NAT mode: Map Source
Map to: My clients FAKE LAN
NAT Rule for traffic coming from my client's LAN to my LAN:
For traffic from: My clients REAL LAN
Using Service: Any
Going to: My clients FAKE LAN
1:1 NAT mode: Map destination
Map to: My LAN
The VPN terminates on the fake LAN (at the client's end)
The VPN works fine, we can access their system fine aside from one aspect.
They run a payment gateway, when we try to load the payment gateway via browser the connection to the gateway times out. We connect to the payment gateway via a private IP address on their real LAN (via HTTPS)
I can ping this IP address OK. When I enter this address in the browser and monitor the firewall log, I can see that it is being passed by the NAT rule that allows traffic from my LAN to their's. It appears no other firewall rule is used during the process, although I do have firewall rules setup so outbound traffic is allowed to their LAN (including port 443).
The client says they have allowed port 443 via their firewall.
Can anyone think of a reason my setup would cause a timeout when access an IP address on their LAN, or how I can troubleshoot this further?
Although your explanation seems complete, it's difficult to follow because there is no diagram with sample IPs. That also limits the ability of others to give you an answer with a concrete example.
Cheers - Bob
Thanks for you reply, I have finally got round to making a network drawing.
Hope it is useful!
I'm still a bit lost because I don't see any duplicated subnet in your diagram. Have you read How to tunnel between two UTMs which use the same LAN network range? Unfortunately, someone removed all of the diagrams from that, so I'll try to show what's needed:
Assume that both sides have a LAN 192.168.30.0/24.
Create an IPsec tunnel: (you) 192.168.130.0/24 <--> 192.168.230.0/24 (them)
In your UTM, create the following two 1-to-1 NAT rules:
192.168.230.0/24 -> Any -> 192.168.130.0/24 : NAT to 192.168.30.0/24 : Destination192.168.30.0/24 -> Any -> 192.168.230.0/24 : NAT from 192.168.130.0/24 : Source
In their device, create the corresponding 1-to-1 NAT rules: (if they have a Cisco, 1-to-1 means something different to them)
192.168.30.0/24 -> Any -> 192.168.130.0/24 : NAT from 192.168.230.0/24 : Source192.168.130.0/24 -> Any -> 192.168.230.0/24 : NAT to 192.168.30.0/24 : Destination
It's not possible to solve this problem with NATs on only one side of the VPN.
Cheers - Bob