VPN site to site IPSEC con IP dedicato NAT Phase2

Mattia_Tecnosoft_Srl
edited May 2021 in Security

Goodmorning everyone,

I need help, I'm setting up a site to site VPN, for a connection between my company and another company not managed by me.

In Phase 2 they reserved me a dedicated NAT IP 172.31.167.7/32 my network is a 10.0.1.0/24. Can you explain to me how I can set the parameters to perform this NAT in a Site to Site IPSEC VPN?

Thank you


Best Answers

  • Zyxel_Charlie
    Zyxel_Charlie Posts: 1,034  Zyxel Employee
    Answer ✓
    @Mattia_Tecnosoft_Srl

    Customer network IP is 10.0.1.0/24, and the NAT (fake) IP is 172.31.167.7/32.
    The subnet mask on the customer network and the NAT IP need to be the same (since it's one IP mapping to one IP).

    Therefore, the NAT IP 172.31.167.7/32 needs to be modified to slash 24.
    For your scenario, you can reference this thread:

    https://businessforum.zyxel.com/discussion/509/how-can-the-inbound-destination-nat-be-used-to-hide-the-server-s-real-ip-via-a-vpn-tunnel

  • Ian31
    Ian31 Posts: 165  Master Member
    Answer ✓
    Hi @Mattia_Tecnosoft_Srl,
    Here the configuration steps,
    1. Create address objects
    (1) Create an address object for your local network 10.0.1.0/24
    ex. object name: LOCAL_NETWORK, type: SUBNET, network: 10.0.1.0/24, netmask: 255.255.255.0
    (2) Create an address object for the remote network 10.96.0.0/11
    ex. object name: REMOTE_NETWORK, type: SUBNET, network: 10.96.0.0, netmask: 255.224.0.0
    (3) Create an address object for the VPN traffic source NAT IP
    ex. object name: LOCAL_SNAT_IP, type: HOST, IP address: 172.31.167.7

    2. Set up IPSec phase 2
    I assume you know how to set up a VPN connection rule (phase 2) on the USG20-VPN.
    Here I just highlight the key part:
    (1) In the policy, select LOCAL_SNAT_IP as the local policy and REMOTE_NETWORK as the remote policy.

    (2) In inbound/outbound traffic NAT,
    under Outbound Traffic, enable Source NAT. Set it up like this:


    3. Add a policy route to enforce that traffic from 10.0.1.0/24 to 10.96.0.0/11 goes into the VPN tunnel
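The three steps above, modelled in Python as an added example that is not from this thread or from Zyxel's firmware: it assumes the order policy route, then source NAT, then phase 2 selector check, and uses hypothetical function names. The point it makes visible is that the phase 2 selectors are matched against the post-NAT source address, so a LAN packet only enters the tunnel when the policy route, the SNAT rule and the local policy (172.31.167.7/32) all agree.

```python
# Added example (not from the Zyxel thread); values taken from the thread:
# local LAN 10.0.1.0/24, peer encryption domain 10.96.0.0/11, NAT IP 172.31.167.7.
from dataclasses import dataclass
from ipaddress import IPv4Address, ip_address, ip_network

LOCAL_NETWORK = ip_network("10.0.1.0/24")      # real client LAN
REMOTE_NETWORK = ip_network("10.96.0.0/11")    # peer's encryption domain
LOCAL_SNAT_IP = ip_address("172.31.167.7")     # NAT IP reserved by the peer

# Phase 2 traffic selectors: the local policy is the /32 NAT host,
# not the real LAN, so the peer only ever sees 172.31.167.7 as source.
PHASE2_LOCAL = ip_network("172.31.167.7/32")
PHASE2_REMOTE = REMOTE_NETWORK

@dataclass
class Packet:
    src: IPv4Address
    dst: IPv4Address

def policy_route_matches(pkt: Packet) -> bool:
    """Step 3: policy route steering LAN -> remote traffic into the tunnel."""
    return pkt.src in LOCAL_NETWORK and pkt.dst in REMOTE_NETWORK

def outbound_snat(pkt: Packet) -> Packet:
    """Step 2(2): source NAT applied to traffic entering the tunnel."""
    return Packet(LOCAL_SNAT_IP, pkt.dst)

def selector_accepts(pkt: Packet) -> bool:
    """Phase 2 selector check; runs on the post-NAT addresses (assumption)."""
    return pkt.src in PHASE2_LOCAL and pkt.dst in PHASE2_REMOTE

def send_outbound(src: str, dst: str, snat_enabled: bool = True) -> dict:
    """Hypothetical helper: report what happens to one outbound packet.
    'encrypted' is True only if it reaches the tunnel with matching selectors."""
    pkt = Packet(ip_address(src), ip_address(dst))
    if not policy_route_matches(pkt):
        return {"encrypted": False, "reason": "no policy route to tunnel"}
    if snat_enabled:
        pkt = outbound_snat(pkt)
    if not selector_accepts(pkt):
        return {"encrypted": False, "reason": f"src {pkt.src} outside local policy"}
    return {"encrypted": True, "src": str(pkt.src), "dst": str(pkt.dst)}

if __name__ == "__main__":
    print(send_outbound("10.0.1.50", "10.100.3.9"))                      # encrypted as 172.31.167.7
    print(send_outbound("10.0.1.50", "10.100.3.9", snat_enabled=False))  # selector mismatch
    print(send_outbound("10.0.2.50", "10.100.3.9"))                      # never routed into tunnel
```

Disabling SNAT in the model reproduces the symptom of step 2(2) being skipped: the packet is routed to the tunnel but its real 10.0.1.x source does not match the /32 local policy.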


All Replies

  • mMontana
    mMontana Posts: 1,298  Guru Member
    Which device are you using?
    AFAIK the DNAT/SNAT setting is into the tunnel section, into advanced options.
  • Hello Montana, the firewall is a USG20-VPN. The company that manages the network to which I should connect gave me these parameters: as for the encryption domain, the class 10.96.0.0/11 indicates the network of points of sale that can be reached (it aggregates all the remote /24s). The IP 172.31.167.7/32 instead has been dedicated to you to NAT your traffic in phase 2.

    My client's network is 10.0.1.0/24

    Can you help me understand where I need to configure this thing?


