IPsec VPN with NAT
We are soon to start using a software system that is hosted by the software supplier. To allow our staff to connect to it they require us to set up a site-to-site VPN. I've never done this before but have read the tutorials and I think I'm OK with the process of setting up the VPN Gateway and Connection.
However, they have also asked that we NAT our subnet behind a single /32 IP address that they have provided. I'm happy with the principle of that but I'm not sure how to actually set it up on my firewall.
Could someone give me an idiot's guide on how to proceed please? I'm using a ZyWall 310.
Thanks in advance.
All Replies
Hi @SMarkG
this article might help...
https://support.zyxel.eu/hc/en-us/articles/360001378633-How-to-setup-SNAT-in-a-VPN-tunnel
Fred
I think this is the setup you want
[ZyWALL/USG] How to configure VPN SNAT on Zyxel gateways – Zyxel Support Campus USA
Thanks very much @Fred_77 and @PeterUK. I'm sure I read those articles previously (I've read so many trying to figure this out that I've lost track!). However, if I've understood it correctly, the 'NATted subnet' and the local subnet have to be the same size (so there's a 1:1 translation between the 'real' IP addresses and the addresses presented to the remote peer). The help section for the VPN Connection says,
Outbound Traffic
Source: Select the address object that represents the original source address (or select Create Object to configure a new one). This is the address object for the computer or network outside the local network. The size of the original source address range (Source) must be equal to the size of the translated source address range (SNAT).
Destination: Select the address object that represents the original destination address (or select Create Object to configure a new one). This is the address object for the remote network.
SNAT: Select the address object that represents the translated source address (or select Create Object to configure a new one). This is the address object for the local network. The size of the original source address range (Source) must be equal to the size of the translated source address range (SNAT).
But we've been asked the following "We prefer you to NAT your subnets behind a single /32 IP. An IP is reserved by us on our system on a per customer basis whenever this is possible. NATting your subnets means we do not need to know your physical subnet ranges and you can change your subnets without affecting the Tunnel and your VPN connectivity."
I'm struggling to understand how we do that whole subnet > single /32 IP thing, or if that's even possible. Isn't that Port Address Translation (PAT) rather than NAT? Or am I completely misunderstanding what's required here (as I said, I've never done this before!)?
Well I did this which is what you do your end:
All the other end sees is 8.8.8.8 as the source.
Oh, I see! Must admit I didn't even think this was possible when I read "The size of the original source address range (Source) must be equal to the size of the translated source address range (SNAT)" in the help.
So (to confirm I've got my head around this!) the Source is my local subnet (the one I want to 'hide'), the Destination is the subnet at the remote end (in this case the software supplier) and SNAT will be the single IP address they've provided to me and want me to NAT everything to???
SMarkG said:
So (to confirm I've got my head around this!) the Source is my local subnet (the one I want to 'hide'), the Destination is the subnet at the remote end (in this case the software supplier) and SNAT will be the single IP address they've provided to me and want me to NAT everything to???
in Policy for local policy you set single IP address they provide
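As an added illustration (not from this thread and not Zyxel code), here is a small Python model of the many-to-one translation the replies describe: a policy with Source = the local subnet, Destination = the supplier's subnet, and SNAT = the single /32, where flows are kept apart by port. The subnets are constructed values; 8.8.8.8 stands in for the supplier-provided address, as in the reply above.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed example values: the local subnet to hide, the supplier's
# remote subnet, and the single /32 the supplier asked us to NAT behind.
LOCAL_SUBNET = ipaddress.ip_network("192.168.10.0/24")   # policy "Source"
REMOTE_SUBNET = ipaddress.ip_network("10.50.0.0/24")     # policy "Destination"
SNAT_ADDRESS = ipaddress.ip_address("8.8.8.8")           # policy "SNAT" (/32)


@dataclass
class SnatTable:
    """Many-to-one source NAT: every local host is rewritten to one address
    and the translated source port tells the flows apart (PAT)."""
    next_port: int = 40000
    forward: dict = field(default_factory=dict)   # (src, sport, dst, dport) -> nat_port
    reverse: dict = field(default_factory=dict)   # (nat_port, dst, dport) -> (src, sport)

    def outbound(self, src_ip, src_port, dst_ip, dst_port):
        """Translate a packet leaving the LAN for the tunnel; None = policy not matched."""
        src = ipaddress.ip_address(src_ip)
        dst = ipaddress.ip_address(dst_ip)
        if src not in LOCAL_SUBNET or dst not in REMOTE_SUBNET:
            return None
        key = (src_ip, src_port, dst_ip, dst_port)
        if key not in self.forward:
            nat_port = self.next_port
            self.next_port += 1
            self.forward[key] = nat_port
            self.reverse[(nat_port, dst_ip, dst_port)] = (src_ip, src_port)
        # The remote end only ever sees SNAT_ADDRESS as the source.
        return (str(SNAT_ADDRESS), self.forward[key], dst_ip, dst_port)

    def inbound(self, src_ip, src_port, dst_ip, dst_port):
        """Map a reply addressed to the /32 back to the real host; None = no flow."""
        if dst_ip != str(SNAT_ADDRESS):
            return None
        real = self.reverse.get((dst_port, src_ip, src_port))
        if real is None:
            return None   # unsolicited packet: nothing to translate to, so it is dropped
        return (src_ip, src_port, real[0], real[1])
```

Because only the /32 is ever visible, the supplier side cannot reach individual hosts on the local subnet unless a separate inbound rule maps traffic to them.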
SMarkG said:
Oh, I see! Must admit I didn't even think this was possible when I read "The size of the original source address range (Source) must be equal to the size of the translated source address range (SNAT)" in the help.
Thank you everyone for your help. It's making more sense to me now so I'll give it a try!