IPsec VPN with NAT

Options
SMarkG
SMarkG Posts: 14
First Anniversary Friend Collector First Comment
We are soon to start using a software system that is hosted by the softwre supplier. To allow our staff to connect to it they require us to set up a site-to-site VPN. I've never done this before but have read the tutorials and I think I'm OK with the process of setting up the VPN Gateway and Connection.

However, they have also asked that we NAT our subnet behind a single /32 IP address that they have provided. I'm happy with the principle of that but I'm not sure how to actually set it up on my firewall.

Could someone give me an idiots guide on how to proceed please? I'm using a ZyWall 310.

Thanks in advance.

All Replies

  • PeterUK
    PeterUK Posts: 2,730  Guru Member
    First Anniversary 10 Comments Friend Collector First Answer
    Options
  • SMarkG
    SMarkG Posts: 14
    First Anniversary Friend Collector First Comment
    Options
    Thanks very much @Fred_77 and @PeterUK. I'm sure I read those article previously (I've read so many trying to figure this out that I've lost track!). However, if I've understood it correctly, the 'NATted subnet' and the local subnet have to be the same size (so there's a 1:1 translation between the 'real' IP addresses and the addresses presented to the remote peer). The help section for the VPN Connection says,

    Outbound Traffic
    SourceSelect the address object that represents the original source address (or select Create Object to configure a new one). This is the address object for the computer or network outside the local network. The size of the original source address range (Source) must be equal to the size of the translated source address range (SNAT).

    DestinationSelect the address object that represents the original destination address (or select Create Object to configure a new one). This is the address object for the remote network.

    SNATSelect the address object that represents the translated source address (or select Create Object to configure a new one). This is the address object for the local network. The size of the original source address range (Source) must be equal to the size of the translated source address range (SNAT).

    But we've been asked the following "We prefer you to NAT your subnets behind a single /32 IP.  An IP is reserved by us on our system on a per customer basis whenever this is possible. NATting your subnets means we do not need to know your physical subnet ranges and you can change your subnets without effecting the Tunnel and your VPN connectivity."

    I'm struggling to understand how we do that whole subnet > single /32 IP thing, or if that's even possible. Isn't that Port Address Translation (PAT) rather than NAT? Or am I completely misinderstanding what's required here (as I said, I've never done this before!)?
  • PeterUK
    PeterUK Posts: 2,730  Guru Member
    First Anniversary 10 Comments Friend Collector First Answer
    edited June 2022
    Options

    Well I did this which is what you do your end:


    All the other end sees is 8.8.8.8 as the source.
  • SMarkG
    SMarkG Posts: 14
    First Anniversary Friend Collector First Comment
    Options
    Oh, I see! Must admit I didn't even think this was possible when I read "The size of the original source address range (Source) must be equal to the size of the translated source address range (SNAT)" in the help.

    So (to confirm I've got my head around this!) the Source is my local subnet (the one I want to 'hide'), the Destination is the subnet at the remote end (in this case the software supplier) and SNAT will be the single IP address they've provided to me and want me to NAT everything to???
  • PeterUK
    PeterUK Posts: 2,730  Guru Member
    First Anniversary 10 Comments Friend Collector First Answer
    Options
    SMarkG said:

    So (to confirm I've got my head around this!) the Source is my local subnet (the one I want to 'hide'), the Destination is the subnet at the remote end (in this case the software supplier) and SNAT will be the single IP address they've provided to me and want me to NAT everything to???
    Yes I think thats what they want.
    in Policy for local policy you set single IP address they provide

     
  • PeterUK
    PeterUK Posts: 2,730  Guru Member
    First Anniversary 10 Comments Friend Collector First Answer
    Options
    SMarkG said:
    Oh, I see! Must admit I didn't even think this was possible when I read "The size of the original source address range (Source) must be equal to the size of the translated source address range (SNAT)" in the help.
    looks like the help file needs updating.
  • Zyxel_Kevin
    Zyxel_Kevin Posts: 755  Zyxel Employee
    First Anniversary 10 Comments Friend Collector First Answer
    Options
    Hi @PeterUK, @SMarkG
    Thank for the correction. 
    The correct wording will be updateded in 5.31 UserGuide.
    Thank you
    Kevin
  • SMarkG
    SMarkG Posts: 14
    First Anniversary Friend Collector First Comment
    Options
    Thank you everyone for your help. It's making more sense to me now so I'll give it a try! :)

Security Highlight