Masking VPN source address

Options
pck
pck Posts: 2
First Comment
edited April 2021 in Security

I have 2 USG40 that connects site A (192.168.48.0/29) with site B (192.168.0.16/29) with IPSec VPN. Site A has a server (192.168.48.3) that connects to site B server (192.168.0.18). The server of site A start a TCP connection to Server B that is in listening mode. For security reasons we like to configure Server B to accept connection that has source address of local network (192.168.0.18/29). The question is if is possible to mask server A source address (192.168.48.3) in VPN on Site B in order to behave as local host of Site B? The USG LAN IP at Site A is 192.168.48.1 and USG LAN IP on Site B is 192.168.0.22   

All Replies

  • Ian31
    Ian31 Posts: 174  Master Member
    First Anniversary 10 Comments Friend Collector First Answer
    edited March 2019
    Options
    I think it's not possible.

  • pck
    pck Posts: 2
    First Comment
    edited March 2019
    Options

    Many thanks for the reply. After lot of testing I found a solution that is working. At site B, I activate the Source NAT at phase 2 with source (Site A Subnet 192.168.48.0/29), Destination (Site B Subnet 192.168.0.16/29) and SNAT (Site B LAN IP 192.168.0.22). This is working but if you go to Monitor -> System Status -> Session Monitor at Site B the source address remains at the original (192.168.48.3) :)  

  • Ian31
    Ian31 Posts: 174  Master Member
    First Anniversary 10 Comments Friend Collector First Answer
    Options
    You should capture packet on Site B server to check if the source IP changed ti 192.168.0.22

Security Highlight