Network/NAT

noc_aba
noc_aba Posts: 31  Freshman Member
First Comment Fourth Anniversary

I have a working IPSEC VPN between site1 and site2, so that lan1 and lan2 can communicate.

I would like to map a public IP of site1 to a host of lan2.

Setting up a virtual server from publicIPsite1 to site2hostIP and adding a route to site2hostIP via the VPN tunnel doesn't work.

I suppose this is because the VPN tunnel allows traffic only between the lan1 and lan2 IP networks.

So I've searched for a way to SNAT the external IP accessing the publicIPsite1, but didn't find anything.

Is there a solution?

Many thanks

Paolo

All Replies

  • noc_aba
    noc_aba Posts: 31  Freshman Member
    First Comment Fourth Anniversary

    Forgot to say I'm on an ATP500 with fw 5.39 patch1

  • PeterUK
    PeterUK Posts: 3,461  Guru Member
    100 Answers 2500 Comments Friend Collector Seventh Anniversary

    Was able to do that here

    Connecting client for port 5126 > WANIP Zywall 110 > site to site > USG40 > host for port 5126

    Zywall 110
    LAN2 192.168.138.0/28
    site to site
    local policy 192.168.138.0/28
    remote policy 192.168.255.64/28

    NAT
    incoming WAN
    external IP WAN
    internal IP 192.168.255.66
    port 5126

    Routing
    incoming tunnel
    next hop WAN
    SNAT outgoing-interface

    incoming any
    destination 192.168.255.64/28
    next hop VPN tunnel

    USG40
    VLAN48 192.168.255.64/28
    site to site
    local policy 192.168.255.64/28
    remote policy 192.168.138.0/28

    Routing
    incoming VLAN48
    next hop VPN tunnel

  • noc_aba
    noc_aba Posts: 31  Freshman Member
    First Comment Fourth Anniversary

    Hi, thanks, I tried your configuration but it didn't work.

    The only difference, with respect to what I did before your answer, is your policy route:

    incoming tunnel
    next hop WAN
    SNAT outgoing-interface

    I suppose that by tunnel you mean the tunnel between USG110 and USG40, but what I think I need is to SNAT the IP accessing the WAN IP of the USG110, so that the internal IP masquerading it can reach the host behind the USG40, going through the tunnel.

    In your configuration you snat what's coming from the tunnel while the problem is before, to go into the tunnel, IMHO.

    In any case thanks for your kind contribution

    Paolo

  • PeterUK
    PeterUK Posts: 3,461  Guru Member
    100 Answers 2500 Comments Friend Collector Seventh Anniversary

    That's why you do routing

    incoming any
    destination 192.168.255.64/28
    next hop VPN tunnel

    so that the NAT rule for 192.168.255.66 routes down the tunnel

  • noc_aba
    noc_aba Posts: 31  Freshman Member
    First Comment Fourth Anniversary

    Many thanks.

    The remote firewall, not under our control, didn't have the route policy to use the tunnel for any destination when the source was the remote host.

    After adding that route it works

    Paolo
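The reason PeterUK's setup needs a policy route on both firewalls can be seen by modelling the packet path: the virtual server rewrites the destination to 192.168.255.66, but the packet's source is the public client address, which lies outside the tunnel's local policy (192.168.138.0/28), so the auto-generated IPsec route never matches it. The same applies to the reply leaving the USG40, whose destination is the public client and not 192.168.138.0/28. The following Python model is an added example, not code from the thread or from Zyxel; it takes the prefixes, the host 192.168.255.66 and port 5126 from PeterUK's post, and the public addresses 198.51.100.10 (client) and 203.0.113.1 / 203.0.113.2 (WAN IPs) are constructed placeholders. The order of evaluation (DNAT, then manual policy routes, then the selector-based IPsec route, then the WAN default) is an assumption used for illustration, and each firewall's decision is evaluated on its own rather than end to end.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Packet:
    src: str
    dst: str
    dport: int


@dataclass
class PolicyRoute:
    incoming: str   # incoming interface name, or "any"
    dst: str        # destination prefix, or "any"
    next_hop: str   # "wan" or "tunnel"

    def matches(self, pkt, incoming):
        if self.incoming not in ("any", incoming):
            return False
        if self.dst != "any" and ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(self.dst):
            return False
        return True


@dataclass
class Firewall:
    name: str
    wan_ip: str
    local_policy: str    # IPsec local selector
    remote_policy: str   # IPsec remote selector
    dnat: dict = field(default_factory=dict)          # (wan_ip, dport) -> internal host
    policy_routes: list = field(default_factory=list)

    def forward(self, pkt, incoming):
        """Return (packet after DNAT, chosen next hop) for one firewall (assumed order)."""
        # 1. Virtual server (DNAT) rewrites the destination before routing.
        target = self.dnat.get((pkt.dst, pkt.dport))
        if target:
            pkt = Packet(pkt.src, target, pkt.dport)
        # 2. Manual policy routes are consulted first and override the default.
        for route in self.policy_routes:
            if route.matches(pkt, incoming):
                return pkt, route.next_hop
        # 3. Auto-generated IPsec route: only traffic matching both selectors.
        src_in = ipaddress.ip_address(pkt.src) in ipaddress.ip_network(self.local_policy)
        dst_in = ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(self.remote_policy)
        if src_in and dst_in:
            return pkt, "tunnel"
        # 4. Otherwise the default route towards the WAN (unencrypted).
        return pkt, "wan"


CLIENT_IP = "198.51.100.10"   # constructed public client address
SITE1_WAN = "203.0.113.1"     # constructed WAN IP of the Zywall 110
SITE2_WAN = "203.0.113.2"     # constructed WAN IP of the USG40
SITE2_HOST = "192.168.255.66"  # host behind the USG40 (from the thread)
PORT = 5126


def build(site1_route, site2_route):
    site1 = Firewall("Zywall 110", SITE1_WAN, "192.168.138.0/28", "192.168.255.64/28",
                     dnat={(SITE1_WAN, PORT): SITE2_HOST})
    if site1_route:
        # "incoming any, destination 192.168.255.64/28, next hop VPN tunnel"
        site1.policy_routes.append(PolicyRoute("any", "192.168.255.64/28", "tunnel"))
    site2 = Firewall("USG40", SITE2_WAN, "192.168.255.64/28", "192.168.138.0/28")
    if site2_route:
        # "incoming VLAN48, next hop VPN tunnel" (any destination)
        site2.policy_routes.append(PolicyRoute("vlan48", "any", "tunnel"))
    return site1, site2


def simulate(site1_route, site2_route):
    """Next hop chosen for the DNAT'd request at site1 and for the reply at site2."""
    site1, site2 = build(site1_route, site2_route)
    pkt, fwd_hop = site1.forward(Packet(CLIENT_IP, SITE1_WAN, PORT), "wan")
    reply = Packet(pkt.dst, pkt.src, PORT)
    _, ret_hop = site2.forward(reply, "vlan48")
    return fwd_hop, ret_hop


def lan_to_lan_hop():
    """Ordinary lan2 -> VLAN48 traffic still matches the selectors without any policy route."""
    site1, _ = build(False, False)
    _, hop = site1.forward(Packet("192.168.138.5", "192.168.255.70", 443), "lan2")
    return hop


if __name__ == "__main__":
    for s1, s2 in ((False, False), (True, False), (True, True)):
        print(f"site1 route={s1} site2 route={s2}: forward/return next hop = {simulate(s1, s2)}")
```

Without either policy route both the DNAT'd request and the reply fall through to the WAN default; with the route on the Zywall 110 only, the request enters the tunnel but the reply would still leave the USG40 towards its WAN, which is the state noc_aba describes before the remote side added its route.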
