Routing public class C over VPN Tunnel

KenPaul Posts: 4  Freshman Member

Hello,

Here is our setup.

Location A has a public class C (1.1.1.0/24). Location B has a single public IP. Loc B has internal IPs 192.168.5.1/24. Both locations have an ATP800 and are connected to each other by a VPN tunnel. Loc A VTI IP is 10.10.20.10; Loc B VTI IP is 10.10.20.20. On the Loc A ATP, we have a policy route to route 1.1.1.5 - 1.1.1.128 to Loc B over vti1 with SNAT (outgoing-interface). Loc A also has many 1:1 NAT entries mapping external IPs 1.1.1.5 - 128 to internal 192.168.5.5 - 128. Loc B has a policy route of source 192.168.5.5 - 129 to 1.1.1.5 - 128 with next hop vti1 with SNAT (outgoing-interface).

The traffic from the Internet to, say, 1.1.1.5 works fine and is sent to 192.168.5.5. However, the servers at 192.168.5.x see all traffic as coming from 10.10.20.10. How can we fix that so it actually records the correct source IP?

Thanks.

Best Answers

  • PeterUK Posts: 3,770  Guru Member
    edited 9:26AM Answer ✓

    Because you're doing SNAT (outgoing-interface); set it to none.

  • zyman2008 Posts: 227  Master Member
    Answer ✓

    Hi @KenPaul ,

    Internet --- 1.1.1.5-1.1.1.128 - ATP800(A) - vtiA --- vpn --- vtiB - ATP800(B) - 192.168.5.5-128

    If you want to keep the original source from the Internet to the servers, then you cannot set SNAT in the policy route on both ATP800(A) & ATP800(B).

    Also, the return traffic from the service port of the servers can only go out to the Internet through the tunnel to ATP800(A).

    In case the service port of the servers is TCP port 443, the policy route in ATP800(A) will be:

    any to 192.168.5.111-128, service: TCP443, next hop: vti-A, SNAT: none

    The policy route in ATP800(B) will be:

    192.168.5.111-128 to any, source port: TCP443, service: any, next hop: vti-B, SNAT: none
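The two SNAT settings discussed above, as an added example (not Zyxel code or anything the posters wrote): a small packet model that applies Loc A's 1:1 NAT and each firewall's policy route with SNAT set to outgoing-interface and to none, so you can see which source address the server records in each case and where the reply comes from. The VTI and public addresses are from the thread; the client address 203.0.113.7 and the port numbers are constructed.

```python
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network

# Addresses from the thread; the client address is a constructed documentation IP.
VTI_A, VTI_B = "10.10.20.10", "10.10.20.20"
PUBLIC_NET, INTERNAL_NET = ip_network("1.1.1.0/24"), ip_network("192.168.5.0/24")
CLIENT = "203.0.113.7"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int


def _host_index(ip: str, net) -> int:
    return int(ip_address(ip)) - int(net.network_address)


def nat_1to1(pkt: Packet, inbound: bool) -> Packet:
    """Loc A many 1:1 NAT: 1.1.1.x <-> 192.168.5.x for x in 5..128."""
    if inbound:
        x = _host_index(pkt.dst, PUBLIC_NET)
        return replace(pkt, dst=str(INTERNAL_NET.network_address + x)) if 5 <= x <= 128 else pkt
    x = _host_index(pkt.src, INTERNAL_NET)
    return replace(pkt, src=str(PUBLIC_NET.network_address + x)) if 5 <= x <= 128 else pkt


def policy_route(pkt: Packet, vti_ip: str, snat: str) -> Packet:
    """Policy route into the tunnel. 'outgoing-interface' rewrites src to the VTI IP."""
    if snat == "outgoing-interface":
        return replace(pkt, src=vti_ip)
    if snat == "none":
        return pkt
    raise ValueError(f"unknown SNAT mode {snat!r}")


def forward_path(public_ip: str, snat: str) -> Packet:
    """Internet -> ATP800(A): 1:1 NAT, then policy route over vti1 -> server at B."""
    pkt = Packet(CLIENT, public_ip, 51234, 443)
    return policy_route(nat_1to1(pkt, inbound=True), VTI_A, snat)


def return_path(server_ip: str, snat: str) -> Packet:
    """Server -> ATP800(B) policy route over vti1 -> ATP800(A) 1:1 NAT -> Internet."""
    pkt = Packet(server_ip, CLIENT, 443, 51234)
    return nat_1to1(policy_route(pkt, VTI_B, snat), inbound=False)


if __name__ == "__main__":
    for mode in ("outgoing-interface", "none"):
        fwd, ret = forward_path("1.1.1.5", mode), return_path("192.168.5.5", mode)
        print(f"SNAT={mode:18} server {fwd.dst} logs client as {fwd.src}; reply from {ret.src}")
```

With SNAT none the server logs 203.0.113.7 and the reply leaves Loc A as 1.1.1.5, which is what the client's connection expects; with outgoing-interface on B the reply would leave from 10.10.20.20, so the return route must also be SNAT none.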

All Replies


  • KenPaul Posts: 4  Freshman Member

    Thank you @zyman2008 and @PeterUK!! That worked.