Routing public class c over VPN Tunnel
Hello,
Here is our setup.
Location A has a public class C (1.1.1.0/24). Location B has a single public IP. Loc B has internal IPs 192.168.5.1/24. Both locations have an ATP800 and are connected to each other with a VPN tunnel. Loc A vti IP 10.10.20.10. Loc B vti IP 10.10.20.20. On the Loc A ATP, we have a policy route to route 1.1.1.5 - 1.1.1.128 to Loc B over vti1 with SNAT (outgoing-interface). Loc A also has Many 1:1 NAT from external IPs 1.1.1.5 - 128 to internal 192.168.5.5 - 128. Loc B has a policy route of source 192.168.5.5 - 129 to 1.1.1.5-128 with next hop vti1 with SNAT (outgoing-interface).
The traffic from the internet to, say, 1.1.1.5 works fine and is sent to 192.168.5.5. However, the servers at 192.168.5.x see all traffic as coming from 10.10.20.10. How can we fix that so it actually records the correct source IP?
Thanks.
Best Answers
Because you're doing SNAT (outgoing-interface); set it to none.
Hi @KenPaul,
Internet --- 1.1.1.5-1.1.1.128 - ATP800(A) - vtiA --- vpn --- vtiB - ATP800(B) - 192.168.5.5-128
If you want to keep the original source from the Internet to the servers, then you cannot set SNAT in the policy route on either ATP800(A) or ATP800(B).
Also, the return traffic from the service port of the servers can only go out to the Internet through the tunnel to ATP800(A).
In case the service port of the servers is TCP port 443:
The policy route in ATP800(A) will be:
any to 192.168.5.111-128, service: TCP443, next hop: vti-A, SNAT: none
The policy route in ATP800(B) will be:
192.168.5.111-128 to any, source port: TCP443, service: any, next hop: vti-B, SNAT: none
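The four combinations the thread touches on (SNAT on the Loc A policy route, SNAT on the Loc B return route, and whether Loc B even has a return route into the tunnel), walked through as an added model that is not part of the answer above and not Zyxel code. The Loc B public IP (203.0.113.1) and the Internet client (198.51.100.7) are constructed placeholders; the vti, 1:1 NAT and 192.168.5.x values come from the thread.

```python
# Added model of the NAT/routing decisions in this thread (not ATP800 code).
from dataclasses import dataclass, replace

VTI_A, VTI_B = "10.10.20.10", "10.10.20.20"
WAN_B = "203.0.113.1"       # constructed placeholder for Loc B's single public IP
CLIENT = "198.51.100.7"     # constructed Internet client

@dataclass(frozen=True)
class Pkt:
    src: str
    dst: str
    sport: int
    dport: int

def host_octet(ip, prefix):
    """Last octet of ip if it lies in prefix and in the 1:1 NAT range .5-.128, else None."""
    if not ip.startswith(prefix):
        return None
    last = int(ip.rsplit(".", 1)[1])
    return last if 5 <= last <= 128 else None

def simulate(snat_a, snat_b, b_policy_route):
    """One TCP/443 request to 1.1.1.5 and its reply through both ATP800s.
    Returns (source the server sees, interface the reply leaves Loc B on, reply usable by client)."""
    conntrack_a = {}
    pkt = Pkt(CLIENT, "1.1.1.5", 50000, 443)
    # Loc A: Many 1:1 NAT 1.1.1.x -> 192.168.5.x, then the policy route to vti1
    pkt = replace(pkt, dst=f"192.168.5.{host_octet(pkt.dst, '1.1.1.')}")
    if snat_a == "outgoing-interface":
        conntrack_a[(VTI_A, pkt.sport)] = pkt.src   # remember who to hand the reply back to
        pkt = replace(pkt, src=VTI_A)
    seen_by_server = pkt.src
    # Loc B: the server answers whatever source address it saw
    reply = Pkt(pkt.dst, pkt.src, pkt.dport, pkt.sport)
    if reply.dst == VTI_A or b_policy_route:
        egress = "vti1"
        if b_policy_route and snat_b == "outgoing-interface":
            reply = replace(reply, src=VTI_B)
    else:
        # default route: out Loc B's WAN, hidden behind its single public IP (asymmetric)
        egress, reply = "wan", replace(reply, src=WAN_B)
    # Loc A: undo its own SNAT state (if any), then reverse the 1:1 NAT on the source
    if egress == "vti1":
        orig = conntrack_a.get((reply.dst, reply.dport))
        if orig:
            reply = replace(reply, dst=orig)
        m = host_octet(reply.src, "192.168.5.")
        if m:
            reply = replace(reply, src=f"1.1.1.{m}")
    # the client only accepts a reply that comes from 1.1.1.5 back to its own address/port
    ok = reply.src == "1.1.1.5" and reply.dst == CLIENT and reply.dport == 50000
    return seen_by_server, egress, ok
```

Running it shows the original setup working but logging 10.10.20.10, SNAT none at A alone breaking the return path out Loc B's WAN, and only SNAT none on both sides with a return policy route into the tunnel giving the servers the real client address.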
All Replies
Thank you @zyman2008 and @PeterUK!! That worked.