Flex 700 Remote S2S branches with same LAN IP (cannot be touched)

AMI Posts: 27 Freshman Member
edited April 10 in Security

So fellas, I ran out of ideas. I have 2 S2S branches with the same LAN IP. So far I was unsuccessful with whatever NAT I tried on the central endpoint. What I am missing is that the Flex FW lets me NAT a fake destination (one of the remote sites), match the tunnel and THEN does NAT - like any other FW I know.
e.g. my real address 10.10.10.0/24
Real destination A: 11.10.10.0/24
Real destination B: 11.10.10.0/24

Obviously that does not work.
So I make up a fake remote IP 11.11.10.0/24 so that I ping from my network
10.10.10.1 to the fake address 11.11.10.1, but I don't see the option for my OWN destination IP to NAT to a different one and STILL match the tunnel traffic.

Any ideas or is that just not possible?

All Replies

  • PeterUK Posts: 4,469 Guru Member

    It can be done with Site to Site Advanced Inbound/Outbound traffic NAT. You have to change both sides of the Site to Site for it to work so the tunnel works correctly. It's been some time since I used it, but here is some more info on the setup.

    [ZyWALL/USG] How to configure VPN SNAT on Zyxel gateways – Zyxel Support Campus USA

  • AMI Posts: 27 Freshman Member

    Unfortunately, that is exactly what I don't want. I don't want to change the remote site. So far, from what I gather, Zyxel just cannot do it because it's not full-feature NAT capable due to the design in handling what comes first… Especially since NAT exists in 2 different places, unlike if I look at Cisco or Palo or any other for that matter.

  • PeterUK Posts: 4,469 Guru Member
    edited April 11

    Have done a setup that can do it. Here is what I did:
    site A 192.168.255.80/28 PC at 192.168.255.82
    site B 192.168.255.80/28 PC at 192.168.255.82
    site A Local policy 10.254.0.0/28 remote policy 10.255.0.0/28
    Inbound/Outbound traffic NAT
    source NAT
    source 192.168.255.80/28
    destination 10.255.0.0/28
    SNAT 10.254.0.0/28
    destination NAT
    Original IP 10.254.0.0/28
    mapped IP 192.168.255.80/28

    site B Local policy 10.255.0.0/28 remote policy 10.254.0.0/28
    Inbound/Outbound traffic NAT
    source NAT
    source 192.168.255.80/28
    destination 10.254.0.0/28
    SNAT 10.255.0.0/28
    destination NAT
    Original IP 10.255.0.0/28
    mapped IP 192.168.255.80/28

    When you ping 10.255.0.2 from site A, it will go from 192.168.255.82 SNAT 10.255.254.0, then NAT 10.255.0.2 on site B to 192.168.255.82.

    When you ping 10.254.0.2 from site B, it will go from 192.168.255.82 SNAT 10.255.255.0, then NAT 10.254.0.2 on site A to 192.168.255.82.
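As an added illustration (not part of PeterUK's post and not Zyxel code), the Python below models the SNAT and DNAT rule tables listed above as 1:1 subnet translations and walks a ping in each direction through them. It assumes the sending firewall applies source NAT before the packet is matched against the tunnel's local/remote policy and the receiving firewall applies destination NAT on arrival; the addresses are the ones from the post, while the `Site`, `Packet`, `traverse` names are my own. It also shows why a packet addressed to the real, overlapping prefix never matches the tunnel policy, which is the failure the original post describes.

```python
"""1:1 subnet NAT across a site-to-site tunnel whose two LANs overlap.

Constructed model of the SNAT / DNAT rule tables in the post above.
Assumption: outbound SNAT runs before the tunnel policy match on the sending
firewall, and DNAT runs when the packet arrives at the receiving firewall.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    src: IPv4Address
    dst: IPv4Address

    def __str__(self) -> str:
        return f"{self.src} -> {self.dst}"


@dataclass(frozen=True)
class Site:
    """One firewall: real LAN, tunnel policy, and its two NAT rules."""
    name: str
    lan: IPv4Network               # real LAN (identical on both sites)
    local_policy: IPv4Network      # fake prefix this site presents to the tunnel
    remote_policy: IPv4Network     # fake prefix under which it sees the other site
    snat_match_src: IPv4Network    # source NAT rule: match src ...
    snat_match_dst: IPv4Network    # ... and dst, then rewrite src into the pool
    snat_pool: IPv4Network
    dnat_original: IPv4Network     # destination NAT rule: original -> mapped
    dnat_mapped: IPv4Network


def map_1to1(addr: IPv4Address, from_net: IPv4Network, to_net: IPv4Network) -> IPv4Address:
    """Network-to-network NAT: keep the host offset, swap the prefix."""
    if from_net.prefixlen != to_net.prefixlen:
        raise ValueError("1:1 subnet NAT needs equal prefix lengths")
    return to_net.network_address + (int(addr) - int(from_net.network_address))


def outbound(site: Site, pkt: Packet) -> Packet:
    """Source NAT on the sending firewall, then the tunnel policy check."""
    if pkt.src in site.snat_match_src and pkt.dst in site.snat_match_dst:
        pkt = Packet(map_1to1(pkt.src, site.snat_match_src, site.snat_pool), pkt.dst)
    if pkt.src not in site.local_policy or pkt.dst not in site.remote_policy:
        raise ValueError(f"{site.name}: {pkt} does not match the tunnel policy")
    return pkt


def inbound(site: Site, pkt: Packet) -> Packet:
    """Destination NAT on the receiving firewall."""
    if pkt.dst in site.dnat_original:
        return Packet(pkt.src, map_1to1(pkt.dst, site.dnat_original, site.dnat_mapped))
    return pkt


def traverse(sender: Site, receiver: Site, src: str, dst: str) -> tuple[Packet, Packet]:
    """Return (packet as carried inside the tunnel, packet delivered on the far LAN)."""
    on_wire = outbound(sender, Packet(ip_address(src), ip_address(dst)))
    return on_wire, inbound(receiver, on_wire)


N = ip_network
# Rule tables exactly as listed in the post (constructed model, not device output).
SITE_A = Site(name="site A", lan=N("192.168.255.80/28"),
              local_policy=N("10.254.0.0/28"), remote_policy=N("10.255.0.0/28"),
              snat_match_src=N("192.168.255.80/28"), snat_match_dst=N("10.255.0.0/28"),
              snat_pool=N("10.254.0.0/28"),
              dnat_original=N("10.254.0.0/28"), dnat_mapped=N("192.168.255.80/28"))
SITE_B = Site(name="site B", lan=N("192.168.255.80/28"),
              local_policy=N("10.255.0.0/28"), remote_policy=N("10.254.0.0/28"),
              snat_match_src=N("192.168.255.80/28"), snat_match_dst=N("10.254.0.0/28"),
              snat_pool=N("10.255.0.0/28"),
              dnat_original=N("10.255.0.0/28"), dnat_mapped=N("192.168.255.80/28"))

if __name__ == "__main__":
    wire, lan = traverse(SITE_A, SITE_B, "192.168.255.82", "10.255.0.2")
    print(f"A->B in tunnel: {wire}; delivered at B: {lan}")
    wire, lan = traverse(SITE_B, SITE_A, "192.168.255.82", "10.254.0.2")
    print(f"B->A in tunnel: {wire}; delivered at A: {lan}")
```

Each side only ever sees the other under its fake /28, so the two identical 192.168.255.80/28 LANs never meet inside the tunnel; the reply from site B is translated the same way, because its SNAT rule matches traffic toward 10.254.0.0/28 and site A's DNAT rule maps that back onto its LAN.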

  • Zyxel_Tina Posts: 786 Zyxel Employee
    edited April 15

    Hi @AMI,

    To ensure we fully understand your requirement and avoid any misunderstanding, we would like to confirm a few points first:

    • Are you expecting a setup where NAT is performed before the traffic enters the VPN tunnel? Or something else?
    • Also, making configuration changes on the remote branch firewalls is not allowed?

    Additionally, it would be very helpful if you could provide more details about your usage and needs, so we can better understand your scenario and offer a more accurate suggestion. For example:

    • Do you require bidirectional communication, or would one-way access be sufficient? (e.g., only Site A can access Site B)
    • What type of VPN are you currently using — policy-based or route-based VPN?
    • Do you require 1:1 subnet mapping between the sites?

    Zyxel Tina