
How to SNAT SSL VPN to LAN IP

I am deploying an XG firewall to replace our existing UTM firewall, which is being moved to another location. Our corporate IT LAN network is behind the XG firewall with about 20 client networks which connect via IPsec site-to-site VPNs. From the corporate IT LAN we can access all client networks on the other side of the IPsec tunnels.

We also utilize an SSL VPN to remote into the IT network when we need to provide support to the remote clients.  

The problem I am having is when I am connected via the SSL VPN, I cannot route to the client networks. Now I know the problem. The IPSEC configurations do not include the SSL VPN subnets and therefore are not routable.  I could fix this by going through and reconfiguring each IPSEC tunnel to include the SSL VPN subnet, but that seems like a lot of work when Source NAT could easily solve my problem.  In fact, we have been running source NAT on the UTM configuration for years and it has worked great.  I just can't figure out how to do this on the XG.  

Essentially, I need an SSL VPN client to be masked (SNAT) as an IP on the LAN IT network since all remote client networks already know how to route back to the LAN IT network.  

Does anyone have any input on how this might be accomplished?  

LAN IT (10.255.255.0/24)

SSL VPN (10.242.2.0/24)

Sample Remote Client Network (10.2.48.0/24)

Hope this makes sense.

  • Curto21,

    go to Profiles > NAT and create a proper IP range, then on the firewall rule SSL VPN to Site to site, change the "use the outbound address" to the new NAT you have created.

    Let us know if it works.

    Thanks

  • When you say "proper IP range" what should I be using?  In the past, I set a secondary LAN interface on the UTM and used that interface as the source IP.  In this case, I have just used the IP address of the internal LAN interface of the XG. But that doesn't seem to be working.  

  • I have the same issue :-(

    Created an IP Host under "Hosts and Services"
    Set up a NAT rule under "Profiles" and used the IP Host
    Changed the FW rule to use the NAT rule....

    No answer from remote location!?!!?!

    Have used this trick several times on the UTM with good results every time

  • Remote access VPN networks/users can't access the IPsec remote site network but can access the head office network. The remote access IP is 10.81.234.6 and tries to reach the remote site machine 192.168.3.20/24. It needs to be achieved using the SNAT method which UTM9 uses.

    Not working Packet Capture taken on Head office Firewall

    Below is IPSec site to site setup,

    Even if IPsec site to site is successfully set up, it doesn't add a route for the remote site in the default routing table; it uses a custom method to tag and route IPsec site-to-site local and remote network traffic.

    SFVUNL_SO01_SFOS 16.05.7 MR-7# route -n
    Kernel IP routing table
    Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
    10.1.1.0        0.0.0.0         255.255.255.0   U     0      0        0 Port5
    10.81.234.0     0.0.0.0         255.255.255.0   U     0      0        0 tun0
    10.176.200.0    0.0.0.0         255.255.255.0   U     0      0        0 Port2
    10.255.0.0      0.0.0.0         255.255.255.0   U     0      0        0 GuestAP
    192.168.4.0     0.0.0.0         255.255.255.0   U     0      0        0 Port1

    Action

    --------

    -Create a NAT profile for IP address 192.168.4.2.
    -Create a rule (the name can be anything) and set the source zone as VPN and the destination zone as VPN. In the NAT & Routing section, select Rewrite source address (Masquerading) --> Use 192.168.4.2 as Outbound Address. Please make sure that 192.168.4.2 is excluded from DHCP assignment.
    -Set up Remote access VPN and add the remote site network (192.168.3.0/24) so it will be pushed to remote users' computers and added into the route section when connected using SSL VPN.
    -Go to the command line of the Head office firewall and add a route for IPsec. It is needed because when traffic comes from SSL VPN via the tun0 interface for destination network 192.168.3.0/24 and there is no specific route, it tries to send it using the default route, that is the WAN interface, so it won't work. In XG, when IPsec site to site is set up, it uses a different way of adding local and remote site traffic, whereas SSL VPN looks into the default routing table to match the destination network.

    console> system ipsec_route add net 192.168.3.0/255.255.255.0 tunnelname Case_7666490 (this is the name of your IPsec tunnel)

    SFVUNL_SO01_SFOS 16.05.7 MR-7# route -n
    Kernel IP routing table
    Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
    10.1.1.0        0.0.0.0         255.255.255.0   U     0      0        0 Port5
    10.81.234.0     0.0.0.0         255.255.255.0   U     0      0        0 tun0
    10.176.200.0    0.0.0.0         255.255.255.0   U     0      0        0 Port2
    10.255.0.0      0.0.0.0         255.255.255.0   U     0      0        0 GuestAP
    192.168.3.0     0.0.0.0         255.255.255.0   U     0      0        0 ipsec0
    192.168.4.0     0.0.0.0         255.255.255.0   U     0      0        0 Port1

    Head office firewall VPN to VPN Firewall rule
    ---------------------------------------------------

    Working packet capture of SSL VPN using SNAT to reach Remote site (192.168.3.0/24)

    Head office
    ---------------

    -Firewall rule is 5, provided above

    Remote site
    ----------------

    Remote Site Firewall rules id 3 (VPN - LAN)
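The diagnosis in the post above (SSL VPN traffic consults the default routing table, so without a specific route for 192.168.3.0/24 it falls through to the WAN default) can be checked mechanically against `route -n` output. The following is an added example, not the poster's or Sophos's code: a Python longest-prefix lookup over a constructed copy of the listings above, with an assumed default route via Port2, since the thread never says which port is WAN.

```python
import ipaddress

# Constructed sample: the thread's second `route -n` listing, plus an ASSUMED
# default route out of Port2 (the thread never says which port is WAN).
ROUTE_TABLE_AFTER = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         10.176.200.1    0.0.0.0         UG    0      0        0 Port2
10.1.1.0        0.0.0.0         255.255.255.0   U     0      0        0 Port5
10.81.234.0     0.0.0.0         255.255.255.0   U     0      0        0 tun0
10.176.200.0    0.0.0.0         255.255.255.0   U     0      0        0 Port2
10.255.0.0      0.0.0.0         255.255.255.0   U     0      0        0 GuestAP
192.168.3.0     0.0.0.0         255.255.255.0   U     0      0        0 ipsec0
192.168.4.0     0.0.0.0         255.255.255.0   U     0      0        0 Port1
"""
# State before `system ipsec_route add`: the same table without the ipsec0 row.
ROUTE_TABLE_BEFORE = "\n".join(
    row for row in ROUTE_TABLE_AFTER.splitlines() if "ipsec0" not in row)


def parse_routes(text):
    """Return (network, gateway, iface) tuples from `route -n` output."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 8 or parts[0] in ("Kernel", "Destination"):
            continue  # banner and column-header lines
        net = ipaddress.IPv4Network(f"{parts[0]}/{parts[2]}", strict=False)
        routes.append((net, parts[1], parts[7]))
    return routes


def lookup(routes, ip):
    """Longest-prefix match: the route the kernel would pick for `ip`."""
    addr = ipaddress.IPv4Address(ip)
    matches = [r for r in routes if addr in r[0]]
    return max(matches, key=lambda r: r[0].prefixlen, default=None)


def check_snat_path(table, snat_ip, dst_ip):
    """Egress interface for the destination, whether that route is specific
    (not the 0.0.0.0/0 default), and which interface owns the SNAT address."""
    routes = parse_routes(table)
    dst = lookup(routes, dst_ip)
    src = lookup(routes, snat_ip)
    return {
        "dst_iface": dst[2] if dst else None,
        "dst_specific": bool(dst) and dst[0].prefixlen > 0,
        "snat_iface": src[2] if src else None,
    }
```

Run `check_snat_path` on live `route -n` output before and after the `system ipsec_route add` command to confirm that 192.168.3.20 moves from the default route to ipsec0 while the SNAT address 192.168.4.2 stays on the LAN port.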