Thread Info
  • State Not Answered
  • Locked Locked
  • Replies 3 replies
  • Subscribers 2 subscribers
  • Views 1782 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

DNAT to host behind IPSec-Tunnel

DiePlage
Hello Folks,

I try to create a DNAT rules that forwards incoming traffic to a host on the remote-siede of an IPSec tunnel. This is the setup:

ASG1:
External: 111.111.111.2/29
internal: 192.168.1.1/24

ASG2:
External: 111.111.222.2/29
internal: 192.168.2.1/24
internal Webserver 192.168.2.10

LAN ASG1 & LAN ASG2 are connected with an IPSec-tunnel.
Unfortunately there are no free external IPs left at ASG2.

So my idea was to add an extra external IP to ASG1's external Interface say 111.111.111.3 and create a DNAT rule like this: any -> 111.111.111.3:80tcp DNAT 192.168.2.10:80tcp

I can ping 192.168.2.10 from ASG1 and I can reach the Webserver from LAN ASG1.
If I try to access http://111.111.111.3 I can see the DNAT Rule allowing traffic to 111.111.111.3:80 and a packetfilter rule allowing traffic to 192.168.2.10:80

However, I cannot reach the webserver and there are no dropped or allowed packets in ASG2's packetfilter log (ASG2 is set to log every packet).

From this observation I suppose that no traffic reaches ASG2 and I must have made a mistake in my thinking.

Thank you for any hints!

Cheers!


This thread was automatically locked due to age.
Parents Reply Children
  • 0 in reply to BAlfson
    Let's see if I got that right:

    I assume that without full NAT the incoming packet cannot traverse the ipsec tunnel because it's source entry (any public IP) does not match LAN1 or anything else in the list of left-hand networks of the IPSec-tunnel? Therefore no usable SA exists.
    With full NAT I changed the source field of the package to the internal IP of ASG1 and the incoming traffic can now be routed through the tunnel.