IPSEC with SNAT problem

Hi, I have successfully set up an IPsec VPN tunnel to a counter-party. However, they see my local IP address when I connect to one of their servers from my desktop (192.168.x.y). Since this will only work when they see me with our public IP, I have set up a SNAT rule, which I also see being applied in the live log of the firewall ("create firewall rules automatically" is set). However, the other party says they don't see any packets from our end with NAT enabled. What am I doing wrong here?



  • Hi Simon,

    have you checked "Rule applies to IPsec packets" in the advanced properties of the SNAT rule?

    regards

    mod

  • Hi mod2402, thanks for the hint, the checkbox is already set...
  • How did you set up your SNAT?

    Traffic Selector: 192.168.0.0/24 -> ANY -> 192.168.1.0/24
    Source Translation: 192.168.0.10/32

    All traffic headed for 192.168.1.0/24 from 192.168.0.0/24 appears as 192.168.0.10 on the remote network.

    The IP address on the external interface is not used in the SNAT rule, just in the VPN connection as the Local Interface.

    You said in your first post that they can see all of your workstation IPs, so they must have allowed your entire 192.168.x.y/24 subnet and that was working. You just need to NAT all those addresses behind a single address before sending it across the tunnel.
  • Hi, here it is:

    So "Traffic from" is our internal 192.168.x.y network, "Going to" is the public server IP of the target server and "Change source to" is simply our public IP. How can I be sure that the traffic is leaving the firewall and is routed through the IPsec tunnel?

  • Check the firewall logs; the NAT will show up in white when it's hit. Then go to the firewall rules, change the view to "Auto created firewall rules", edit the firewall rule for that NAT and set logging on it. Then you can see what the NAT does and what the firewall does after it's NATed.
  • Hi Simon - It's not clear whether this is a site-to-site tunnel or a Remote Access connection (not possible, I think). For a site-to-site, put "External (Address)" into 'Local Networks', DO NOT select 'Strict routing' and then, using Tim's subnet examples:

    Traffic Selector: 192.168.0.0/24 -> ANY -> 192.168.1.0/24
    Source Translation: External (Address)

    The other end must be correctly configured to see the IP of your "External (Address)" as your LAN. From your description, I guess that it is.

    Cheers - Bob
  • Hi Bob/All

    Thanks a ton for your help, adding the external address into Local Networks actually solved the issue (it's a site-to-site tunnel). Additionally, turning on the logging for the auto-generated rule did help to track the issue.
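The failure mode Bob's fix addresses can be modelled in a few lines: once SNAT runs before the tunnel lookup, the post-NAT source must fall inside the IPsec "Local Networks" selector or the packet never matches the tunnel policy. This is an added illustration, not Sophos code or anything from the thread; the external address 203.0.113.10 and the host addresses are constructed, and the LAN/remote subnets reuse Tim's example.

```python
"""Model of a pre-tunnel SNAT against an IPsec local/remote selector.
Addresses are constructed; 203.0.113.10 stands in for the firewall's
external address (assumption, not from the thread)."""
import ipaddress
from dataclasses import dataclass


@dataclass
class SnatRule:
    src_net: str   # "Traffic from"
    dst_net: str   # "Going to"
    new_src: str   # "Change source to"


@dataclass
class IpsecPolicy:
    local_nets: list    # "Local Networks" of the site-to-site connection
    remote_nets: list   # "Remote Networks"


def _in_any(ip: str, nets) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n) for n in nets)


def apply_snat(src: str, dst: str, rules) -> str:
    """Source address after the first matching SNAT rule. Assumes
    'Rule applies to IPsec packets' is set, so NAT precedes the tunnel lookup."""
    for r in rules:
        if _in_any(src, [r.src_net]) and _in_any(dst, [r.dst_net]):
            return r.new_src
    return src


def path_for(src: str, dst: str, rules, policy: IpsecPolicy):
    """('tunnel', post-NAT source) when the post-NAT packet matches both
    selectors, otherwise ('no_tunnel', post-NAT source)."""
    nat_src = apply_snat(src, dst, rules)
    if _in_any(nat_src, policy.local_nets) and _in_any(dst, policy.remote_nets):
        return ("tunnel", nat_src)
    return ("no_tunnel", nat_src)


EXTERNAL = "203.0.113.10"  # constructed external address
RULES = [SnatRule("192.168.0.0/24", "192.168.1.0/24", EXTERNAL)]
# Simon's original setup: LAN only in Local Networks, so the NATed source misses.
BROKEN = IpsecPolicy(["192.168.0.0/24"], ["192.168.1.0/24"])
# Bob's fix: External (Address) added to Local Networks.
FIXED = IpsecPolicy(["192.168.0.0/24", EXTERNAL + "/32"], ["192.168.1.0/24"])

if __name__ == "__main__":
    for name, pol in (("broken", BROKEN), ("fixed", FIXED)):
        print(name, path_for("192.168.0.42", "192.168.1.5", RULES, pol))
```

The log check Tim suggested corresponds to inspecting `apply_snat` (the NAT hit) separately from `path_for` (whether the tunnel policy then matched).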