How SNAT through existing IPSec tunnel - routing problem

Hi Daniel, 

Local networks should consist of the networks behind the UTM; which are to allowed access from the remote site. I think the Customer needs the local network traffic to be NATed via 66.x.x.x IP range. Is that the requirement?

Thanks 

Hi Sachin,

actually I have received only a single adress for NAT. So I think I can only use one host at a time to access there systems. Yes, they want our local IP to be NATted to the 66.x.x.x address when we try to access their network.

Thanks
Daniel

you can nat as many host as you want to the 66.x adress.

and x-host can work at the same time... they are all natted to these one adress then..

give us some screenshots and we can help more to find your config problem

Sure. Sorry the screenshots took a while. Here we go:

IPSec Connection:  Remote Gateway:  SNAT rule: 

Thank you very much.

If you have a firewall rule it should work...

if you dont have a rule... edit your ipsec-conn and mark "automatic firewall rules" for the first tests ;-)

Ok, I did already try with automatic and manual rules but failed. I now tried again but the result is the same. So I guess I have to ask the customer to check their side again?

first check if the traffic is nattet and will go into the tunnel.

easiest way to do that is a manual firewall rule for the tunnel traffic and set the rule to log.

then open debug window in paket-filter and check if traffic flow into the tunnel. you should see the natting also in the debug. 

if that is all ok then yes... the other side needs to check their config again...

first check if the traffic is nattet and will go into the tunnel.

easiest way to do that is a manual firewall rule for the tunnel traffic and set the rule to log.

then open debug window in paket-filter and check if traffic flow into the tunnel. you should see the natting also in the debug. 

if that is all ok then yes... the other side needs to check their config again...

also you need a snat rule for every remote network you defined in your ipsec tunnel.

its not a good practice to use groups here... i have seen configs with groups which did not work as expected... maybe bug in UTM..

Hi zaphod,

I have already configured multiple SNAT rules for each destination network. I just put only one screenshot here for simplicity.

Also I have an answer from the customer now that told me that not all ports are open and ICMP is blocked for example. Harhar... :-(

grmpf..... seems all problems are on the customers side ;-)

just a question: what do you mean by "then open debug window in paket-filter and check if traffic flow into the tunnel". it that the firewall log? I see that the NAT rule is applied but I don't see if the traffic reaches the tunnel. how can I check that?

yes i mean firewall live log.

depends on which rule you use... if automatic then you can change the automatic rule to log the traffic.

if you manual add the firewall rule for the tunnel traffic then you have to enable logs there to see your traffic.

Thank you very much for your help. It turned out now that on our side everything is ok. I verified in a remote session with the customer that traffic generated for the remote network goes through the tunnel and reaches the other side but there is a problem over there. I consider it fixed on my side. :-)

No Problem :-)

Please mark this thread as answered...