
NAT Tunnel down VPN


  • NAT Tunnel down VPN

    Hi,
    I have several VPNs (IPsec) connected to our GB2000x.
    I host multiple websites and services through the GB2000x.

    I need to have a NAT tunnel that NATs to an IP address at the end of one of these VPNs.

    I have tried already and it doesn't work.

    The simple setup is:
    NAT Tunnel
    Auto Policies
    GBAUTH
    Source ANY
    Destination - IP address on VPN network
    Does anyone know if this is even possible and if there is anything I've missed?
    Ask for more info if required.

    Thanks,

    Jeff

  • #2
    Originally posted by Aikidokajeff:

    I need to have a NAT tunnel that NATs to an IP address at the end of one of these VPNs.

    I have tried already and it doesn't work.

    The simple setup is:
    NAT Tunnel
    Auto Policies
    GBAUTH
    Source ANY
    Destination - IP address on VPN network

    Jeff
    Do you mean you need a host to hit a tunnel on one firewall external IP and redirect it via the VPN to a remote site and NAT the connection?



    • #3
      I want an external user to connect to my firewall.
      I want to then NAT that traffic to a server.
      (If the server was on my network this would be simply putting in the server's IP address)
      I want the Address for the NAT to be on the (internal) network of a site connected via VPN.

      EG:
      Firewall internal Network: 10.0.0.0/16
      Remote Network (Down VPN tunnel): 10.10.0.0/16
      Client -> 123.123.123.1 -> NAT ->(Via VPN) -> 10.10.1.100 (Server)

      Hope this helps



      • #4
        I've thought more about this while on holiday.

        From the firewall I cannot PING IP addresses on the remote network, using the network diagnostics.
        I can using a machine on the protected network behind the firewall.

        So, how can I create a static route on the firewall that will allow the firewall to talk directly to these IP addresses? I assume this is the reason the traffic is not NATing.

        Thanks,

        Jeff



        • #5
          Originally posted by Aikidokajeff:
          I've thought more about this while on holiday.

          From the firewall I cannot PING IP addresses on the remote network, using the network diagnostics.
          I can using a machine on the protected network behind the firewall.

          So, how can I create a static route on the firewall that will allow the firewall to talk directly to these IP addresses? I assume this is the reason the traffic is not NATing.

          Thanks,

          Jeff
          Jeff, this is not an issue of the firewall being able to talk directly to the remote network, but a function of the encryption rules (security associations) and the ping service on the firewall. The ping service will NAT (source) itself to the interface it leaves from to reach the remote network (typically external). However, because the source address does not match the encryption rules, the packet is not encrypted (sent through the tunnel).

          To have the firewall ping service send traffic through a VPN tunnel you will need to use the binding interface option (located under the Advanced tab on the [Monitor: Tools > Network Diagnostics] page), which will force the NAT (source) address to the interface that you select. This interface should be one that is assigned an IP address that is part of the VPN local network (if your firewall does not have its own address on the same local network as the VPN, then it will not be possible to connect directly from or to the firewall through the VPN tunnel).
          Last edited by Morbo; 2012-06-11, 10:39.



          • #6
            Thanks for your reply, that is indeed the problem regarding the ping.

            I have changed it to "PROTECTED" and it worked straight away.

            Sadly I'm still back to the start regarding sending the NAT traffic down the VPN.

            Anyone have any ideas or know what I'm doing wrong?

            Thanks,

            Jeff



            • #7
              Jeff,

              You may be able to use PPTP or L2TP to have the client come inbound and then NAT back out. I am not sure if SSL or IPsec will do that for you.



              • #8
                Thanks for your reply, but I don't think that is what I need.

                I need to be able to route, for example, HTTP traffic on port 80 from an alias on the firewall to an IP address at the other end of the VPN.

                I think it is the reverse of what you are suggesting.

                Thanks again for your reply, keep thinking though as I really need this to work.

                Jeff



                • #9
                  Jeff, I think this is possible, but I don't know if this would be something you would want to use in a production environment unless you have a known (static) source IP.

                  If I were to try to set this up this is what I would do:
                  Inbound NAT
                  ---------------------
                  Service: HTTP
                  From: External Interface or alias
                  To: IP of server across the VPN
                  Auto policies enabled
                  Source: IP address of external host
                  --------------------

                  The next step is where I think you are falling into issues. You need to add the IP of the external host to your site to site. So on the firewall with the Inbound tunnel, add the external host's IP to the local network address object. On the firewall with the server, add the external host's IP to the remote network address object.

                  As a side note, I have not tried this kind of setup but if I were to attempt it the above is what I would try. Good luck.

                  Rick

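                  The point raised in #5 (the ping source address not matching the encryption rules) and the fix proposed in #9 (adding the external host's IP to the local network object) are the same mechanism: IPsec only encrypts a packet whose source and destination both fall inside the tunnel's selectors. The script below is an added illustration, not code from this thread or from the GB2000x; the 10.0.0.0/16, 10.10.0.0/16, 10.10.1.100 and 123.123.123.1 addresses come from #3, while the protected-interface address 10.0.0.1 and the external client 198.51.100.7 are assumed.

```python
"""Constructed model of IPsec selector matching for the two cases in this thread.
'cleartext' means the packet matches no security association and so leaves the
firewall unencrypted (in practice: dropped, or sent to the default gateway)."""
import ipaddress
from dataclasses import dataclass
from typing import List

Net = ipaddress.IPv4Network


@dataclass
class TunnelPolicy:
    """Site-to-site SA: encrypt only if src is in a local network object
    AND dst is in a remote network object (both checked, as in #9)."""
    local: List[Net]
    remote: List[Net]

    def matches(self, src: str, dst: str) -> bool:
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        return any(s in n for n in self.local) and any(d in n for n in self.remote)


def egress(src: str, dst: str, policy: TunnelPolicy) -> str:
    return "encrypted" if policy.matches(src, dst) else "cleartext"


def firewall_ping(target: str, bind_ip: str, policy: TunnelPolicy) -> str:
    """#5: the ping service source-NATs to the interface it leaves from;
    bind_ip is the address selected with the 'binding interface' option."""
    return egress(bind_ip, target, policy)


def inbound_nat(client_ip: str, server_ip: str, policy: TunnelPolicy) -> str:
    """#9: destination NAT rewrites the public alias to the remote server, but
    the source stays the external client's IP, so the policy check sees
    (client_ip -> server_ip), not (alias -> server_ip)."""
    return egress(client_ip, server_ip, policy)


LOCAL, REMOTE = Net("10.0.0.0/16"), Net("10.10.0.0/16")   # networks from #3
SERVER = "10.10.1.100"                                     # server from #3
EXTERNAL_IF, PROTECTED_IF = "123.123.123.1", "10.0.0.1"    # protected IP assumed
CLIENT = "198.51.100.7"                                    # assumed external host

base = TunnelPolicy([LOCAL], [REMOTE])
# Rick's suggestion: add the external host's IP to the local network object
widened = TunnelPolicy([LOCAL, Net(CLIENT + "/32")], [REMOTE])

if __name__ == "__main__":
    print("ping, bound to external IF :", firewall_ping(SERVER, EXTERNAL_IF, base))
    print("ping, bound to protected IF:", firewall_ping(SERVER, PROTECTED_IF, base))
    print("inbound NAT, original SA   :", inbound_nat(CLIENT, SERVER, base))
    print("inbound NAT, widened SA    :", inbound_nat(CLIENT, SERVER, widened))
```

The same widening has to be mirrored on the remote firewall's remote network object, otherwise the reply from the server fails the check in the other direction.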


                  • #10
                    I can see what you are getting at.
                    I am out of the office tomorrow, so will try this, if it is possible, soon.

                    Sadly this will be in a production environment, but only for a couple of users while servers are relocated between the sites.

                    Not ideal but it is what I have to work with.

                    thanks,

                    Jeff
