Solved: LIVEcommunity - IPSec VPN with overlapping networks - LIVEcommunity

Filip_Fronczak · ‎11-02-2018

To begin with I know the document Configuring IPSec VPN between overlapping networks.

Due to my lack of experience still I am not able to understand how I should create the NAT rules.

My objective is to configure the IPSec tunnel only on "my" side - one that will be accessed and should allow access to some servers in the 192.168.2.0/24 network.

Below I put some aqnonymised configuration info:

IKE Gateway

Parameter	Value
Version	IKEv1 only mode
Address type	IPv4
Local IP Address	a.b.c.99
Peer IP Address	x.y.z.255
Exchange mode	auto

IPSec Tunnel Proxy IDs

Parameter	Value
Local	10.0.2.0/24 (NAT 1:1 – original subnet 192.168.2.0/24 )
Remote	10.95.0.0/16

The overlapping network addresses are 192.168.2.0/24

I have to create a NAT rule to show them to the accessing partner as 10.0.2.0/24 network.

I would be grateful if someone could tell me how to create this NAT rule with static translation.

Thank You a LOT! :-)

Filip_Fronczak · ‎11-20-2018

Below is the configuration that finally worked.

Static Route

NAT

Security rules

View solution in original post

santonic · ‎11-02-2018

Let's say partners want to access server at 192.168.2.10. Chose an IP you will use for NAT, let's say it's 10.0.2.10 (though any from that network would do).

All you need is a static destination NAT: source 10.95.0.0/16, destination 10.0.2.10, Destination Address Translation 192.168.2.10 (with apropriate zones).

And also you will need a firewall rule to allow access with pre-NAT IP address and post-NAT destination zone.

Filip_Fronczak · ‎11-02-2018

I would like a rule that will translate any address in 192.168.2.0 into a coresponding address in 10.0.2.0 (192.168.2.1-->10.0.2.1, 192.168.2.2-->10.0.2.2 etc).

Can it bo done?

vsys_remo · ‎11-02-2018

@Filip_Fronczak wrote:
I would like a rule that will translate any address in 192.168.2.0 into a coresponding address in 10.0.2.0 (192.168.2.1-->10.0.2.1, 192.168.2.2-->10.0.2.2 etc).
Can it bo done?

Yes, this is possible.

Destination address object: 192.168.2.0/24
Destination translation address object: 10.0.2.0/24

Filip_Fronczak · ‎11-02-2018

Is this enough or should there be something more?

Do I need on my side a NAT rule to translate the source too or a rule in the other direction?

Sorry for asking basic questions...

IPSecVPN_1
{
to [ LAN_Servers ]; from [ IPSec_xxx ]; source [ any ]; destination [ 192.168.2.0/24 ]; service any; disabled no; destination-translation
{
translated-address 10.0.2.0/24;
}
}

vsys_remo · ‎11-02-2018

Ignore my last post ...

The NAT rule shoild look like this

Original source: 192.168.2.0/24
Original destination: 10.95.0.0/16
Type: Static IP
Translated source: 10.0.2.0/24
Translated destination: none

Filip_Fronczak · ‎11-02-2018

And what about the other way?

Traffic from the oher side that wants to arrive to servers in our network - 192.168.2.0/24?

vsys_remo · ‎11-02-2018

Check the bi-directional checkbox

Filip_Fronczak · ‎11-02-2018

So, it's this, right?

IPSecVPN_xxx-1
{
to [ IPSec_xxx ]; from [ LAN_Servers ]; source [ 192.168.2.0/24 ]; destination [ 10.95.0.0/16 ]; source-translation
{
static-ip
{
bi-directional yes; translated-address 10.0.2.0/24;
}
}
}

vsys_remo · ‎11-02-2018

Yes, looks correct.

Network Security

Cloud Security

Security Operations

IPSec VPN with overlapping networks

Show your appreciation!