11-16-2020 04:08 AM - edited 11-16-2020 05:26 AM
Hi there,
I want to finish an easy setup which needs a simple DNAT and forwarding into a VPN tunnel on my PA5020.
I've created a working VPN tunnel which is the destination for my traffic. And this works fine if I'm using the tunnel IP to reach targets inside the VPN destination network (192.168.5.0/24). To use this setup it is necessary to hide the destination network (192.168.5.0/24) behind free public NAT (1.1.1.0/24) addresses which we're using inside the intranet. So I have a public space /24 to mask the private address space /24.
There are three zones configured: untrust ("internet" via ae2.400), VPN and trust ("intranet" via ae1.305). To prevent double use of private addresses I've created a second VR for the customer destination network and added the tunnel interface from zone VPN. And finally I have created a NAT policy which should map 1:1 the outgoing packets directed to the public addresses (1.1.1.0/24) and change the destination to the private network (192.168.5.0/24), so these packets should be routed inside the VPN. But they're not.
I've tried a lot of different configurations with routing and NAT but finally I have no clue what's going wrong. The security policies don't block any traffic and the NAT policy counter counts my connection tries. Everything looks fine. But no way to get a working connection from the intranet to the VPN.
How do I set the routes properly to get my packets NATted and routed into the correct VR and finally inside the VPN?
Configuration ahead. I've changed the config a lot of times, so I'm sure everything looks completely senseless now 😉
Thanks in advance.
show routing route
VIRTUAL ROUTER: default (id 1)
==========
destination          nexthop           metric  flags  age  interface  next-AS
0.0.0.0/0            3.3.3.1           10      A S         ae2.400
10.0.0.0/8           172.30.224.129    10      A S         ae1.305
1.1.1.0/24           0.0.0.0           10      A S         ae1.305
172.16.0.0/12        172.30.224.129    10      A S         ae1.305
172.30.224.128/27    172.30.224.133    0       A C         ae1.305
172.30.224.133/32    0.0.0.0           0       A H
3.3.3.0/24           3.3.3.5           0       A C         ae2.400
3.3.3.5/32           0.0.0.0           0       A H
192.168.0.0/16       172.30.224.129    10      A S         ae1.305
total routes shown: 12

VIRTUAL ROUTER: CUSTOMER (id 2)
==========
destination          nexthop           metric  flags  age  interface  next-AS
3.3.3.99/32          0.0.0.0           0       A H
192.168.5.0/24       0.0.0.0           10      A S         tunnel.99
show running nat-policy
"NAT-S2S-CUSTOMER; index: 2" {
        nat-type ipv4;
        from trust;
        source any;
        to trust;
        to-interface;
        destination 1.1.1.0/24;
        service 0:any/any/any;
        translate-to "dst: 192.168.5.0-192.168.5.255";
        terminal no;
}
11-27-2020 02:05 AM
Set the 1.1.1.0/24 subnet on the tunnel interface.
Add a route for the default VR to the customer VR for 1.1.1.0/24 (next hop VR),
and add your internal subnets on the customer VR as a next hop to the default VR.
Then set the NAT rule from trust to vpn with 1.1.1.0/24 original, and 192.168.5.0/24 static destination NAT,
and set the security rule from trust to vpn, destination 1.1.1.0/24 (security uses pre-NAT IPs).
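The steps above as PAN-OS configure-mode set commands, added here as an illustration and not the answerer's or the original poster's own config. Assumptions: the tunnel host address 1.1.1.254, the route and rule names, and that the VPN zone is named `vpn` as written in the answer (it must match the configured zone name exactly); the internal subnets are the ones from the default VR table in the question, and the `#` lines are annotations, not CLI input.

```panos
# 1. Put the public /24 on the tunnel interface (host address is an assumption)
#    and keep the interface in the CUSTOMER VR
set network interface tunnel units tunnel.99 ip 1.1.1.254/24
set network virtual-router CUSTOMER interface tunnel.99

# 2. Default VR: hand 1.1.1.0/24 to the CUSTOMER VR. The existing static route
#    for 1.1.1.0/24 via ae1.305 (name not shown in the question) has to go first,
#    otherwise packets leave towards the intranet instead of the VPN.
set network virtual-router default routing-table ip static-route TO-CUSTOMER-VR destination 1.1.1.0/24 nexthop next-vr CUSTOMER

# 3. CUSTOMER VR: return routes for the intranet subnets back through the default VR.
#    192.168.5.0/24 via tunnel.99 stays and wins over 192.168.0.0/16 (longest match).
set network virtual-router CUSTOMER routing-table ip static-route INTRANET-10 destination 10.0.0.0/8 nexthop next-vr default
set network virtual-router CUSTOMER routing-table ip static-route INTRANET-172 destination 172.16.0.0/12 nexthop next-vr default
set network virtual-router CUSTOMER routing-table ip static-route INTRANET-192 destination 192.168.0.0/16 nexthop next-vr default

# 4. NAT: post-NAT zone is vpn (not trust), original destination 1.1.1.0/24,
#    static 1:1 destination translation to 192.168.5.0/24 (same-size subnets)
set rulebase nat rules NAT-S2S-CUSTOMER nat-type ipv4 from trust to vpn source any destination 1.1.1.0/24 service any
set rulebase nat rules NAT-S2S-CUSTOMER destination-translation translated-address 192.168.5.0/24

# 5. Security: matched on the post-NAT zone but the pre-NAT destination address
set rulebase security rules ALLOW-INTRANET-TO-CUSTOMER from trust to vpn source any destination 1.1.1.0/24 application any service application-default action allow

commit
```

After the commit, `show routing route` should list 1.1.1.0/24 in the default VR with next-vr CUSTOMER, and a session from the intranet to a 1.1.1.x host should show zone trust to vpn with the translated destination in 192.168.5.0/24.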