VPN tunnel and NAT rules

I have to create a VPN tunnel between two businesses.  The main objective is that company A needs to provide access to the following subnets to company B:

10.10.1.144/28
10.1.2.144/28

I've got all the tunnel info set up, and there is just a public IP address on each firewall as the peer IP.

For company A, where the subnets are located, I'm struggling with the NAT rule needed to allow access to this range of IPs.

Would it look something like this:

source zone: vpn_untrust
destination zone: inside_trust
destination interface: any
source address: public IP of company B
destination address: public IP of company A
destination translation: subnets listed above

Re: VPN tunnel and NAT rules

Hi @buck1,

No.

But first: is NAT needed at all? (Is there an IP conflict between the two sites?)

If there is no IP conflict then no NAT is needed, just routing.

If both sites have identical IP subnets, you will need to set up NAT, depending on which direction you need to communicate in.

If site A only needs to connect to site B, you could replace these subnets at site A with two different ones,

e.g. 192.168.0.0/28 + 192.168.0.16/28, while doing source NAT to 192.168.0.250/24.

Site A

source zone: trust
destination zone: vpn
source address: LAN subnet
destination address: 192.168.0.0/28 + 192.168.0.16/28
source translation: 192.168.0.250/24

Route these (0 + 16) subnets into the tunnel and set the tunnel IP to 192.168.0.250/24.

Site B

rule 1
source zone: vpn
destination zone: vpn
source address: 192.168.0.250
destination address: 192.168.0.0/28
destination translation: 10.10.1.144/28

rule 2
source zone: vpn
destination zone: vpn
source address: 192.168.0.250
destination address: 192.168.0.16/28
destination translation: 10.1.2.144/28

And set the tunnel interface to 192.168.0.251/24.

 

reaper - PANgurus.com
I drink and I know things
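The two-stage design in the reply above (source NAT at site A behind 192.168.0.250, static destination NAT at site B from the stand-in /28s back to the real 10.10.1.144/28 and 10.1.2.144/28) can be traced packet by packet to see why the overlapping addresses stop colliding. The following Python model is an added example, not part of the thread and not a vendor configuration: zones are left out, only address matching is simulated, the site A LAN 10.10.1.0/24 and the host addresses are constructed for the demo, and the reverse translation for replies is modelled with a simple session table rather than any real firewall's implementation.

```python
"""Model of the two-stage NAT design described in the reply above (added example).

Site A hides its LAN behind 192.168.0.250 (source NAT) and reaches site B's
overlapping /28s through two stand-in ranges; site B maps the stand-ins back to
the real 10.10.1.144/28 and 10.1.2.144/28 (static destination NAT).
Zones are omitted; only address matching is modelled.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: IPv4Address
    dst: IPv4Address

    def __str__(self):
        return f"{self.src} -> {self.dst}"


@dataclass
class NatRule:
    src_match: IPv4Network
    dst_match: IPv4Network
    src_xlate: Optional[IPv4Address] = None  # hide-NAT: rewrite source to a single IP
    dst_xlate: Optional[IPv4Network] = None  # static 1:1 NAT: rewrite destination network

    def matches(self, pkt):
        return pkt.src in self.src_match and pkt.dst in self.dst_match


def map_offset(addr, from_net, to_net):
    """Static one-to-one translation: keep the host offset, swap the network part."""
    if from_net.prefixlen != to_net.prefixlen:
        raise ValueError("static NAT needs equal-size networks")
    return to_net.network_address + (int(addr) - int(from_net.network_address))


class Firewall:
    def __init__(self, rules):
        self.rules = rules
        self.sessions = {}  # (translated src, dst) -> original src, for hide-NAT replies

    def outbound(self, pkt):
        """First matching rule wins; no match means plain routing without translation."""
        for r in self.rules:
            if r.matches(pkt):
                src = r.src_xlate or pkt.src
                dst = map_offset(pkt.dst, r.dst_match, r.dst_xlate) if r.dst_xlate else pkt.dst
                if r.src_xlate:
                    self.sessions[(src, dst)] = pkt.src
                return Packet(src, dst)
        return pkt

    def inbound(self, pkt):
        """Reverse translation for reply traffic."""
        for r in self.rules:  # undo static DNAT: real host -> stand-in address
            if r.dst_xlate and pkt.src in r.dst_xlate:
                return Packet(map_offset(pkt.src, r.dst_xlate, r.dst_match), pkt.dst)
        orig = self.sessions.get((pkt.dst, pkt.src))  # undo hide-NAT via the session table
        if orig is not None:
            return Packet(pkt.src, orig)
        return pkt


def overlapping(local_nets, remote_nets):
    """The reply's first question: is there an address conflict at all?"""
    return [(a, b) for a in local_nets for b in remote_nets if a.overlaps(b)]


# Addresses from the thread plus one constructed site A LAN that clashes with site B.
SITE_B_REAL = [ip_network("10.10.1.144/28"), ip_network("10.1.2.144/28")]
STAND_IN = [ip_network("192.168.0.0/28"), ip_network("192.168.0.16/28")]
SITE_A_LAN = ip_network("10.10.1.0/24")  # constructed for the demo
HIDE_IP = ip_address("192.168.0.250")

site_a = Firewall([NatRule(SITE_A_LAN, n, src_xlate=HIDE_IP) for n in STAND_IN])
site_b = Firewall([NatRule(ip_network("192.168.0.250/32"), s, dst_xlate=r)
                   for s, r in zip(STAND_IN, SITE_B_REAL)])


def trace(src, dst):
    """Carry one request from site A to site B and its reply back; return every hop."""
    p0 = Packet(ip_address(src), ip_address(dst))
    p1 = site_a.outbound(p0)  # site A: source NAT to the hide address
    p2 = site_b.outbound(p1)  # site B: destination NAT to the real /28 host
    p3 = site_b.inbound(Packet(p2.dst, p2.src))  # reply: site B restores the stand-in
    p4 = site_a.inbound(p3)  # reply: site A restores the original LAN host
    return [str(p) for p in (p0, p1, p2, p3, p4)]


if __name__ == "__main__":
    print("conflicts without NAT:", overlapping([SITE_A_LAN], SITE_B_REAL))
    for hop in trace("10.10.1.50", "192.168.0.5"):
        print(hop)
```

Running it shows a site A host addressing 192.168.0.5 being delivered to 10.10.1.149 at site B, while the stand-in ranges themselves do not overlap anything at either site; that is the property the reply's design relies on, and `overlapping()` is the check to run before deciding NAT is needed at all.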