
NAT over IPSEC scenario

Hi!

I have this scenario at a customer of ours.

Two offices connected to each other by a site-to-site IPSEC VPN with "main mode".

There are two networks in each office. The VPN is working fine.

Now, I am being asked to do NAT only when one network from one office wants to reach a particular network in the other office.

Is this possible? To do NAT over IPSEC only for a specific source and destination?

Is there a way I can do the NAT rules, and not select "apply NAT" on IPSEC advanced options?

Category: Mid Range Firewalls

Answers

  • Ajishlal Enthusiast ✭✭
  • Hello @SEBASTIAN,

    Yes, it can certainly be done. If you do not wish to apply the NAT policy directly on the VPN policy's advanced settings, you would need to choose the translated address directly as the local network and create the NAT policies independently.

    Thanks!

    Shipra Sahu

    Technical Support Advisor, Premier Services

  • Hi!

    I did some tests and these are the results.

    TEST 1:

    If I create a site-to-site VPN (main mode) the only way to do NAT from a specific source to a specific destination is using the advanced "apply nat policies" option. But this is not what I am looking for.

    Let's remember:

    I only want to do a translation to 192.168.50.0/24 when 192.168.1.0/24 wants to reach 192.168.2.0/24.

    TEST 2:

    If I create the VPN with "Tunnel Interface", I can still enable "Apply NAT Policies" in the advanced options, but the NAT rule has to be made in the Policies menu, under NAT Policies. From there I am able to configure the NAT rule as I want.

    So, TEST 2 is valid for me.

    But I am wondering if I am doing anything wrong on TEST 1 since it is not working as I want it to.

  • Hello @SEBASTIAN,

    For test case 1, I would suggest having both 192.168.1.0/24 and 192.168.50.0/24 in the local networks field on the VPN and then not applying the NAT on the VPN policy itself. After this you can add the NAT separately that translates 192.168.1.0/24 to 192.168.50.0/24 only if the destination is 192.168.2.0/24. For the 192.168.3.0/24, the traffic will go as it is.

    I hope that helps!

    Thanks!

    Shipra Sahu

    Technical Support Advisor, Premier Services
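    The advice above (keep both 192.168.1.0/24 and 192.168.50.0/24 in the VPN's local networks, and let a separate NAT policy translate only the 192.168.1.0/24 → 192.168.2.0/24 traffic) can be checked with a small model of how a policy-based VPN treats a packet: source NAT runs first, then the firewall looks for a phase 2 selector that matches the translated packet. The script below is an added illustration written for this thread, not SonicWall code; the rule/selector structures, the assumption that network-to-network NAT keeps the host offset (.10 stays .10), and the sample addresses are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from itertools import product


@dataclass(frozen=True)
class NatRule:
    """Source NAT that fires only for a given original source AND destination."""
    orig_src: ipaddress.IPv4Network
    orig_dst: ipaddress.IPv4Network
    translated_src: ipaddress.IPv4Network


def net(text):
    return ipaddress.IPv4Network(text)


def translate_source(src, dst, rules):
    """Return (source as it will appear on the wire, whether a rule matched).

    Assumption (simplification): one /24 maps onto another with the host part kept.
    """
    for rule in rules:
        if src in rule.orig_src and dst in rule.orig_dst:
            offset = int(src) - int(rule.orig_src.network_address)
            wire = ipaddress.IPv4Address(int(rule.translated_src.network_address) + offset)
            return wire, True
    return src, False


def phase2_selectors(local_nets, remote_nets):
    """Policy-based VPN: every local/remote network pair is one phase 2 selector."""
    return list(product(local_nets, remote_nets))


def match_selector(src, dst, selectors):
    """First selector whose local side holds src and remote side holds dst, else None."""
    for local, remote in selectors:
        if src in local and dst in remote:
            return (str(local), str(remote))
    return None


def forward(src, dst, rules, selectors):
    """NAT first, then look up a phase 2 selector for the translated packet."""
    src_ip = ipaddress.IPv4Address(src)
    dst_ip = ipaddress.IPv4Address(dst)
    wire_src, natted = translate_source(src_ip, dst_ip, rules)
    return {
        "source_on_wire": str(wire_src),
        "natted": natted,
        "selector": match_selector(wire_src, dst_ip, selectors),
    }


# Constructed Site A configuration, mirroring the networks discussed in the thread.
SITE_A_NAT = [NatRule(net("192.168.1.0/24"), net("192.168.2.0/24"), net("192.168.50.0/24"))]
SELECTORS_OK = phase2_selectors(
    [net("192.168.1.0/24"), net("192.168.50.0/24")],   # local networks on the VPN policy
    [net("192.168.2.0/24"), net("192.168.3.0/24")],    # remote networks
)
# Same VPN but with 192.168.50.0/24 left out of the local networks.
SELECTORS_MISSING = phase2_selectors(
    [net("192.168.1.0/24")],
    [net("192.168.2.0/24"), net("192.168.3.0/24")],
)

if __name__ == "__main__":
    # Translated and carried by the 192.168.50.0/24 -> 192.168.2.0/24 selector.
    print(forward("192.168.1.10", "192.168.2.20", SITE_A_NAT, SELECTORS_OK))
    # Not translated; carried untouched to 192.168.3.0/24.
    print(forward("192.168.1.10", "192.168.3.20", SITE_A_NAT, SELECTORS_OK))
    # Translated, but no selector covers 192.168.50.0/24: the packet has no tunnel.
    print(forward("192.168.1.10", "192.168.2.20", SITE_A_NAT, SELECTORS_MISSING))
```

    The third case is the one to keep in mind when a translated flow "does not work": once the source has been rewritten to 192.168.50.0/24, a VPN policy that only lists 192.168.1.0/24 locally has no selector for it, and the remote end must list 192.168.50.0/24 as a remote network for the same reason. Which phase 2 SAs actually come up depends on the VPN policy alone, as the reply further down notes; the NAT policy is only consulted when data is sent.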

  • Hi!

    Yes, this is exactly what I am doing for TEST 1. Interesting traffic for the VPN: source is 192.168.1.0/24 and 192.168.50.0/24, and destination is 192.168.2.0/24 and 192.168.3.0/24.

    Unfortunately it is not working.

    I can see from Site B that IPSEC phase 2 for 192.168.50.0/24 is not up. So, I guess something is wrong with the NAT rule on Site A.

    Curious, since it is the same NAT rule I used for TEST 2.

  • @SEBASTIAN,

    Is the remote end also a SonicWall? Also, you have included both 192.168.1.0/24 and 192.168.50.0/24 as the remote network on VPN policy on the remote end right?

    The NAT policy is not checked while forming the SA for the VPN. That takes place only when the data needs to be sent across. If the phase 2 is not up, this is a VPN related configuration issue.

    Thanks!

    Shipra Sahu

    Technical Support Advisor, Premier Services

  • Yes, the remote end is also a SonicWall.

    192.168.1.0/24 and 192.168.50.0/24 are included as the remote networks for SITE B.

    If I do a NAT rule on SITE B for traffic coming from 192.168.1.0/24 (translated to 192.168.50.0/24) to 192.168.2.0/24, it seems to work. I have to test it with real traffic, not just a PING.

    I am wondering why the NAT rule is not working on Site A before passing through the VPN.

  • @SEBASTIAN,

    That does seem weird. Please check the NAT policy's priority on Site A. Let us know how it goes.

    Thanks!

    Shipra Sahu

    Technical Support Advisor, Premier Services

  • Sorry, the NAT priority is fine.
