
NAT over VPN

Jez222 Newbie ✭
edited February 23 in Mid Range Firewalls

Hi,

Total newbie here. I am trying to set up a site-to-site VPN with a 3rd party, but I need to NAT my side, as our LAN network is already in use by another company connected to the 3rd party.

We have successfully established an IPsec connection; however, there is no traffic, as I am stuck on how to set up the NAT.

I tried following the tech help on this subject, but that didn't help me: https://www.sonicwall.com/es-mx/support/knowledge-base/how-can-i-configure-nat-over-vpn-in-a-site-to-site-vpn/170515155805172/

Can anyone help? I have an NSA 2600.


Best Answer

  • TKWITS Cybersecurity Overlord ✭✭✭ (Accepted Answer)

    Create an address object for the subnet you are to use for the VPN NAT (172.26.12.x). In the VPN tunnel properties, enable 'Apply NAT policies', set your local translated as the address object for 172.26.12.x, and remote translated as original.

    You do not need to manually create a NAT policy when setting the NAT in the VPN tunnel properties.

    Hope that helps.
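    The accepted answer describes a one-to-one network translation: the LAN keeps its real addresses, and only the tunnel sees the translated subnet. The following is an added example (not code from this thread or from SonicWall) that models that translation in plain Python with the networks quoted later in the thread: 172.28.12.0/23 as the real LAN, 172.26.12.0/23 as the 'Local Translated' address object, 10.216.0.0/16 as the 3rd party's network, and 172.28.0.0/16 as the range the 3rd party already routes for the other company. It assumes the firewall maps each host to the same offset in the translated subnet (which is why both subnets must be the same size); the individual host addresses are constructed samples.

```python
# Added example (not code from the SonicWall thread or from SonicWall): models
# the 1:1 subnet translation that 'Apply NAT policies' performs on a
# site-to-site tunnel, using the networks quoted in the thread.  The host
# addresses used in the demo are constructed samples; the same-offset mapping
# is an assumption about how the translated network is applied.
import ipaddress

LOCAL_ORIGINAL = ipaddress.ip_network("172.28.12.0/23")    # real LAN (the X0 subnet)
LOCAL_TRANSLATED = ipaddress.ip_network("172.26.12.0/23")  # address object used as 'Local Translated'
REMOTE_NET = ipaddress.ip_network("10.216.0.0/16")         # 3rd party's network ('Remote Translated' = Original)
ALREADY_ON_PEER = ipaddress.ip_network("172.28.0.0/16")    # other company already routed by the 3rd party


def conflicts_with_peer(net, taken=ALREADY_ON_PEER):
    """True if `net` overlaps a prefix the peer already routes, i.e. it cannot
    be presented as the tunnel's local network without NAT."""
    return net.overlaps(taken)


def translate(addr, original, translated):
    """Map a host in `original` to the host with the same offset in `translated`
    (1:1 network NAT).  Both networks must be the same size, which is why the
    translated address object is a /23 like the LAN it replaces."""
    if original.prefixlen != translated.prefixlen:
        raise ValueError("original and translated networks must have the same prefix length")
    addr = ipaddress.ip_address(addr)
    if addr not in original:
        raise ValueError(f"{addr} is not in {original}")
    offset = int(addr) - int(original.network_address)
    return ipaddress.ip_address(int(translated.network_address) + offset)


def outbound(src, dst):
    """LAN host -> remote network: the source is rewritten before the packet
    enters the tunnel, so the peer only ever sees 172.26.12.x addresses."""
    dst = ipaddress.ip_address(dst)
    if dst not in REMOTE_NET:
        raise ValueError(f"{dst} is not reachable through this tunnel")
    return str(translate(src, LOCAL_ORIGINAL, LOCAL_TRANSLATED)), str(dst)


def inbound(src, dst):
    """Remote host -> translated address: the destination is rewritten back to
    the real LAN address after the packet leaves the tunnel."""
    src = ipaddress.ip_address(src)
    if src not in REMOTE_NET:
        raise ValueError(f"{src} is not a host on the remote network")
    return str(src), str(translate(dst, LOCAL_TRANSLATED, LOCAL_ORIGINAL))


def tunnel_selectors():
    """The local/remote pair the 3rd party should configure on their end:
    the translated subnet, never the real one."""
    return str(LOCAL_TRANSLATED), str(REMOTE_NET)


if __name__ == "__main__":
    print("real LAN needs NAT:", conflicts_with_peer(LOCAL_ORIGINAL))
    print("translated subnet conflicts:", conflicts_with_peer(LOCAL_TRANSLATED))
    print("outbound:", outbound("172.28.13.10", "10.216.1.5"))
    print("inbound: ", inbound("10.216.1.5", "172.26.13.10"))
    print("peer sees:", tunnel_selectors())
```

    Two things the model makes visible that the GUI does not: the translated address object has to be exactly the size of the LAN it stands in for (a /24 against a /23 cannot map every host, which is why the code rejects it), and the 3rd party must use 172.26.12.0/23 as their remote network, since the real 172.28.12.0/23 never appears on the wire.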

Answers

  • @Jez222,

    Welcome to the SonicWall community.

    In your case, I think the NAT is only required on your end and not on the remote side. If the VPN is already up, it means the networks are matching.

    I think it would be best to check if you see any traffic on the associated NAT policy and perform packet captures.

    Thanks!

    Shipra Sahu

    Technical Support Advisor, Premier Services

  • Jez222 Newbie ✭

    Hi Shipra,

    Many thanks, you are correct, the NAT is only required at my end because my current network (172.28.12.0/23) is in use by another company who use 172.28.0.0/16.

    We have agreed that my side can be NATed to 172.26.12.0/23, but herein lies the issue for me.

    I am not sure how to set up the NAT on my NSA 2600.

    Do I create an address group with my current and translated current?

    172.28.12.0/23

    172.26.12.0/23

    If so, how do I apply that to the VPN policy?

    In the Policy window under:

    General - Everything agreed with 3rd party and set correctly

    Network - Local Network is x0 Subnet - Remote Networks 3rd party network set correctly (10.216.0.0/16)

    Proposals - Everything agreed with 3rd party and set correctly

    Advanced - 2 things checked - Enable Keep alive and Apply NAT Policies

    Under NAT Policies

    Local Translated - Is this the Address Group (172.28.12.0/23 + 172.26.12.0/23) or the Address Object (172.26.12.0/23)?

    Remote Translated - Original

    Many thanks for your support

  • Lior Newbie ✭

    @Jez222, you should be using a Local Translated "Address Object" (172.26.12.0/23), not the address group, since you've already specified the network as X0 Subnet.

  • Jez222 Newbie ✭

    Thanks Lior, but to create the NAT, do I create the group with local and translated network? That's it?

  • Jez222 Newbie ✭
    edited February 24

    Now there is an issue with traffic:

    event="IPsec bad payload length"

    local_net=10.210.0.0/16,remote_net=172.26.12.0/23, remote_id=xxx.xxx.xxx.xxx, information="ipsec:bad_payload_len:1",

    reason="Received an IPsec packet with a payload length which is not a multiple of the ESP encryption algorithm block size. This could indicate a truncated packet."

    The other side I am trying to connect to found an issue. Can anyone here advise, please?

    Many thanks

  • TKWITS Cybersecurity Overlord ✭✭✭

    Verify the Phase 1 and Phase 2 proposal configuration is correct on both sides of the tunnel.

    If the issue is on the other side, then it is their issue to figure out.
