Many-to-One NAT over VPN?
Hi, we have a TZ570. I'm trying to set up a site-to-site VPN that requires that our LAN network be NAT'd behind a public IP that is different from the X1 IP. The X1 IP is used as the peer address. The partner is a much bigger company and seems unwilling to provide any changes on their end, insisting their end is correct. I have tried creating NAT rules, as well as using the "Apply NAT policies" in the VPN configuration. And I just can't seem to get it working. Any tips to point me in the right direction would be much appreciated.
TKWITS Community Legend ✭✭✭✭✭
Ciscos will hide some settings in the raw config file unless it is explicitly defined, so while it's possible it could be part of your issue I cannot say for sure.
At this point I would work with the 3rd party and have them run a packet capture on their device looking for traffic from mine. You have already verified your device is sending but not receiving. If their device is not receiving your packets then there is something else going on.
When you say it isn't working, is the tunnel itself not coming up, or is the traffic not passing through?
You should be able to use any other IP as well for the NAT as long as the same IP is used in the remote end as the local IP.
Technical Support Advisor, Premier Services
Have you looked at this?
Yes, I have looked at that article and others, but that is not what I am doing. Besides the usual IKE parameters, this data partner requires a peer IP and a source domain, but they have to be public. The peer IP is my X1 IP address, and the source (encryption domain) is one of the other IP addresses with a /32. So, just like we NAT traffic to the internet, I want to NAT traffic to the resource at the data partner.
I'm glad you asked this. The tunnel is not coming up. Actually, I am getting no response from the partner side. The partner is telling me that it is my side that is the problem. In my experience, if the phase 1 or 2 parameters are not correct, I should get some kind of message in the logs or see it in a packet capture.
The partner is claiming that it is their ACL that is not allowing the tunnel to come up because I am not configured correctly. I disagree, which is why I'm on this forum doing a sanity check. It is my opinion that I can't even begin to verify/troubleshoot my NAT settings until after the tunnel is up. An ACL on their end is only for allowing interesting traffic into the network. Any IKE phase 1 or 2 is handled before that, usually by setting the peer in the phase 1 settings.
I am connecting to a Cisco, by the way. Not sure of the model.
I'm not gonna argue with you, but this is what you are doing: NAT-ing traffic over a VPN. Just because the article is using private IPs doesn't mean the underlying information is wrong.
Anyways... if you are not even seeing IKE/ISAKMP traffic to/from their peer then something else is up. Doesn't matter what model Cisco they use; IKE/ISAKMP/IPSec are published standards.
Sanity check: did they give you a form to fill out? Double check if you provided them the correct peer address (your X1 IP address, hopefully it's a static public IP). Double check you have entered the correct peer IP for them. Do a packet capture after verifying.
I have had to deal with many third parties (large Fortune 500 corporations included) for VPN tunnels and have had to do plenty of NAT over S2S VPN tunnels. A form makes it ten times easier to set up.
Thanks TKWITS. I don't mean to argue, just that the document talks about many-to-many NAT. It was helpful enough and I verified my NAT config works on a VPN where I control both ends.
I only see the outgoing IKEv2 requests and nothing coming back. Yes, I do have a form:
IKE Version - IKEV2
Encryption Algorithm - AES-256
Hash Algorithm - SHA-256
DH - Group 5
ISAKMP Lifetime - 43200
IPSEC lifetime - 3600
Support Aggressive Mode - Main (I only had two choices here, aggressive or main. IKEv2 uses neither)
VPN Peer Device - X1 IP
Encryption Domain - /32 public IP I am using for NAT
They also shared with me some of their config:
crypto ikev2 policy xx
lifetime seconds 43200
crypto map vpn1 xxx match address xxxxx-ipsec
crypto map vpn1 xxx set peer X1 IP address
crypto map vpn1 xxx set ikev2 ipsec-proposal aes256-sha256
crypto map vpn1 xxx set security-association lifetime seconds 3600
tunnel-group X1 IP address type ipsec-l2l
tunnel-group X1 IP address ipsec-attributes
ikev2 remote-authentication pre-shared-key PSK
ikev2 local-authentication pre-shared-key PSK
I have read a couple of issues where the Cisco PRF was set to SHA and that was causing the issue. However, I don't see that setting on their config. Could that still be an issue?
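As an added illustration of the check described in this thread (only outgoing IKEv2 requests visible, nothing coming back), here is a small Python parser for the IKEv2 header (RFC 7296, section 3.1) that classifies captured UDP/500 payloads by IKE SA and reports whether the far side ever answered. It is example code written for this page, not SonicWall or Cisco code; the function names, the sample packets and the addresses (RFC 5737 documentation ranges) are all constructed for the example. Feed it the UDP payloads and IP endpoints pulled from a capture; an SA with requests but zero responses points at reachability or UDP/500 filtering on the path, which has to be resolved before proposal details such as the PRF can even be negotiated.

```python
import struct

# IKEv2 header, RFC 7296 section 3.1 (28 bytes, network byte order):
#   Initiator SPI (8) | Responder SPI (8) | Next Payload (1) | Version (1)
#   Exchange Type (1) | Flags (1) | Message ID (4) | Length (4)
IKE_HDR = struct.Struct("!8s8sBBBBII")

EXCHANGE_TYPES = {34: "IKE_SA_INIT", 35: "IKE_AUTH",
                  36: "CREATE_CHILD_SA", 37: "INFORMATIONAL"}
FLAG_INITIATOR = 0x08   # set by the original initiator of the SA
FLAG_RESPONSE = 0x20    # set on responses, clear on requests
NEXT_PAYLOAD_SA = 33    # first payload of an IKE_SA_INIT is the SA payload


def parse_ikev2_header(payload: bytes) -> dict:
    """Decode the fixed IKEv2 header of one UDP/500 (or 4500) payload."""
    if len(payload) < IKE_HDR.size:
        raise ValueError("payload too short for an IKEv2 header")
    ispi, rspi, _nxt, ver, xchg, flags, msgid, length = IKE_HDR.unpack_from(payload)
    if ver >> 4 != 2:
        raise ValueError(f"not IKEv2 (major version {ver >> 4})")
    return {
        "ispi": ispi.hex(),
        "rspi": rspi.hex(),
        "exchange": EXCHANGE_TYPES.get(xchg, f"unknown({xchg})"),
        "is_response": bool(flags & FLAG_RESPONSE),
        "from_initiator": bool(flags & FLAG_INITIATOR),
        "message_id": msgid,
        "length": length,
    }


def summarize(packets) -> dict:
    """Group packets by initiator SPI.

    packets: iterable of (src_ip, dst_ip, udp_payload). Retransmitted
    IKE_SA_INIT requests share the same initiator SPI, so counting per SPI
    shows how many tries went out and how many answers came back.
    """
    sas = {}
    for src, dst, data in packets:
        h = parse_ikev2_header(data)
        e = sas.setdefault(h["ispi"], {"requests": 0, "responses": 0,
                                       "peer": None, "responder_spi": None})
        if h["is_response"]:
            e["responses"] += 1
            e["responder_spi"] = h["rspi"]
            e["peer"] = src
        else:
            e["requests"] += 1
            e["peer"] = dst
    return sas


def classify(sas: dict) -> dict:
    """Map each initiator SPI to 'answered' or 'unanswered'."""
    return {spi: ("answered" if e["responses"] else "unanswered")
            for spi, e in sas.items()}


def build_header(ispi: bytes, rspi: bytes, xchg: int, flags: int, msgid: int) -> bytes:
    """Construct a bare IKEv2 header (used only to build sample input)."""
    return IKE_HDR.pack(ispi, rspi, NEXT_PAYLOAD_SA, 0x20, xchg, flags, msgid, IKE_HDR.size)


# Constructed sample capture: three IKE_SA_INIT retransmissions to a peer that
# never answers, and one exchange with a lab peer that does answer.
OUR_X1, SILENT_PEER, LAB_PEER = "198.51.100.10", "203.0.113.5", "192.0.2.7"
SAMPLE_PACKETS = [
    (OUR_X1, SILENT_PEER, build_header(b"\x11" * 8, b"\x00" * 8, 34, FLAG_INITIATOR, 0)),
    (OUR_X1, SILENT_PEER, build_header(b"\x11" * 8, b"\x00" * 8, 34, FLAG_INITIATOR, 0)),
    (OUR_X1, SILENT_PEER, build_header(b"\x11" * 8, b"\x00" * 8, 34, FLAG_INITIATOR, 0)),
    (OUR_X1, LAB_PEER, build_header(b"\x22" * 8, b"\x00" * 8, 34, FLAG_INITIATOR, 0)),
    (LAB_PEER, OUR_X1, build_header(b"\x22" * 8, b"\xaa" * 8, 34, FLAG_RESPONSE, 0)),
]

if __name__ == "__main__":
    summary = summarize(SAMPLE_PACKETS)
    for spi, status in classify(summary).items():
        e = summary[spi]
        print(f"SPI {spi}: {e['requests']} request(s), {e['responses']} response(s) "
              f"from {e['peer']} -> {status}")
```

The header flags do the work here: a request carries the I bit (0x08) and a zero responder SPI, while any answer, including a NOTIFY rejecting the proposal, carries the R bit (0x20). If the far side rejects a proposal you will still see a response; a complete absence of responses means the packets are not reaching an IKE listener at all.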