
Many-to-One NAT over VPN?

Hi, we have a TZ570. I'm trying to set up a site-to-site VPN that requires that our LAN network be NAT'd behind a public IP that is different than the X1 IP. The X1 IP is used as the peer address. The partner is a much bigger company and seems unwilling to provide any changes on their end, insisting their end is correct. I have tried creating NAT rules, as well as using the "Apply NAT policies" in the VPN configuration. And I just can't seem to get it working. Any tips to point me in the right direction would be much appreciated.

Category: Entry Level Firewalls

Answers

  • Hello @TSOL68,

    When you say it isn't working, is the tunnel itself not coming up, or is the traffic not passing through?

    You should be able to use any other IP as well for the NAT as long as the same IP is used in the remote end as the local IP.

    Thanks!

    Shipra Sahu

    Technical Support Advisor, Premier Services

  • TSOL68 Newbie ✭

    Yes, I have looked at that article and others, but that is not what I am doing. Besides the usual IKE parameters, this data partner requires a peer IP and a source domain, but they have to be public. The peer IP is my X1 IP address, and the source (encryption domain) is one of the other IP addresses with a /32. So, just like we NAT traffic to the internet, I want to NAT traffic to the resource at the data partner.

  • TSOL68 Newbie ✭

    I'm glad you asked this. The tunnel is not coming up. Actually, I am getting no response from the partner side. The partner is telling me that it is my side that is the problem. In my experience, if the phase 1 or 2 parameters are not correct, I should get some kind of message in the logs or see it in a packet capture.

    The partner is claiming that it is their ACL that is not allowing the tunnel to come up because I am not configured correctly. I disagree, which is why I'm on this forum doing a sanity check. It is my opinion that I can't even begin to verify/troubleshoot my NAT settings until after the tunnel is up. An ACL on their end is only for allowing interesting traffic into the network. Any IKE phase 1 or 2 is handled before that, usually by setting the peer in the phase 1 settings.

    I am connecting to a Cisco, by the way. Not sure of the model.

  • TKWITS All-Knowing Sage ✭✭✭✭

    I'm not gonna argue with you, but this is what you are doing: NAT-ing traffic over a VPN. Just because the article is using private IPs doesn't mean the underlying information is wrong.

    Anyways... if you are not even seeing IKE/ISAKMP traffic to/from their peer, then something else is up. Doesn't matter what model Cisco they use; IKE/ISAKMP/IPSec are published standards.

    Sanity check: did they give you a form to fill out? Double check if you provided them the correct peer address (your X1 IP address, hopefully it's a static public IP). Double check you have entered the correct peer IP for them. Do a packet capture after verifying.

    I have had to deal with many third parties (large Fortune 500 corporations included) for VPN tunnels and have had to do plenty of NAT over S2S VPN tunnels. A form makes it ten times easier to set up.

  • TSOL68 Newbie ✭

    Thanks TKWITS. I don't mean to argue, just that the document talks about many-to-many NAT. It was helpful enough, and I verified my NAT config works on a VPN where I control both ends.

    I only see the outgoing IKEv2 requests and nothing coming back. Yes, I do have a form:

    IKE Version - IKEv2
    Encryption Algorithm - AES-256
    Hash Algorithm - SHA-256
    DH - Group 5
    PSK
    ISAKMP Lifetime - 43200
    IPSEC lifetime - 3600
    Support Aggressive Mode - Main (I only had two choices here, aggressive or main. IKEv2 uses neither)
    VPN Peer Device - X1 IP
    Encryption Domain - /32 public IP I am using for NAT


    They also shared with me some of their config:

    Current config

    crypto ikev2 policy xx
     encryption aes-256
     integrity sha256
     group 5
     lifetime seconds 43200

    crypto map vpn1 xxx match address xxxxx-ipsec
    crypto map vpn1 xxx set peer X1 IP address
    crypto map vpn1 xxx set ikev2 ipsec-proposal aes256-sha256
    crypto map vpn1 xxx set security-association lifetime seconds 3600

    tunnel-group X1 IP address type ipsec-l2l
    tunnel-group X1 IP address ipsec-attributes
     ikev2 remote-authentication pre-shared-key PSK
     ikev2 local-authentication pre-shared-key PSK


    I have read a couple of issues where the Cisco PRF was set to SHA and that was causing the issue. However, I don't see that setting on their config. Could that still be an issue?

  • TKWITS All-Knowing Sage ✭✭✭✭

    Ciscos will hide some settings in the raw config file unless they are explicitly defined, so while it's possible it could be part of your issue, I cannot say for sure.

    At this point I would work with the 3rd party and have them run a packet capture on their device looking for traffic from yours. You have already verified your device is sending but not receiving. If their device is not receiving your packets, then there is something else going on.
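The "sending but not receiving" condition the thread keeps coming back to can be confirmed from a packet capture by reading the fixed IKEv2 header (RFC 7296 section 3.1) of each UDP/500 packet and checking whether any IKE_SA_INIT request ever got a response with the same initiator SPI. This is an added example, not code from the thread or from SonicWall; the packets it inspects are constructed inline to mimic a capture where one peer answers and the other stays silent.

```python
import struct
from collections import defaultdict

# IKEv2 exchange types and header flag bits, RFC 7296 section 3.1
EXCHANGE_TYPES = {34: "IKE_SA_INIT", 35: "IKE_AUTH", 36: "CREATE_CHILD_SA", 37: "INFORMATIONAL"}
FLAG_INITIATOR = 0x08   # set by the side that started the IKE SA
FLAG_RESPONSE = 0x20    # set on responses, clear on requests

def parse_ikev2_header(data: bytes) -> dict:
    """Decode the 28-byte fixed IKEv2 header: SPIi, SPIr, next payload,
    version, exchange type, flags, message ID, total length."""
    if len(data) < 28:
        raise ValueError("truncated IKE header")
    spi_i, spi_r, next_payload, version, exch, flags, msg_id, length = struct.unpack("!QQBBBBII", data[:28])
    return {
        "spi_i": spi_i, "spi_r": spi_r,
        "major": version >> 4, "minor": version & 0x0F,
        "exchange": EXCHANGE_TYPES.get(exch, f"UNKNOWN({exch})"),
        "initiator": bool(flags & FLAG_INITIATOR),
        "response": bool(flags & FLAG_RESPONSE),
        "msg_id": msg_id, "length": length,
    }

def diagnose(capture) -> dict:
    """Group IKE_SA_INIT packets by initiator SPI and report whether the peer ever answered.
    A SPI with requests but no responses means the remote side is not replying at all
    (peer address, ACL or path problem), so phase 1 parameters cannot yet be the cause."""
    stats = defaultdict(lambda: {"requests": 0, "responses": 0})
    for pkt in capture:
        h = parse_ikev2_header(pkt)
        if h["exchange"] != "IKE_SA_INIT":
            continue
        stats[h["spi_i"]]["responses" if h["response"] else "requests"] += 1
    return {spi: dict(s, answered=s["responses"] > 0) for spi, s in stats.items()}

def build_header(spi_i, spi_r, exch, flags, msg_id, payload_len=0) -> bytes:
    """Constructed test packet: next payload 33 (SA), version byte 0x20 = IKEv2.0."""
    return struct.pack("!QQBBBBII", spi_i, spi_r, 33, 0x20, exch, flags, msg_id, 28 + payload_len)

# Constructed capture: three retransmitted requests the peer never answers (the thread's
# symptom) next to a healthy exchange on a second SPI whose response carries a real SPIr.
CAPTURE = [
    build_header(0x1122334455667788, 0, 34, FLAG_INITIATOR, 0),
    build_header(0x1122334455667788, 0, 34, FLAG_INITIATOR, 0),
    build_header(0x1122334455667788, 0, 34, FLAG_INITIATOR, 0),
    build_header(0x0A0B0C0D0E0F1011, 0, 34, FLAG_INITIATOR, 0),
    build_header(0x0A0B0C0D0E0F1011, 0xCAFEF00DDEADBEEF, 34, FLAG_RESPONSE, 0),
]

if __name__ == "__main__":
    for spi, s in diagnose(CAPTURE).items():
        print(f"SPIi {spi:016x}: {s['requests']} requests, {s['responses']} responses, "
              + ("peer answered" if s["answered"] else "peer never answered"))
```

On a real capture, feed the UDP payloads of port 500 packets (after skipping the 4-byte non-ESP marker on port 4500) into `diagnose` instead of `CAPTURE`.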
