#1 Untangler (Join Date: Feb 2009, Posts: 32)

One-to-one source NATting over IPSec VPN... possible?

    Hello. I always appreciate the help on this forum. I can usually find my answer by searching, but this one evades me.

    My client is implementing some new software in April. It requires IPSec VPN which I am currently running as a trial. (7 days left)

    They have Untangle 12.2.1 with freebie apps only, and it has always been great for them in the past. I'm concerned that this is not possible with Untangle.

I have an IPSec tunnel configured and connected. It shows as active. The host demands that we use 1 to 1 NAT for all outgoing traffic. Our internal network is 192.168.0.0/24. The host must see our network as 10.136.29.0/24, when connecting to the 172.25.24.0/22 network, which is their internal network. The remote network must see a local IP that is, say, 192.168.0.10 as 10.136.29.10. It's not happening.

    On the IPSec Tunnels tab, I have Local Network and Remote Network set as above. It is connected and active, but we can't browse or ping.

Under Config, Network, NAT Rules I tried to make a NAT rule of "Destination Address is 172.25.24.0/22", NAT Type Custom, New Source 10.136.29.0/24. It won't let me do it. It will only let me enter a single IP address in the New Source.

    Cisco, Sonicwall, and Sophos firewalls are capable and supported by the host company. It seems to me that Untangle would be capable of this as well. Please help me out, and let me know if I need to go shopping for an expensive firewall that I don't like as much as Untangle!

#2 dmorris (Untangle Junkie, San Carlos, CA; Join Date: Nov 2006, Posts: 17,486)

    You need to use multiple rules.
    Attention: Support and help on the Untangle Forums is provided by volunteers and community members like yourself.
    If you need Untangle support please call or email support@untangle.com

#3 Untangler (Join Date: Feb 2009, Posts: 32)

    Oh... so a NAT rule for every connection. Not exactly what I was hoping to hear. I'll try a few and test it.

    Thanks for the info.

#4 Untangler (Join Date: Feb 2009, Posts: 32)

    I did successfully ping the gateway on the other side with single NAT rules created.

    So... for incoming connections, would I have to make a port forward to every destination?

    For example, a simple port forward rule with only Destination Address of 10.136.29.106 and New Destination 192.168.0.106, no port or protocols specified... I suppose a Source Address of 172.25.24.0/22 ... but I'm not sure that matters.

    There are only 19 devices total on the network, so it wouldn't kill me to do this... if it works.
    Last edited by jrobbins; 02-26-2017 at 08:21 AM.

#5 dmorris (Untangle Junkie, San Carlos, CA; Join Date: Nov 2006, Posts: 17,486)

    If you want inbound, yes. https://wiki.untangle.com/index.php/1:1_NAT
    Also add an alias because Untangle now owns that IP.

    For the record I wouldn't suggest doing double NAT at all.
I understand that there are often constraints to work with, but usually when you find yourself doing it, it's the wrong solution.
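Since the thread establishes that Untangle only takes a single address in New Source and in New Destination, the practical job is to generate one outbound NAT rule and one inbound port forward per host and to keep the two ranges consistent. The following Python script is an added example, not code from the thread, from Untangle, or from dmorris; it uses the three networks the posts name and produces rule entries whose field names (source_address, destination_address, nat_type, new_source, new_destination) are assumptions that mirror the UI labels mentioned in the thread, not an Untangle API. It also performs the two sanity checks a practitioner would want before typing rules in by hand: both sides of a 1:1 mapping must be the same size, and neither side may overlap the remote network.

```python
"""
1:1 (one-to-one) NAT rule generator for the scenario in this thread
(added example; not part of the original posts or of Untangle).
Untangle's NAT rule accepts a single New Source, so each internal host
that must reach the remote network gets its own rule; inbound traffic
likewise needs one port forward per translated address.
"""
from ipaddress import IPv4Address, IPv4Network
from typing import Dict, List, Optional

# Values from the thread: the local LAN, the range the VPN host must see,
# and the host's internal network reached through the IPSec tunnel.
LOCAL_NET = "192.168.0.0/24"
TRANSLATED_NET = "10.136.29.0/24"
REMOTE_NET = "172.25.24.0/22"


def check_plan(local: str = LOCAL_NET, translated: str = TRANSLATED_NET,
               remote: str = REMOTE_NET) -> Optional[str]:
    """Return None if the ranges form a sane 1:1 NAT plan, else the reason.

    1:1 NAT keeps the host part of the address, so both sides must have
    the same prefix length, and neither side may overlap the remote
    network (that overlap is exactly the conflict the translation avoids).
    """
    loc, tr, rem = (IPv4Network(n) for n in (local, translated, remote))
    if loc.prefixlen != tr.prefixlen:
        return f"{loc} and {tr} differ in size; 1:1 NAT needs equal prefix lengths"
    for net in (loc, tr):
        if net.overlaps(rem):
            return f"{net} overlaps the remote network {rem}"
    return None


def map_host(addr: str, src: str, dst: str) -> str:
    """Translate addr from network src to the same host offset in dst."""
    ip = IPv4Address(addr)
    src_net, dst_net = IPv4Network(src), IPv4Network(dst)
    if ip not in src_net:
        raise ValueError(f"{ip} is not inside {src_net}")
    offset = int(ip) - int(src_net.network_address)
    return str(dst_net.network_address + offset)


def outbound_rules(hosts: List[str], local: str = LOCAL_NET,
                   translated: str = TRANSLATED_NET,
                   remote: str = REMOTE_NET) -> List[Dict[str, str]]:
    """One NAT rule per host: traffic to the remote network leaves
    with the translated source address (field names are assumed)."""
    return [
        {
            "source_address": h,
            "destination_address": remote,
            "nat_type": "Custom",
            "new_source": map_host(h, local, translated),
        }
        for h in hosts
    ]


def inbound_rules(hosts: List[str], local: str = LOCAL_NET,
                  translated: str = TRANSLATED_NET,
                  remote: str = REMOTE_NET) -> List[Dict[str, str]]:
    """One port forward per host: connections from the remote network
    to the translated address are delivered to the real host."""
    return [
        {
            "source_address": remote,
            "destination_address": map_host(h, local, translated),
            "new_destination": h,
        }
        for h in hosts
    ]


if __name__ == "__main__":
    # Constructed sample host list (the thread mentions 19 devices; two shown).
    hosts = ["192.168.0.10", "192.168.0.106"]
    problem = check_plan()
    if problem:
        raise SystemExit(problem)
    for rule in outbound_rules(hosts) + inbound_rules(hosts):
        print(rule)
```

Running it prints the two outbound rules (192.168.0.10 becomes 10.136.29.10 and 192.168.0.106 becomes 10.136.29.106 towards 172.25.24.0/22) and the matching inbound forwards. Keeping the source restricted to 172.25.24.0/22 on the inbound entries, and adding the specific ports the application needs rather than leaving protocol and port open, limits what the remote side can reach through the tunnel.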

#6 Untangler (Join Date: Feb 2009, Posts: 32)

    I guess I didn't realize this is actually a kind of manual double NAT. It's only for the VPN traffic.

The Cisco VPN host apparently has about 400 VPN client networks, and half of them are probably 192.168.0.0, hence the source NATting. I didn't consider adding an alias, since this is an internal IP. I would think adding an internal IP alias to an external interface would be a big no-no.

    I plan on trying it, anyway. If it works, my client gets by with paying for Untangle's IPSec VPN app. If not, I guess we're shopping.

    I'd rather add a bunch of manual entries to Untangle than change the network from 192.168 to 10.136. I don't know for sure if that would work for them either.
