CPUG
The Check Point User Group
A Resource For The Check Point Community. Fast. Useful. Independent.
Hallo firewall experts,

I have been reading the articles concerning site-to-site VPNs and NAT and have not been able to find a resource that might help me with a NAT and VPN problem I'm having.

Our situation is that we have a site-to-site VPN to an external partner and a leased line to a second external partner, with our environment in the middle.

Partner1 <==site2site==> Our FW <== leased line ==> Partner2

The normal traffic flow is from Partner1 to either our environment or sometimes to Partner2; the traffic to Partner2 is first decrypted and then forwarded via hiding NAT. This all works fine :-) Partner1 has no NATing through the VPN.

The problem that I have is with traffic that comes from Partner2 to Partner1. I have a static NAT that looks like this:

src. Partner2 --> dst. public address --> ser. any || src. original --> dst. static IP Partner1 --> ser. any

I can see that the NAT works fine in the logs. The problem is that the dst. static IP Partner1 is part of the VPN domain and should be encrypted. This does not happen.

I have tried to reproduce this by using a DMZ server as Partner2 with static NAT and trying to reach Partner1. I have access to the Partner1 firewall and no access to Partner2.

This is the DMZ server talking to the NAT address; I see that after the NAT the traffic left the external interface and was NOT encrypted.

[fw_0] eth5:i[84]: 194.37.61.48 -> 194.37.66.142 (ICMP) len=84 id=35509 ICMP: type=8 code=0 echo request id=5205 seq=0
[fw_0] eth5:I[84]: 194.37.61.48 -> 192.168.1.130 (ICMP) len=84 id=35509 ICMP: type=8 code=0 echo request id=5205 seq=0
[fw_0] eth2:o[84]: 194.37.61.48 -> 192.168.1.130 (ICMP) len=84 id=35509 ICMP: type=8 code=0 echo request id=5205 seq=0
[fw_0] eth2:O[84]: 194.37.61.48 -> 192.168.1.130 (ICMP) len=84 id=35509

This is the DMZ server speaking directly with the Partner1 address; this works and is being encrypted. :-)

[fw_0] eth5:i[84]: 194.37.61.48 -> 192.168.1.130 (ICMP) len=84 id=6788 ICMP: type=8 code=0 echo request id=5610 seq=0
[fw_0] eth5:I[84]: 194.37.61.48 -> 192.168.1.130 (ICMP) len=84 id=6788 ICMP: type=8 code=0 echo request id=5610 seq=0
[fw_0] eth2:o[84]: 194.37.61.48 -> 192.168.1.130 (ICMP) len=84 id=6788 ICMP: type=8 code=0 echo request id=5610 seq=0

Any help would be much appreciated, or if I have missed a reference or a previous post, please give a short reference.

Many thanks
Robert
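The trace above can be checked mechanically rather than by eye. The following is an added example, not code from the thread or from Check Point: it parses fw monitor header lines and flags any packet seen at the post-outbound capture point (O) on the external interface whose destination is inside the peer's VPN domain but which is not an ESP packet, i.e. a packet that left in cleartext. It assumes eth2 is the external interface and that Partner1's VPN domain is 192.168.1.0/24 (both constructed from the post); the ESP line in the direct-case trace is constructed with placeholder gateway addresses, because the post omits the post-encryption line. The same domain check is what the replies below point at: the NATed public address has to be covered by an encryption domain for the packet to be encrypted at all.

```python
"""Flag cleartext packets leaving an external interface toward a VPN domain
in Check Point fw monitor output (added example, not from the post)."""
import ipaddress
import re

# fw monitor prints one header line per capture point: i (pre-inbound),
# I (post-inbound), o (pre-outbound), O (post-outbound). VPN encryption is
# done in the outbound chain, so a packet seen at O on the external
# interface has already had its chance to be encrypted.
FW_MONITOR_RE = re.compile(
    r"\[fw_\d+\]\s+(?P<iface>\w+):(?P<point>[iIoO])\[\d+\]:\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})\s+->\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\s+\((?P<proto>\w+)\)"
)


def parse_fw_monitor(line):
    """Return interface, capture point, addresses and protocol of one
    fw monitor header line, or None for continuation/other lines."""
    m = FW_MONITOR_RE.search(line)
    return m.groupdict() if m else None


def cleartext_leaks(lines, vpn_domain, external_ifaces):
    """Return (src, dst, proto) for every packet that left an external
    interface unencrypted although its destination is in the VPN domain."""
    leaks = []
    for line in lines:
        pkt = parse_fw_monitor(line)
        if pkt is None or pkt["point"] != "O":
            continue
        if pkt["iface"] not in external_ifaces:
            continue
        dst = ipaddress.ip_address(pkt["dst"])
        if pkt["proto"] != "ESP" and any(dst in net for net in vpn_domain):
            leaks.append((pkt["src"], pkt["dst"], pkt["proto"]))
    return leaks


# Assumed values: Partner1's VPN domain and the gateway's external interface
# (the post shows the packet leaving on eth2).
VPN_DOMAIN_PARTNER1 = [ipaddress.ip_network("192.168.1.0/24")]
EXTERNAL_IFACES = {"eth2"}

# Failing case, lines quoted from the post: DMZ host -> NATed public
# address -> Partner1. The eth2:O line is still plain ICMP.
TRACE_NATTED = [
    "[fw_0] eth5:i[84]: 194.37.61.48 -> 194.37.66.142 (ICMP) len=84 id=35509",
    "ICMP: type=8 code=0 echo request id=5205 seq=0",
    "[fw_0] eth5:I[84]: 194.37.61.48 -> 192.168.1.130 (ICMP) len=84 id=35509",
    "[fw_0] eth2:o[84]: 194.37.61.48 -> 192.168.1.130 (ICMP) len=84 id=35509",
    "[fw_0] eth2:O[84]: 194.37.61.48 -> 192.168.1.130 (ICMP) len=84 id=35509",
]

# Working case: the post's lines plus a CONSTRUCTED post-encryption line
# (ESP from a placeholder gateway 198.51.100.1 to a placeholder peer
# 203.0.113.10), which the post does not show.
TRACE_DIRECT = [
    "[fw_0] eth5:i[84]: 194.37.61.48 -> 192.168.1.130 (ICMP) len=84 id=6788",
    "[fw_0] eth5:I[84]: 194.37.61.48 -> 192.168.1.130 (ICMP) len=84 id=6788",
    "[fw_0] eth2:o[84]: 194.37.61.48 -> 192.168.1.130 (ICMP) len=84 id=6788",
    "[fw_0] eth2:O[136]: 198.51.100.1 -> 203.0.113.10 (ESP) len=136 id=6788",
]

if __name__ == "__main__":
    for name, trace in (("NATed", TRACE_NATTED), ("direct", TRACE_DIRECT)):
        leaks = cleartext_leaks(trace, VPN_DOMAIN_PARTNER1, EXTERNAL_IFACES)
        print(f"{name}: {leaks or 'no cleartext leak'}")
```

Run it against a saved `fw monitor` capture after each NAT or VPN-domain change; an empty result for the NATed path is the check that the fix described further down in the thread actually took effect.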
If I've followed it through properly, your problem is encryption domains. I think that public IP address being NATted to Partner 2 needs to be in your encryption domain. NAT and encryption domains can get a bit messy. I think it's just that one that's not right, since P1->P2 is working OK.
Last edited by robert58; 2010-03-10 at 03:32.
Success, Success. Thx ShadowPeak & Northlandboy, you got me going in exactly the right direction. I added the dst. public address to the Partner1 manually defined VPN topology and created a group. Then I removed the public NAT address from our VPN domain, then I turned on NAT inside the VPN community under advanced VPN properties for Partner1. Thx to all for the support and the CPUG. Cheers r