Equipment to NAT traffic through VPN tunnel

seunghwaz (n00b, joined Dec 10, 2009, 6 messages)
Hello.

I'm setting up a VPN IPSec tunnel with another company, and they will only allow all of the traffic from my side to be NAT'ed to my public IP. I currently have an RV082, and was able to successfully connect the tunnel, but all of my traffic is going through as my local IP. I need a device that can NAT traffic that will go through the VPN tunnel.

Could someone please recommend a VPN router that can do this? It's for a small office (<10 workstations).

Thank you.
 
SonicWall is geared towards small business and offices. If you want a bit more powerful one you can look into WatchGuard as well.
 
They want your public IP, the same IP that is used to terminate the VPN tunnel, to be all they see through the VPN? Hmm. I know you can do it with two public IP's, but you'll have to NAT before IPSEC. A Cisco ASA can do this. 'Not quite sure with a single IP.
 
Create a loopback interface on your WAN router (using your public address for it) and terminate the IPSEC tunnel on it. Then use NAT overload (PAT) to obscure your internal addresses using the loopback interface as the overload address.

It's pretty easy to do on just about any Cisco router or ASA firewall.

If you only have 1 public IP and it is serving as the "external" interface address of the router/firewall then just terminate the tunnel there and define an ACL to match traffic that you want to have passed through the tunnel.
 
I found this searching the web. Does this make sense to you guys? I'm looking to purchase the cheapest ASA5505. Would this be able to do this also? Thank you.

I couldn't find any clear information on the Internet about this, so I thought I would outline it here. Say you have to set up a LAN-to-LAN VPN to a third party who can't accept traffic from the subnet you have created on your internal network because your network overlaps with theirs, or as in my case, they just want one address coming over to their network. The answer is to NAT that VPN traffic using a non-overlapping IP address.

Let's say we have the following parameters:

Your Network: 172.20.30.0/24
Their Network: 172.20.31.0/24
Host you need access to on the other side: 172.20.31.110

Simplistic example but you get the idea. You need to access the host address above to run a certain application. The 3rd party also provides you with the address they want you to use for your NAT.

IP Address Provided by 3rd Party: 192.168.35.17

OK so you know you have to make all of your traffic look like it is coming from 192.168.35.17 to make this VPN work, but the question is how. This is where I got stuck. There are very few articles on the web that deal with this situation and I had to end up piecing the eventual answer together from several different articles. But here you go:

First, create an access-list that will allow your traffic coming from your network to access the host on the 3rd party network

access-list VPN permit ip 172.20.30.0 255.255.255.0 host 172.20.31.110

Next, create an access-list that will allow the NAT address to access the host on the 3rd party network

access-list VPN_NAT permit ip host 192.168.35.17 host 172.20.31.110

Now create a NAT statement that flags traffic coming from your network heading to the 3rd party host

nat (inside) 20 access-list VPN

Next create a GLOBAL statement that NATs the traffic flagged as interesting in the above statement into the address provided by the 3rd party

global (outside) 20 192.168.35.17

Finally create a crypto map statement in your VPN configuration that flags the necessary traffic as interesting so the VPN knows when to start

crypto map testmap 120 match address VPN_NAT
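The five statements above, gathered into one place as an added example (this is not from the quoted write-up or from anyone in the thread). The first half is the pre-8.3 ASA syntax the write-up uses, with the pieces it leaves out (peer, transform set, binding the map to an interface) shown as placeholders; the second half expresses the same policy NAT in the object-based "twice NAT" syntax that ASA 8.3 and later require. Interface names "inside"/"outside", the object names, and <PEER_IP>/<TRANSFORM_SET> are assumptions; the addresses are the ones from the write-up.

```text
! Added example, not the quoted post's config. Assumes interfaces named
! "inside" and "outside"; <PEER_IP> and <TRANSFORM_SET> are placeholders
! for the values the third party supplies (IKE policy not shown).

! ---- ASA 8.2 and earlier: policy NAT with nat/global, as in the write-up
access-list VPN     extended permit ip 172.20.30.0 255.255.255.0 host 172.20.31.110
access-list VPN_NAT extended permit ip host 192.168.35.17 host 172.20.31.110
nat (inside) 20 access-list VPN
global (outside) 20 192.168.35.17
crypto map testmap 120 match address VPN_NAT
crypto map testmap 120 set peer <PEER_IP>
crypto map testmap 120 set transform-set <TRANSFORM_SET>
crypto map testmap interface outside

! ---- ASA 8.3 and later: same policy as a manual ("twice") NAT rule
object network LOCAL_LAN
 subnet 172.20.30.0 255.255.255.0
object network REMOTE_HOST
 host 172.20.31.110
object network VPN_NAT_IP
 host 192.168.35.17
! Inside hosts bound for the remote host are PAT'ed to the single NAT address;
! the destination is kept unchanged. Put this rule ahead of any general
! internet PAT rule so it matches first.
nat (inside,outside) 1 source dynamic LOCAL_LAN VPN_NAT_IP destination static REMOTE_HOST REMOTE_HOST
! The crypto ACL matches the post-NAT address, so only 192.168.35.17 ever
! appears as a source inside the tunnel.
access-list VPN_NAT extended permit ip host 192.168.35.17 host 172.20.31.110
crypto map testmap 120 match address VPN_NAT
```

On 8.4 and later the transform-set line becomes `set ikev1 transform-set`. Because the crypto ACL permits only the NAT address to the one remote host, traffic that somehow bypassed the NAT rule would not match the tunnel at all rather than leak through with a private source; after bringing the tunnel up, `show xlate` (or `show nat` on 8.3+) should show translations to 192.168.35.17 and `show crypto ipsec sa` should show the encaps/decaps counters rising for that one host pair.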
 
There are a lot of commands missing from the example above (IKE negotiation parameters and the site-to-site tunnel config for example) but that covers it at the conceptual level.

Make sure the ASA you are buying has the appropriate crypto license so that the protocols match on each side, i.e. SHA1/AES negotiation which is pretty common now.

Assuming the hardware on each side is working you need to first build the tunnel, make sure all the routes are in place and then define the NAT inside and outside rules as outlined above using an ACL to define which traffic needs to be NAT'd and tunneled.
 
Thank you for the license reminder, too. Did not occur to me to check it. I hope this works.
 