site to site VPN connection, allowed traffic, and NAT issue

dalearyous

so, you have a corp office on a 10.10.0.0/16 network, you have a branch office on a 172.16.254.0/24 network, and that branch office has an interface on the firewall configured to talk to a separate vendor's devices on a 192.168.100.0/24 network. you set up static NAT to basically NAT a device on the 192 network to an IP on the 172 network. you can ping and talk to the devices just fine if you are at the branch office. however, pinging the device from the corp office does not work.

do I have to allow the 192 traffic through the tunnel? in my mind the answer is no, because the NAT translation is happening at the branch office and sending the traffic along. so just because the tunnel is configured to only allow 10.10.0.0/16 <-> 172.16.254.0/24 it shouldn't be dropping the 192 traffic because the NAT has changed the header ... ?
 
Questions.

1. Do you see the traffic getting dropped? If so where?
2. Does the device on the 192.168.100.0 network have a return route to your corp network?
 
1. we do not see the traffic getting dropped
2. the device on the 192.168.100.0 network does not have a route to our corp network.

the vendor is claiming that the route is not necessary and being stubborn about changing their config. that was my initial thought too. except wouldn't pinging anything on the 192.168.100.0 network fail entirely if it were a route issue? because it does work if you ping a 192 device from a 172 device that is at the local branch.
 
The devices on 192.168.100.0 must know how to get to the 10.10.0.0 network. Please note that can be via a default route, so long as the default route has a correct route. Further, the VPN tunnel has to be configured for 10.10.0.0/24 as well OR you need to NAT your 10.10.0.0 sources as 172.16.254.0 sources. If you NAT the 10.10.0.0 sources to something on the 172 then all the work will be on your equipment and you can leave the vendor out of it. Personally I would keep things simple and configure the VPN tunnel so that the correct SAs are built and add the correct routing on the other side of the tunnel. Unless there is a good reason to over-tech the plumbing, don't.
 
1.) Even though you have a SNAT for all devices on the 192.168.100.0/24 network to be translated to something on the 172 network, that doesn't resolve how traffic from the 10.10.0.0/16 network can get there. You will need to have a static route on your corp router that says Destination 192.168.100.0/24 to use a gateway that exists on the router that has that network connected, or some other router in the middle that can route you there. As the above poster said, you will also need a static route on the other router for traffic to return.
2.) You can have traffic flow between the 172.16.254.0/24 network and the 192.168.100.0/24 network because both of those networks are direct attached to the same router. Static routes are not required in this case.
3.) If this is a VPN, you will need to have access rules and also NAT working properly for traffic to flow between the two.

A few ninja edits.
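As an added illustration of the point the replies above make (this is not code from any poster), the following Python model walks a ping from corp to the NATed vendor address through the tunnel selectors, the branch firewall's static NAT, and the vendor device's routing table, and shows why the request is never "dropped" yet no reply ever comes back. The host addresses 10.10.5.7, 172.16.254.10, 172.16.254.200, 192.168.100.5 and 172.16.254.1 are constructed for the example.

```python
import ipaddress as ipa

CORP   = ipa.ip_network("10.10.0.0/16")       # corp office
BRANCH = ipa.ip_network("172.16.254.0/24")    # branch office LAN
VENDOR = ipa.ip_network("192.168.100.0/24")   # vendor segment behind the branch firewall
# site-to-site tunnel selectors exactly as the thread describes them: 10.10/16 <-> 172.16.254/24
TUNNEL_SELECTORS = [(CORP, BRANCH)]

def tunnel_allows(src, dst):
    """True if the (src, dst) pair matches a tunnel selector in either direction."""
    return any((src in a and dst in b) or (src in b and dst in a) for a, b in TUNNEL_SELECTORS)

def trace_ping(src, dst, static_nat, vendor_routes, snat_corp_to=None):
    """Follow an echo request src->dst and its reply through the branch firewall.
    static_nat:    {172-side address: real 192 address} (the firewall's static NAT)
    vendor_routes: networks the vendor device can route to (its own LAN is connected)
    snat_corp_to:  optional 172 address the branch firewall rewrites corp sources to
    """
    src, dst = ipa.ip_address(src), ipa.ip_address(dst)
    remote = src in CORP                      # corp traffic has to cross the tunnel
    if remote and not tunnel_allows(src, dst):
        return f"dropped: no SA for {src}->{dst}"
    if static_nat.get(dst) is None:           # DNAT 172 address -> real 192 device
        return f"dropped: no static NAT for {dst}"
    inner_src = ipa.ip_address(snat_corp_to) if (remote and snat_corp_to) else src
    # the vendor device must be able to route its reply to whatever source it saw
    if not any(inner_src in net for net in vendor_routes):
        return f"reply blackholed: vendor device has no route to {inner_src}"
    # reply path: firewall un-NATs the source back to dst (and inner_src back to src)
    if remote and not tunnel_allows(dst, src):
        return f"reply dropped: no SA for {dst}->{src}"
    return "ok"

NAT = {ipa.ip_address("172.16.254.200"): ipa.ip_address("192.168.100.5")}  # constructed
VENDOR_KNOWS = [VENDOR, BRANCH]   # vendor device today: knows the branch LAN, not corp

def scenarios():
    corp, nated = "10.10.5.7", "172.16.254.200"
    return {
        "branch host -> vendor": trace_ping("172.16.254.10", nated, NAT, VENDOR_KNOWS),
        "corp -> vendor (as described)": trace_ping(corp, nated, NAT, VENDOR_KNOWS),
        "corp -> vendor, vendor adds default route":
            trace_ping(corp, nated, NAT, VENDOR_KNOWS + [ipa.ip_network("0.0.0.0/0")]),
        "corp -> vendor, branch SNATs corp sources":
            trace_ping(corp, nated, NAT, VENDOR_KNOWS, snat_corp_to="172.16.254.1"),
    }

if __name__ == "__main__":
    for name, verdict in scenarios().items():
        print(f"{name}: {verdict}")
```

The second scenario matches the symptom in the thread: the branch firewall sees nothing to drop because the request is delivered and the reply simply never leaves the vendor device; either of the two fixes the replies propose (a route back to corp on the vendor side, or SNAT of corp sources on the branch firewall) makes it succeed.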
 