
moarsmor

@telenor.com

Inbound SNAT/DNAT

OK, we already have an IPsec VPN connection to a subnet 192.168.1.0/24, but are now introducing a new connection that is using the same IP subnet.
We will change the IP setup for the new network in a few months, but would like to have a temporary connection until then.
I would obviously need to NAT the remote subnet in the best possible way.
The remote fw/router is an Astaro ASG220 and the local router is a USG300.

In the Astaro I can do SNAT, but with slightly old firmware I would have to create a rule for each IP that is in that network (that would make 254 SNAT rules), and a fw upgrade is currently not an option.
I then looked at the inbound traffic NAT in our USG300, under the IPsec rule.
I set the inbound traffic to SNAT to 192.168.12.0/24.
When doing a ping from the remote subnet to a host in our local subnet, we get no response.
I do a packet trace on the local host and see that the ICMP packet is indeed SNATted to 192.168.12.X, so the setting seems to work.
But do we have to do some sort of DNAT from the SNATted IP back to the original IP to get the traffic back to the remote subnet, or is this done automatically by the previously mentioned SNAT rule?
We tried setting up a policy route that would route traffic for the SNATted subnet to the correct VPN tunnel, but with no success so far, as the USG300 claims there is no rule for the SNATted subnet.
This is of course true, as the rule is set up based on the original IP subnet as the remote network.
I also cannot route 192.168.1.x traffic to this rule or NAT the 192.168.1.x traffic with full NAT, as it is already used for traffic to another VPN rule.

Is there any way to solve this problem besides fw upgrade/switch router at the remote site or 254 SNAT rules ?

Thanks.
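The question above asks whether a stateful SNAT needs a matching DNAT rule for the return traffic. The following is an added example, not code from the original post or from either vendor: a small model of a stateful 1:1 subnet NAT (what Linux calls NETMAP) that rewrites the remote 192.168.1.0/24 to 192.168.12.0/24 on the way in and reverses the rewrite on the reply from its own connection-tracking table, which is why no separate DNAT rule is needed for replies as long as the reply reaches the same NAT device and can then be routed back into the right tunnel. The local subnet 10.0.0.0/24, the hosts and the ICMP echo id are assumed for illustration; only the two remote subnets come from the post.

```python
"""
Added example (not from the original post or from Astaro/ZyXEL code): a model
of stateful 1:1 subnet NAT (Linux NETMAP style).  A single mapping covers all
254 hosts, and replies are de-NATed from the connection-tracking table rather
than by a second explicit DNAT rule.
"""
from dataclasses import dataclass
import ipaddress

REMOTE_NET = ipaddress.ip_network("192.168.1.0/24")   # overlapping remote subnet (from the post)
MAPPED_NET = ipaddress.ip_network("192.168.12.0/24")  # address range the post SNATs it to
LOCAL_NET = ipaddress.ip_network("10.0.0.0/24")       # assumed local subnet (not in the post)


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str   # "icmp" or "tcp"
    sport: int   # for ICMP echo: the echo identifier
    dport: int   # for ICMP echo: 0


def netmap(addr, from_net, to_net):
    """1:1 network mapping: keep the host bits, swap the network prefix."""
    ip = ipaddress.ip_address(addr)
    if from_net.prefixlen != to_net.prefixlen:
        raise ValueError("1:1 mapping needs equal prefix lengths")
    if ip not in from_net:
        raise ValueError(f"{addr} is not in {from_net}")
    host_bits = int(ip) - int(from_net.network_address)
    return str(to_net.network_address + host_bits)


class StatefulNetmap:
    """SNAT remote -> mapped on the way in; undo it on replies via conntrack."""

    def __init__(self):
        # key: (mapped_src, dst, proto, sport, dport) -> original remote source
        self.conntrack = {}

    def inbound(self, pkt):
        """Remote -> local: rewrite the source and remember the flow."""
        if ipaddress.ip_address(pkt.src) not in REMOTE_NET:
            return pkt  # not the overlapping subnet, leave it alone
        mapped = netmap(pkt.src, REMOTE_NET, MAPPED_NET)
        self.conntrack[(mapped, pkt.dst, pkt.proto, pkt.sport, pkt.dport)] = pkt.src
        return Packet(mapped, pkt.dst, pkt.proto, pkt.sport, pkt.dport)

    def reply(self, pkt):
        """Local -> remote: restore the original destination from conntrack.

        Returns None when no state exists, i.e. a locally originated packet
        towards 192.168.12.x; that direction needs a static reverse mapping
        (or a DNAT rule) instead of conntrack.
        """
        key = (pkt.dst, pkt.src, pkt.proto, pkt.dport, pkt.sport)
        orig_src = self.conntrack.get(key)
        if orig_src is None:
            return None
        return Packet(pkt.src, orig_src, pkt.proto, pkt.sport, pkt.dport)


def ping_round_trip(remote_host, local_host, echo_id=0x1234):
    """Simulate the ping from the post; return (src seen locally, dst on the reply)."""
    nat = StatefulNetmap()
    request = Packet(remote_host, local_host, "icmp", echo_id, 0)
    seen_by_local = nat.inbound(request)
    # the local host answers the translated address it saw
    echo_reply = Packet(local_host, seen_by_local.src, "icmp", 0, echo_id)
    back_to_remote = nat.reply(echo_reply)
    return seen_by_local.src, back_to_remote.dst


if __name__ == "__main__":
    print(ping_round_trip("192.168.1.20", "10.0.0.5"))
```

The model also makes the second half of the post's problem visible: after the reply is de-NATed its destination is again 192.168.1.20, so the router's tunnel selection still has to be made on the original overlapping subnet, which is exactly the policy-route lookup that fails when two tunnels claim 192.168.1.0/24.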