Policy-based VPN and NAT (MIP)



  • Hi all.

    I’m trying to troubleshoot a problem. My goal is to receive connections over a VPN and NAT them to an internal IP. The incoming connections have a given destination IP address, so I’m using that one to translate it to an internal one. The IP packets come out of the tunnel with a destination IP of, say, 10.1.0.1 - so I must translate that to an internal address.

    I understand how it works theoretically but I’m having difficulty piecing the Netscreen components together.

    What I’ve done:

    • configured IKE (ph1 and ph2 proposals)

    • created a tunnel interface tunnel.2, which:

      • Has a fixed ip address (say, 10.1.0.2/30)

      • Is bound to a security zone (untrust), since this is what you need for nat, says the manual - p. 4-125

      • Has a mapped ip 10.1.0.1 pointing to, say, the host 10.0.0.33

    • Created the policy, or at least: tried to, which should allow inbound connections over the tunnel to the mapped IP. I put this in:

      • From the source range of the IP addresses on the other side of the vpn tunnel (untrust)

      • to the mapped IP (global zone)

      • action: tunnel

      • tunnel vpn: my ph2 proposal

      • The service remains set to “any”

      This gives me this error:

      VPN policy with MIP requires VPN bind to corresponding tunnel zone.
      
      vpn invalid or not exist.
      

      So I can solve the error by binding the VPN tunnel (PH1 proposal, advanced) to a tunnel zone (untrust-tun), which allows me to create the policy. But, I guess I have to put the tunnel interface in that zone too? I find this confusing, since - if I understood the documentation - it should be possible to put a (numbered) tunnel interface in a security zone and support policy-based NAT this way, or am I wrong and is it really like this:

      • If you want NAT at the endpoint of a VPN tunnel, routing-based VPN means having a tunnel interface in a security zone and vice versa

      • If you want NAT at the endpoint of a VPN tunnel, policy-based VPNs means having a tunnel interface in a tunnel zone and vice versa

      ??
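For reference, the arrangement the error message asks for (VPN bound to a tunnel zone, tunnel interface and MIP in that same zone, policy from untrust to global with action tunnel) written out as ScreenOS CLI. This is an added illustration, not the poster's configuration or a vendor example; the gateway and VPN names, peer address 203.0.113.10, remote range 192.168.50.0/24, outgoing interface ethernet3, proposal names and the preshared-key placeholder are all assumed.

```screenos
# Phase 1 / Phase 2 (gateway name, peer address, proposals are assumed values)
set ike gateway gw-remote address 203.0.113.10 main outgoing-interface ethernet3 preshare REPLACE_ME proposal pre-g2-3des-sha
set vpn vpn-remote gateway gw-remote proposal g2-esp-3des-sha
# Bind the VPN to the tunnel zone - this is what the policy error is asking for
set vpn vpn-remote bind zone untrust-tun

# The tunnel interface goes in the tunnel zone, not in the untrust security zone
set interface tunnel.2 zone untrust-tun
set interface tunnel.2 ip 10.1.0.2/30
# MIP on the tunnel interface: 10.1.0.1 (what the peer sees) -> 10.0.0.33 (internal host)
set interface tunnel.2 mip 10.1.0.1 host 10.0.0.33 netmask 255.255.255.255 vr trust-vr

# Inbound policy: remote range (untrust) -> MIP (global zone), service any, action tunnel
set address untrust remote-lan 192.168.50.0 255.255.255.0
set policy from untrust to global remote-lan mip(10.1.0.1) any tunnel vpn vpn-remote
```

Only traffic to 10.1.0.1 that arrives through vpn-remote matches this policy, so the MIP is not reachable from the untrust zone outside the tunnel.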
