ScreenOS Firewalls (NOT SRX)
Visitor
Posts: 2
Registered: ‎08-08-2017
0 Kudos

Set Public IP address for Tunnel

I have an SSG5 which connects directly to the Internet using PPPoE. So it has a static public IP on the untrusted interface.

A VPN tunnel from the LAN connects to a data center in Japan.  This has been working successfully for many years.

Now I need to put it behind a router. This will result in the untrusted zone IP being a NAT address in the range of 192.168.1.0/24

As soon as I do this, I cannot connect to the servers in Japan.  The VPN tunnel, however, is up: just no data is returned.  I do know that the Japanese side filters based upon my public IP address as a security precaution.

Acting on a hunch, I added in another router, so my network looked like this:

INTERNET-----59.167.x.x-ROUTER 1-192.168.1.1-----192.168.1.2-ROUTER 2-59.167.x.1-----59.167.x.x-SSG5-192.168.10.1-----LAN

I hope this makes sense: Router 2 made a NAT internal network with a subnet containing my real public IP address, and assigned that to the untrusted interface on my SSG5.  This actually worked, and I could connect to the servers once again.

Obviously triple NAT is not desirable, and is a major hack! So how do I remove ROUTER 2, and tell the SSG5 to replace the 192.168.1.x address with my public address 59.167.x.x for the VPN tunnel?

Any advice would be much appreciated!

Distinguished Expert
Posts: 682
Registered: ‎06-22-2011
0 Kudos

Re: Set Public IP address for Tunnel

The traffic is sent out via the IP on the configured interface.  There is not a way of changing this.  When you made the change, did you enable NAT traversal?

Visitor
Posts: 2
Registered: ‎08-08-2017
0 Kudos

Re: Set Public IP address for Tunnel

Thanks for pointing me in the right direction.

The only place I can see NAT Traversal is for the VPN Gateway (VPNs/AutoKey Advanced/Gateway/Edit/Advanced).

I've tried enabling that, yet it doesn't seem to make any difference: the tunnel still comes up, but no traffic. Is there somewhere else I should be enabling NAT Traversal?

Recognized Expert
Posts: 425
Registered: ‎09-18-2012
0 Kudos

Re: Set Public IP address for Tunnel

Did NAT-T actually kick in when you were being NAT-ed to the 192.168.x.x alone? You can verify it by checking the 'get sa' output. The port number would show 4500, instead of 500.

You may want to enable NAT-T on the remote peer device as well.

Regards,
Gokul
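The 'get sa' check described above, as an added example that is not part of this thread: a small parser that reads ScreenOS-style SA rows and reports, per peer gateway, whether the SAs are riding UDP 4500 (NAT-T in effect) or plain UDP 500. The sample output is constructed to resemble 'get sa' and its column layout is an assumption; the parser keys only on the hex id, gateway, port and state tokens.

```python
import re

# Constructed sample modelled on ScreenOS `get sa` output (not captured from a real
# device); the exact column layout is an assumption, so the parser keys only on the
# <hex id><direction> gateway port ... state tokens and ignores the rest.
SAMPLE_GET_SA = """\
Total active sa: 2
total configured sa: 2
HEX ID    Gateway         Port Algorithm     SPI      Life:sec kb Sta   PID vsys
00000001< 203.0.113.10    4500 esp:3des/sha1 a1b2c3d4  3600 unlim A/-    -1 0
00000001> 203.0.113.10    4500 esp:3des/sha1 d4c3b2a1  3600 unlim A/-    -1 0
00000002< 198.51.100.7     500 esp:aes128/sha1 0badcafe 28800 unlim A/-    -1 0
00000002> 198.51.100.7     500 esp:aes128/sha1 cafe0bad 28800 unlim A/-    -1 0
"""

SA_LINE = re.compile(
    r"^(?P<id>[0-9a-fA-F]{8})(?P<dir>[<>])\s+"
    r"(?P<gateway>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<port>\d+)\s+"
    r"(?P<alg>\S+)\s+(?P<spi>[0-9a-fA-F]+)\s+\d+\s+\S+\s+(?P<state>\S+)"
)

IKE_PORT, NAT_T_PORT = 500, 4500  # IKE/ESP direct vs. UDP-encapsulated (NAT-T)

def parse_get_sa(text):
    """Return one dict per SA row; header and summary lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = SA_LINE.match(line.strip())
        if m:
            row = m.groupdict()
            row["port"] = int(row["port"])
            row["active"] = row["state"].startswith("A")  # Sta column: A/- = active
            rows.append(row)
    return rows

def nat_t_status(text):
    """Per peer gateway: 'nat-t' if its SAs use UDP 4500, 'plain' if UDP 500, else the port."""
    status = {}
    for row in parse_get_sa(text):
        label = {NAT_T_PORT: "nat-t", IKE_PORT: "plain"}.get(row["port"], str(row["port"]))
        if status.setdefault(row["gateway"], label) != label:
            raise ValueError(f"peer {row['gateway']} has SAs on mixed ports")
    return status

if __name__ == "__main__":
    for gw, st in nat_t_status(SAMPLE_GET_SA).items():
        print(f"{gw}: {st}")
```

A peer still reported as 'plain' while the firewall sits behind a NAT router means the UDP 4500 encapsulation never negotiated, which is the condition the reply above asks to rule out.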