ScreenOS Firewalls (NOT SRX)

Set Public IP address for Tunnel

08-08-2017 08:11 AM

I have an SSG5 which connects directly to the Internet using PPPoE. So it has a static public IP on the untrusted interface.

A VPN tunnel from the LAN connects to a data center in Japan. This has been working successfully for many years.

Now I need to put it behind a router. This will result in the untrusted zone IP being a NAT address in the range of 192.168.1.0/24.

As soon as I do this, I cannot connect to the servers in Japan. The VPN tunnel, however, is up: just no data is returned. I do know that the Japanese filter based upon my public IP address as a security precaution.

Acting on a hunch, I added in another router, so my network looked like this:

INTERNET-----59.167.x.x-ROUTER 1-192.168.1.1-----192.168.1.2-ROUTER 2-59.167.x.1-----59.167.x.x-SSG5-192.168.10.1-----LAN

I hope this makes sense: Router 2 made a NAT internal network with a subnet containing my real public IP address, and assigned that to the untrusted interface on my SSG5. This actually worked, and I could connect to the servers once again.

Obviously triple NAT is not desirable, and is a major hack! So how do I remove ROUTER 2, and tell the SSG5 to replace the 192.168.1.x address with my public address 59.167.x.x for the VPN tunnel?

Any advice would be much appreciated!


Re: Set Public IP address for Tunnel

08-08-2017 09:22 AM

The traffic is sent out via the IP on the configured interface. There is not a way of changing this. When you made the change, did you enable NAT traversal?


Re: Set Public IP address for Tunnel

08-08-2017 09:27 PM

Thanks for pointing me in the right direction.

The only place I can see NAT Traversal is for the VPN Gateway (VPNs/AutoKey Advanced/Gateway/Edit/Advanced).

I've tried enabling that, yet it doesn't seem to make any difference: Tunnel still comes up, but no traffic. Is there somewhere else I should be enabling NAT Traversal?


Re: Set Public IP address for Tunnel

08-14-2017 08:03 PM

Did NAT-T actually kick in when you were being NAT-ed to the 192.168.x.x alone? You can verify it by checking the 'get sa' output. The port number would show 4500, instead of 500.

You may want to enable NAT-T on the remote peer device as well.

Regards,
Gokul
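As an added example (not part of this thread, and not Juniper code), here is a small Python checker for the `get sa` verification described in the reply above. It parses constructed sample rows laid out like the ScreenOS `get sa` table (the column layout and the documentation-range gateway addresses are assumptions, not output from the poster's SSG5) and reports, per peer gateway, whether NAT-T is in use (UDP 4500 rather than 500), whether SAs are present and active in both directions, and whether NAT-T should have been expected given the untrust interface address. A private untrust address combined with SAs still on port 500 is flagged as the mismatch the thread is chasing.

```python
import ipaddress
import re

# Constructed sample in the ScreenOS "get sa" column layout (assumption:
# HEX ID, Gateway, Port, Algorithm, SPI, Life:sec, kb, Sta, PID, vsys).
# Gateway addresses are documentation-range placeholders, not real peers.
SAMPLE_GET_SA = """\
Total active sa: 2
total configured sa: 2
HEX ID    Gateway         Port Algorithm       SPI      Life:sec kb Sta   PID vsys
00000001<   203.0.113.10  4500 esp:3des/sha1   a1b2c3d4  3600 unlim A/-    -1 0
00000001>   203.0.113.10  4500 esp:3des/sha1   d4c3b2a1  3600 unlim A/-    -1 0
00000002<   198.51.100.7   500 esp:aes128/sha1 11223344  2400 unlim A/-    -1 0
00000002>   198.51.100.7   500 esp:aes128/sha1 44332211  2400 unlim A/-    -1 0
"""

# One SA row: hex id, direction marker (< inbound, > outbound), peer gateway,
# UDP port, algorithm, SPI, remaining lifetime, kb limit, status flags.
SA_LINE = re.compile(
    r"^(?P<id>[0-9a-fA-F]{8})(?P<dir>[<>])\s+(?P<gw>\d+\.\d+\.\d+\.\d+)\s+"
    r"(?P<port>\d+)\s+(?P<alg>\S+)\s+(?P<spi>[0-9a-fA-F]+)\s+(?P<life>\d+)\s+"
    r"(?P<kb>\S+)\s+(?P<sta>\S+)"
)


def parse_get_sa(text):
    """Return one dict per SA row; header and summary lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = SA_LINE.match(line.strip())
        if m:
            e = m.groupdict()
            e["port"] = int(e["port"])
            e["life"] = int(e["life"])
            entries.append(e)
    return entries


def nat_t_expected(untrust_ip):
    """NAT-T should be in use when the untrust interface holds an RFC 1918 address."""
    return ipaddress.ip_address(untrust_ip).is_private


def tunnel_report(entries, untrust_ip):
    """Per peer gateway: is NAT-T active (port 4500), are both SA directions
    present and active, and does NAT-T usage match what the local address implies."""
    expected = nat_t_expected(untrust_ip)
    report = {}
    for e in entries:
        r = report.setdefault(e["gw"], {"nat_t": False, "dirs": set(), "active": True})
        r["nat_t"] = r["nat_t"] or e["port"] == 4500
        r["dirs"].add(e["dir"])
        r["active"] = r["active"] and e["sta"].startswith("A")
    for gw, r in report.items():
        r["both_directions"] = r["dirs"] == {"<", ">"}
        # A private untrust address but SAs still on UDP 500 means NAT-T
        # never negotiated: the "tunnel up, no traffic" symptom in the thread.
        r["nat_t_mismatch"] = expected and not r["nat_t"]
        del r["dirs"]
    return report


if __name__ == "__main__":
    # Untrust address as in the poster's single-NAT setup (constructed value).
    for gw, r in tunnel_report(parse_get_sa(SAMPLE_GET_SA), "192.168.1.2").items():
        print(gw, r)
```

Run it against real `get sa` output by replacing `SAMPLE_GET_SA` with the captured text; if the regex does not match your firmware's column order, adjust the pattern rather than the report logic.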