Site to Site VPN with NAT (Full Version)



jse09136 -> Site to Site VPN with NAT (14.Jun.2006 6:45:39 PM)

I'm needing to build a site to site IPsec VPN from a 2004 ISA server. I'm using 192.168.1.0/26 on the LAN subnet with .53 on the LAN NIC card and a public IP on the WAN NIC. The source IP address must be in 10.185.64.208/29 for the traffic to access the network on the other end of the PEER. While I can get the connection to work when I use the 10.185.64.208/29 subnet on the LAN side of the ISA server, I'm having trouble building NAT. I need to NAT the 192.168.1.0/26 (or any private IP subnet) to the 10.185.64.208/29 subnet for the other end of the VPN tunnel. Is this possible and if so, can you give me some guidance on how to build the NAT?

Thanks,
Jeff




tshinder -> RE: Site to Site VPN with NAT (17.Jun.2006 3:04:17 PM)

Hi Jeff,

Just create a Network Rule that sets the NAT relationship between the source and destination Network.

Remember that if you set a NAT relationship, the non-NATed Network won't be able to reach the NATed Network unless you configure a publishing rule.

HTH,
Tom




spouseele -> RE: Site to Site VPN with NAT (17.Jun.2006 3:54:45 PM)

Hi Tom,

Euh... defining a NAT relationship will translate the source from 192.168.1.0/26 to whatever is assigned as the primary IP address on the outgoing interface, not to an IP address of the 10.185.64.208/29 network. In fact, Jeff's question is exactly the same as my question "Source NAT before VPN tunnel" in the ISApro list.

As far as I know that isn't possible in the normal way. Maybe by using some tricks such as a loopback interface or the techniques described in Jim's challenge "Think outside the GUI challenge #1" in the ISA discussion list. It's probably better to call in Jim and ask if he knows a magic trick to accomplish that. [;)]

HTH,
Stefaan




tshinder -> RE: Site to Site VPN with NAT (17.Jun.2006 4:02:11 PM)

Hi Stefaan,

I think that is the case only for IPSec tunnel mode. If you use L2TP/IPSec or PPTP, it's the IP address used by the virtual interface.

Tom




spouseele -> RE: Site to Site VPN with NAT (17.Jun.2006 4:07:01 PM)

Hi Tom,

but it sounds like it is an IPSec tunnel mode connection. So ... we are stuck! [:(]

HTH,
Stefaan




Jim Harrison -> RE: Site to Site VPN with NAT (17.Jun.2006 4:52:23 PM)

Sorry - ISA NAT is limited to a "many-to-one" or "cone" NAT.
IOW, nope.




spouseele -> RE: Site to Site VPN with NAT (17.Jun.2006 5:03:57 PM)

Hi Jim,

I know that 1:1 NAT isn't possible, but assuming that N:1 NAT is sufficient, can we then do the NAT before the IPSec tunnel mode?

Thanks,
Stefaan 




spouseele -> RE: Site to Site VPN with NAT (17.Jun.2006 6:06:15 PM)

Hi Jeff,

this is the answer I got from Jim:

quote:

-----Original Message-----
From: Jim Harrison (ISA)
Sent: Saturday 17 June 2006 17:53
To: isaserver@list.msmvps.com
Subject: RE: [ISAServer] Site to Site VPN with NAT

Unfortunately, until ISA receives the traffic from within the tunnel, ISA can't do anything with it.
The desired solution indicated that the traffic should be sourced from an IP selected according to the originating host IP.
Sourcing from a particular IP is a simple routing table trick, but it will affect all traffic *to the destination*; not from a particular source.

Jim Harrison
SASD (ISA SE)
If We Can't Fix It - It Ain't Broke!


So, we are indeed stuck...[:(]

HTH,
Stefaan




tonygauderman -> RE: Site to Site VPN with NAT (24.Jun.2006 6:42:25 PM)

I am in a similar dilemma, and want to make sure that I understand what's been discussed so far in this thread...

I want to use NAT on a VPN tunnel to prevent any overlapping network issues with a client site, and to prevent the need to expose our IP scheme to them at all...  I would like to NAT all outgoing traffic to the tunnel so that all traffic down the tunnel comes from that IP, and be able to publish services to the VPN using other IPs in the same subnet as the outside NAT IP.  Is this something I can accomplish with ISA Server 2004?




spouseele -> RE: Site to Site VPN with NAT (24.Jun.2006 8:49:37 PM)

Hi Tony,

As said in one of my previous posts, defining a NAT relationship will translate the source to whatever is assigned as the primary IP address on the outgoing interface. That means that for outbound traffic the source address inside and outside the tunnel is the same IP address. Now for the inbound traffic, I think you should be able to publish services to the remote site users. However, I have never done it before and I don't remember if I ever read an article on that subject.

HTH,
Stefaan




tonygauderman -> RE: Site to Site VPN with NAT (25.Jun.2006 12:47:13 AM)

I will try to create it in a lab environment...  I understand I have to NAT before the traffic is encrypted, just wasn't sure if I could do that.  I have worked with VPN appliances before that COULD do that, but haven't done much with ISA and VPN.
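The ordering problem the whole thread turns on (many-to-one source NAT has to be applied before the IPsec tunnel-mode SPD is consulted, and an inbound connection to the NATed range only reaches an inside host through an explicit publishing rule) can be modelled in a few lines. The following is an added illustration, not ISA Server code or anything posted in the thread. It uses the thread's own ranges, 192.168.1.0/26 and 10.185.64.208/29; the peer LAN 172.16.0.0/24, the NAT address 10.185.64.209 and the published server 10.185.64.210:80 -> 192.168.1.10:80 are assumptions chosen for the example.

```python
"""Toy model of where source NAT sits relative to an IPsec tunnel-mode SA.

Added example, not ISA Server code. Addresses taken from the thread:
LAN 192.168.1.0/26 and the tunnel source range 10.185.64.208/29.
The peer LAN, the chosen NAT address and the published server are assumed.
"""
import ipaddress
from typing import Dict, Optional, Tuple

Addr = ipaddress.IPv4Address

LAN = ipaddress.ip_network("192.168.1.0/26")
TUNNEL_LOCAL = ipaddress.ip_network("10.185.64.208/29")
PEER_LAN = ipaddress.ip_network("172.16.0.0/24")        # assumption
NAT_ADDR = ipaddress.ip_address("10.185.64.209")        # assumption

# Assumed publishing rule: (address in the NAT range, port) -> (inside host, port)
PUBLISHED: Dict[Tuple[Addr, int], Tuple[Addr, int]] = {
    (ipaddress.ip_address("10.185.64.210"), 80): (ipaddress.ip_address("192.168.1.10"), 80),
}

# Tunnel-mode SPD entry: (local selector, remote selector). A packet is
# protected only if both selectors match at the moment IPsec sees it.
SPD = [(TUNNEL_LOCAL, PEER_LAN)]


def spd_selects(local: Addr, remote: Addr) -> bool:
    return any(local in l and remote in r for l, r in SPD)


def snat_many_to_one(src: Addr, dst: Addr) -> Addr:
    """Many-to-one ("cone") NAT: every LAN host leaves as NAT_ADDR."""
    return NAT_ADDR if src in LAN and dst in PEER_LAN else src


def send_outbound(src: Addr, dst: Addr, nat_before_tunnel: bool) -> Tuple[str, Addr]:
    """Return (protection, source address on the wire).

    nat_before_tunnel=True models a device that translates first and then
    consults the SPD; False models translating only after IPsec has already
    made its decision, which is the ISA behaviour the thread describes.
    """
    if nat_before_tunnel:
        src = snat_many_to_one(src, dst)
    if spd_selects(src, dst):
        return "encrypted", src
    # No SA matched: translating afterwards cannot retroactively select one,
    # so the packet is handled as ordinary, unprotected traffic.
    src = snat_many_to_one(src, dst)
    return "unprotected", src


def receive_inbound(src: Addr, dst: Addr, dport: int) -> Optional[Tuple[Addr, int]]:
    """Packet arriving from inside the tunnel, addressed to the NAT range.

    Many-to-one NAT keeps no static inside mapping, so only an explicit
    publishing rule yields an inside target; everything else is dropped.
    """
    if not spd_selects(dst, src):          # selectors are mirrored for inbound
        return None
    return PUBLISHED.get((dst, dport))


if __name__ == "__main__":
    host = ipaddress.ip_address("192.168.1.20")
    peer = ipaddress.ip_address("172.16.0.5")
    print("NAT before tunnel:", send_outbound(host, peer, True))
    print("NAT after tunnel: ", send_outbound(host, peer, False))
    print("inbound to published 10.185.64.210:80 ->",
          receive_inbound(peer, ipaddress.ip_address("10.185.64.210"), 80))
    print("inbound to 10.185.64.209:22 ->", receive_inbound(peer, NAT_ADDR, 22))
```

Running it shows the two halves of the thread's conclusion: with translation before the SPD lookup the LAN host leaves the box as 10.185.64.209 inside the tunnel, with translation afterwards the packet never matches the SA at all, and an inbound connection to the NAT range is only delivered where a publishing entry exists.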



