
Site to Site VPN with NAT

Site to Site VPN with NAT - 14.Jun.2006 6:45:39 PM   
jse09136

 

Posts: 2
Joined: 31.Dec.2003
Status: offline
I'm needing to build a site to site IPSec VPN from a 2004 ISA server. I'm using 192.168.1.0/26 on the LAN subnet with .53 on the LAN NIC card and a public IP on the WAN NIC. The source IP address must be in 10.185.64.208/29 for the traffic to access the network on the other end of the PEER. While I can get the connection to work when I use the 10.185.64.208/29 subnet on the LAN side of the ISA server, I'm having trouble building NAT. I need to NAT the 192.168.1.0/26 (or any private IP subnet) to the 10.185.64.208/29 subnet for the other end of the VPN tunnel. Is this possible and if so, can you give me some guidance on how to build the NAT?

Thanks,
Jeff

< Message edited by jse09136 -- 14.Jun.2006 6:47:39 PM >
Post #: 1
RE: Site to Site VPN with NAT - 17.Jun.2006 3:04:17 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Jeff,

Just create a Network Rule that sets the NAT relationship between the source and destination Network.

Remember that if you set a NAT relationship, the non-NATed Network won't be able to reach the NATed Network unless you configure a publishing rule.

HTH,
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to jse09136)
Post #: 2
RE: Site to Site VPN with NAT - 17.Jun.2006 3:54:45 PM   
spouseele

 

Posts: 12830
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi Tom,

euh... defining a NAT relationship will translate the source from 192.168.1.0/26 to whatever is assigned as primary IP address on the outgoing interface, not to an IP address of the 10.185.64.208/29 network. In fact, Jeff's question is exactly the same as my question "Source NAT before VPN tunnel" in the ISApro list.

As far as I know that isn't possible in the normal way. Maybe by using some tricks such as a loopback interface or the techniques described in Jim's challenge "Think outside the GUI challenge #1" in the ISA discussion list. It's probably better to call-in Jim and ask if he knows a magic trick to accomplish that.

HTH,
Stefaan

(in reply to tshinder)
Post #: 3
RE: Site to Site VPN with NAT - 17.Jun.2006 4:02:11 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Stefaan,

I think that is the case only for IPSec tunnel mode. If you use L2TP/IPSec or PPTP, it's the IP address used by the virtual interface.

Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to spouseele)
Post #: 4
RE: Site to Site VPN with NAT - 17.Jun.2006 4:07:01 PM   
spouseele

 

Posts: 12830
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi Tom,

but it sounds to be an IPSec tunnel mode connection. So ... we are stuck!

HTH,
Stefaan

(in reply to tshinder)
Post #: 5
RE: Site to Site VPN with NAT - 17.Jun.2006 4:52:23 PM   
Jim Harrison

 

Posts: 271
Joined: 5.May2001
From: Redmond, WA
Status: offline
Sorry - ISA NAT is limited to a "many-to-one" or "cone" NAT.
IOW, nope.

_____________________________

Jim Harrison
MCP(NT4, W2K), A+, Network+, PCG
My ISAServer.org Stuff
My Site

(in reply to jse09136)
Post #: 6
RE: Site to Site VPN with NAT - 17.Jun.2006 5:03:57 PM   
spouseele

 

Posts: 12830
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi Jim,

I know that 1:1 NAT isn't possible, but assuming that N:1 NAT is sufficient, can we then do the NAT before the IPSec tunnel mode?

Thanks,
Stefaan 

(in reply to Jim Harrison)
Post #: 7
RE: Site to Site VPN with NAT - 17.Jun.2006 6:06:15 PM   
spouseele

 

Posts: 12830
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi Jeff,

this is the answer I've got from Jim

quote:

-----Original Message-----
From: Jim Harrison (ISA)
Sent: zaterdag 17 juni 2006 17:53
To: isaserver@list.msmvps.com
Subject: RE: [ISAServer] Site to Site VPN with NAT

Unfortunately, until ISA receives the traffic from within the tunnel, ISA can't do anything with it.
The desired solution indicated that the traffic should be sourced from an IP selected according to the originating host IP.
Sourcing from a particular IP is a simple routing table trick, but it will affect all traffic *to the destination*; not from a particular source.

Jim Harrison
SASD (ISA SE)
If We Can't Fix It - It Ain't Broke!


So, we are indeed stuck...

HTH,
Stefaan

(in reply to spouseele)
Post #: 8
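To make the limitation Stefaan and Jim describe concrete, here is a small model (added here, not code from the thread or from ISA Server) of the three source-address outcomes discussed: a Route relationship leaving the source untouched, an ISA NAT relationship translating every source to the outgoing interface's primary IP, and the hypothetical policy-based source NAT into the 10.185.64.208/29 pool that Jeff actually needs. The WAN address 203.0.113.5 is a constructed placeholder; the thread does not give it.

```python
from ipaddress import IPv4Address, IPv4Network

# Values from the thread: ISA LAN subnet and the source range the IPSec peer requires.
LAN_SUBNET = IPv4Network("192.168.1.0/26")
PEER_SOURCE_SELECTOR = IPv4Network("10.185.64.208/29")
# Constructed placeholder for the public IP on the ISA WAN NIC (not given in the thread).
WAN_IP = IPv4Address("203.0.113.5")


def isa_nat_relationship(src: IPv4Address, egress_ip: IPv4Address) -> IPv4Address:
    """ISA 2004 Network Rule with a NAT relationship: many-to-one, so every
    source becomes the primary address of the outgoing interface."""
    return egress_ip


def policy_snat_to_pool(src: IPv4Address, pool: IPv4Network) -> IPv4Address:
    """Hypothetical policy-based source NAT that ISA 2004 does not offer: map each
    LAN host deterministically onto one usable address of the pool before IPSec
    evaluates the packet."""
    usable = list(pool.hosts())          # /29 -> six usable addresses
    return usable[int(src) % len(usable)]


def enters_tunnel(translated_src: IPv4Address, selector: IPv4Network) -> bool:
    """IPSec tunnel-mode selector check: only packets whose post-NAT source lies
    inside the negotiated selector are carried by the SA."""
    return translated_src in selector


def translated_sources(host: str, egress_ip=WAN_IP, pool=PEER_SOURCE_SELECTOR) -> dict:
    """Show what the peer would see as the source under each model."""
    src = IPv4Address(host)
    return {
        "unchanged": str(src),
        "isa_nat": str(isa_nat_relationship(src, egress_ip)),
        "policy_snat": str(policy_snat_to_pool(src, pool)),
    }


def evaluate(hosts, egress_ip=WAN_IP, selector=PEER_SOURCE_SELECTOR) -> dict:
    """For each LAN host, report whether its traffic would match the peer's
    selector under each model. Only the policy SNAT (or a host that already
    sits in the /29, as in Jeff's working test) gets through."""
    report = {}
    for h in hosts:
        src = IPv4Address(h)
        report[h] = {
            "unchanged": enters_tunnel(src, selector),
            "isa_nat": enters_tunnel(isa_nat_relationship(src, egress_ip), selector),
            "policy_snat": enters_tunnel(policy_snat_to_pool(src, selector), selector),
        }
    return report


if __name__ == "__main__":
    for host, outcome in evaluate(["192.168.1.10", "10.185.64.210"]).items():
        print(host, outcome)
```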
RE: Site to Site VPN with NAT - 24.Jun.2006 6:42:25 PM   
tonygauderman

 

Posts: 107
Joined: 6.Feb.2006
Status: offline
I am in a similar dilemma, and want to make sure that I understand what's been discussed so far in this thread...

I want to use NAT on a VPN tunnel to prevent any overlapping network issues with a client site, and to prevent the need to expose our IP scheme to them at all...  I would like to NAT all outgoing traffic to the tunnel so that all traffic down the tunnel comes from that IP, and be able to publish services to the VPN using other IPs in the same subnet as the outside NAT IP.  Is this something I can accomplish with ISA Server 2004?

(in reply to spouseele)
Post #: 9
RE: Site to Site VPN with NAT - 24.Jun.2006 8:49:37 PM   
spouseele

 

Posts: 12830
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi Tony,

as said in one of my previous posts, defining a NAT relationship will translate the source to whatever is assigned as primary IP address on the outgoing interface. That means that for outbound traffic the source address inside and outside the tunnel is the same IP address. Now for the inbound traffic, I think you should be able to publish services to the remote site users. However, I have never done it before and I don't remember if I ever read an article on that subject.

HTH,
Stefaan

< Message edited by spouseele -- 24.Jun.2006 11:08:08 PM >

(in reply to tonygauderman)
Post #: 10
RE: Site to Site VPN with NAT - 25.Jun.2006 12:47:13 AM   
tonygauderman

 

Posts: 107
Joined: 6.Feb.2006
Status: offline
I will try to create in a lab environment...  I understand I have to NAT before the traffic is encrypted, just wasn't sure if I could do that.  I have worked with VPN appliances before that COULD do that, but haven't done much with ISA and VPN.

(in reply to spouseele)
Post #: 11
