NAT destination into IPsec VPN
I'm used to other firewall vendors (CheckPoint, WatchGuard) and this is the first time I'm using pfSense, because we want to implement it on AWS.
I have one main site with a CheckPoint firewall and internal network 10.1.0.0/16
The AWS site with pfSense has the internal network 10.2.0.0/16.
One working IPsec tunnel is set up between those sites.
From the pfSense side, I would like to NAT the main site (10.2.0.0/16) to 10.3.0.0/16, so I can ping 10.3.0.1 from AWS and reach 10.1.0.1 on the main site.
How must I do this?
Must I use the IPsec wizard?
It's not clear to me what the NAT/BINAT translation does.
Does it NAT the source or the destination network?
Must I use a 1-to-1 rule?
Still not clear about the source or destination NAT.
Also, about the interface:
- Is it where the NAT applies?
- Is it where the traffic must come in to match the NAT rule?
- Is it where the traffic must go out to match the NAT rule?
I'm a little bit confused about all of this, given my experience with other vendors.
Can you explain it to me?
A little refresher on this post.
The topology I want to achieve is in the attachment.
I tried BINAT in the VPN with no success.
I also tried port forwarding, but there is no way to translate to a network range. It is only possible with a single IP…
Can someone help me?
Could someone answer?
Is it possible with pfSense at least?
Or must I turn to enterprise solutions?
Pretty sure that NAT will have to be done on the other side.
BINAT in a phase 2 translates the network on your side as it appears to the other side. You would set up a Phase 2 for 10.2.0.0/16 to 10.3.0.0/16. They would NAT it from 10.3.0.0/16 to 10.1.0.0/16.
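As an added illustration (not code from the thread or from pfSense) of the arrangement in the answer above, the following Python traces a ping from an AWS host through a Phase 2 whose selector is local 10.2.0.0/16 / remote 10.3.0.0/16, with the main-site firewall doing the 1:1 destination NAT 10.3.0.0/16 to 10.1.0.0/16 and the matching source NAT on the reply. It also shows what pfSense's own BINAT would do instead (present 10.2.0.0/16 as 10.3.0.0/16); the host addresses are constructed.

```python
import ipaddress

# Networks from the thread; host addresses below are constructed examples.
AWS_NET = ipaddress.ip_network("10.2.0.0/16")        # behind pfSense on AWS
PRESENTED_NET = ipaddress.ip_network("10.3.0.0/16")  # what AWS hosts ping
MAIN_NET = ipaddress.ip_network("10.1.0.0/16")       # behind the main-site firewall


def translate_1to1(addr, from_net, to_net):
    """1:1 network NAT: keep the host bits, swap the network bits.
    Addresses outside from_net are returned unchanged."""
    addr = ipaddress.ip_address(addr)
    if addr not in from_net or from_net.prefixlen != to_net.prefixlen:
        return addr
    host_bits = int(addr) - int(from_net.network_address)
    return to_net.network_address + host_bits


def phase2_selects(src, dst, local_net, remote_net):
    """Phase 2 traffic selector: only src in local and dst in remote enters the tunnel."""
    return (ipaddress.ip_address(src) in local_net
            and ipaddress.ip_address(dst) in remote_net)


def binat_as_seen_remotely(src):
    """What a pfSense BINAT of 10.2.0.0/16 -> 10.3.0.0/16 does: it rewrites
    the *local* source network, which is not the destination NAT asked for."""
    return translate_1to1(src, AWS_NET, PRESENTED_NET)


def trace_ping(src, dst):
    """Follow one ping AWS -> main site and its reply, with the destination
    NAT performed on the main-site side as the answer suggests."""
    if not phase2_selects(src, dst, AWS_NET, PRESENTED_NET):
        return None  # never enters the tunnel: selector mismatch
    # Main-site firewall rewrites the destination before delivery to its LAN.
    real_dst = translate_1to1(dst, PRESENTED_NET, MAIN_NET)
    # The reply leaves the main-site host with its real address as source and
    # is rewritten back so it still matches the tunnel selector going home.
    reply_src = translate_1to1(real_dst, MAIN_NET, PRESENTED_NET)
    reply_in_tunnel = phase2_selects(reply_src, src, PRESENTED_NET, AWS_NET)
    return {"delivered_to": str(real_dst), "reply_from": str(reply_src),
            "reply_in_tunnel": reply_in_tunnel}


if __name__ == "__main__":
    print(trace_ping("10.2.0.7", "10.3.0.1"))
    print(binat_as_seen_remotely("10.2.0.7"))
```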