New IPSEC tunnel with NAT: 1-way traffic

  • I've done this before but can't see what I'm missing this time. Occasionally we have clients that work with a vendor that requires an IPSEC tunnel to their location but NAT must be set up on the tunnel. We've established the tunnel and it shows as up. We can ping their network but they are unable to reach devices inside our network. The setup is as follows:

    LAN IP: 192.x.x.x
    NATTED IP: 100.x.x.x
    Remote IP: 10.x.x.x

    If we ping from our 192.x.x.x range to an IP in their 10.x.x.x range, we get replies. If they ping us, they get no response. If I watch a packet capture I get:
    IP 192.x.x.x > 10.x.x.x: ICMP echo request, id 42327, seq 0, length 64
    IP 10.x.x.x > 100.x.x.x: ICMP echo reply, id 42327, seq 0, length 64

    Could it be that the NATted IP they gave us is a Public IP and not a Private IP?

  • @Stewart

    Well, I guess it isn't public after all. You learn something new every day! What's odd is that adding the appropriate firewall rule allowed the traffic to cross but I don't see anything logged in the firewall logs to show that the firewall is what stopped the communication.
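The following is an added example, not code from either poster, that models the setup described in the thread: a LAN behind a 1:1 NAT on an IPsec tunnel. It answers the "is 100.x public?" question (100.64.0.0/10 is RFC 6598 shared address space, not public), shows why the inbound filter rule has to name the translated LAN address rather than the 100.x address the vendor sees, and pairs tcpdump-style ICMP lines like the ones above so the 192.x source and its 100.x alias are recognised as one conversation. All addresses (192.168.10.0/24, 100.64.10.0/24, 10.20.0.0/16, the hosts .5 and .7) and the capture lines are constructed stand-ins; the assumption that the firewall applies the inbound DNAT before filtering matches Linux netfilter (nat PREROUTING runs before filter FORWARD) but is not something the thread states about the posters' firewall.

```python
"""Model of a LAN behind a 1:1 NAT on an IPsec tunnel (added example; all
addresses are constructed stand-ins for the thread's 192.x / 100.x / 10.x)."""
import ipaddress
import re
from dataclasses import dataclass

LAN_NET = ipaddress.ip_network("192.168.10.0/24")     # our real hosts
NAT_NET = ipaddress.ip_network("100.64.10.0/24")      # addresses the vendor is given
REMOTE_NET = ipaddress.ip_network("10.20.0.0/16")     # vendor side of the tunnel

SPECIAL_USE = [
    ("RFC 1918 private", ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]),
    ("RFC 6598 shared address space (not public)", ["100.64.0.0/10"]),
]


def classify(addr):
    """Answer the thread's question: is a 100.x.x.x address public?"""
    ip = ipaddress.ip_address(addr)
    for label, nets in SPECIAL_USE:
        if any(ip in ipaddress.ip_network(n) for n in nets):
            return label
    return "not RFC 1918 or RFC 6598 (treat as public)"


def _offset(ip, net):
    return int(ip) - int(net.network_address)


def to_nat(lan_ip):
    """1:1 NAT: 192.168.10.N -> 100.64.10.N (host part preserved)."""
    return NAT_NET.network_address + _offset(lan_ip, LAN_NET)


def to_lan(nat_ip):
    """Inverse mapping: 100.64.10.N -> 192.168.10.N."""
    return LAN_NET.network_address + _offset(nat_ip, NAT_NET)


@dataclass(frozen=True)
class Packet:
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address


def inbound_after_dnat(pkt):
    """Vendor -> us: after IPsec decapsulation the 1:1 NAT rewrites the
    destination, so a filter that runs after NAT sees 192.x, never 100.x."""
    if pkt.dst in NAT_NET:
        return Packet(pkt.src, to_lan(pkt.dst))
    return pkt


def filter_decision(pkt, rules):
    """First-match filter; anything unmatched is dropped. Many default-deny
    policies do this without writing a log entry unless a log rule is added."""
    for src_net, dst_net, action in rules:
        if pkt.src in src_net and pkt.dst in dst_net:
            return action
    return "drop"


OUTBOUND_ONLY = [(LAN_NET, REMOTE_NET, "accept")]
# A rule naming the pre-NAT 100.x address never matches after DNAT.
WRONG_INBOUND = OUTBOUND_ONLY + [(REMOTE_NET, NAT_NET, "accept")]
# The rule has to name the translated (real LAN) address.
RIGHT_INBOUND = OUTBOUND_ONLY + [(REMOTE_NET, LAN_NET, "accept")]


def vendor_ping_decision(rules, vendor="10.20.0.7", target_nat="100.64.10.5"):
    """What happens to a vendor echo request aimed at one of our NAT addresses."""
    pkt = Packet(ipaddress.ip_address(vendor), ipaddress.ip_address(target_nat))
    return filter_decision(inbound_after_dnat(pkt), rules)


# Constructed tcpdump-style lines of the kind shown in the thread: our outbound
# ping and its reply, plus a vendor ping that never gets answered.
CAPTURE = """\
IP 192.168.10.5 > 10.20.0.7: ICMP echo request, id 42327, seq 0, length 64
IP 10.20.0.7 > 100.64.10.5: ICMP echo reply, id 42327, seq 0, length 64
IP 10.20.0.7 > 100.64.10.5: ICMP echo request, id 5120, seq 0, length 64
"""
LINE = re.compile(r"IP (\S+) > (\S+): ICMP echo (request|reply), id (\d+), seq (\d+)")


def normalize(addr):
    """Undo the NAT on our side so 100.64.10.N and 192.168.10.N compare equal."""
    ip = ipaddress.ip_address(addr)
    return to_lan(ip) if ip in NAT_NET else ip


def unanswered_requests(capture):
    """Pair echo requests with replies by (id, seq) and return the requests
    that never got a reply, as (src, dst) strings in LAN terms."""
    requests, replies = {}, set()
    for m in LINE.finditer(capture):
        src, dst = normalize(m.group(1)), normalize(m.group(2))
        key = (int(m.group(4)), int(m.group(5)))
        if m.group(3) == "request":
            requests[key] = (str(src), str(dst))
        else:
            replies.add((key, str(dst), str(src)))   # a reply flows dst <- src
    return [flow for key, flow in requests.items() if (key, *flow) not in replies]


if __name__ == "__main__":
    print(classify("100.64.10.5"))
    for name, rules in (("outbound only", OUTBOUND_ONLY),
                        ("inbound rule on 100.x", WRONG_INBOUND),
                        ("inbound rule on 192.x", RIGHT_INBOUND)):
        print(f"{name}: vendor ping -> {vendor_ping_decision(rules)}")
    print("unanswered:", unanswered_requests(CAPTURE))
```

Run as-is it reports the 100.64.10.5 address as RFC 6598 shared space, shows the vendor's ping being dropped under both the outbound-only policy and an inbound rule written against the 100.x address, accepted only once the rule names the 192.x range, and lists the vendor's request as the one unanswered flow in the capture. The silent drop is the point of the last post's puzzle: a default-deny with no log action leaves no trace, so a capture on the inside interface (where the vendor's request never appears) is the quicker way to localise the block.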

