IPSec DNAT not working
-
We had a prior setup on an NSX edge for a customer where they would attempt to RDP to an IP address which was listed on the remote IPsec site. It would then DNAT on RDP to an IP address on an isolated interface (isolated network is NOT on the IPsec)
This previously was set up to DNAT on 'any' interface. However, it doesn't appear pfSense offers an 'any' option on DNAT rules.
Wondering how we can re-create the same NAT rule but having no luck so far...
-
@matt_sharpe
Not clear, what you want to achieve here.
Maybe you can provide a drawing which shows the details: from where you want to access which device.
-
@viragomann so if we imagine a simple 2 site connection via an IPsec VPN.
Site 1 = 172.16.100.0/24
Site 2 = 172.16.200.0/24
Site 2 has an isolated network which we want to be able to provide RDP access to. However, we don't want this on the IPsec VPN, so we're aiming to create a NAT rule which NATs an IP address on the 172.16.200.0/24 network and directs it to the isolated network.
The connection should look like this:
172.16.100.1 > IPsec tunnel > 172.16.200.253 (NATs to) 172.16.210.253
We achieved this on another firewall using a DNAT on the 'any' interface. However, no luck on pfSense as of yet.
-
@matt_sharpe said in IPSec DNAT not working:
However, we don't want this on IPsec VPN
NAT has to happen in IPSec. There is no way around.
172.16.100.1 > IPsec tunnel > 172.16.200.253 (NATs to) 172.16.210.253
You can do this in the IPsec phase 2, however:
At site 2 add an additional P2 with:
Local Network: select Address and enter 172.16.210.253
NAT/BINAT translation: select Address and enter 172.16.200.253
Remote Network: select Network and enter 172.16.100.0/24
-
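For reference, pfSense implements a NAT/BINAT phase 2 as a pf binat rule on the IPsec (enc0) interface rather than as a port-forward on a LAN or WAN interface. The rule below is an added illustration of what that mapping looks like and is not taken from the thread; the exact text pfSense generates is an assumption, so verify it on the firewall with `pfctl -sn` after the tunnel is up.

```pf
# Added illustration (assumed pfSense-generated form): 1:1 translation on the
# IPsec interface for the phase 2 above. Packets from the isolated host
# 172.16.210.253 toward site 1 appear as 172.16.200.253 inside the tunnel, and
# traffic from site 1 to 172.16.200.253 is rewritten back to 172.16.210.253.
binat on enc0 from 172.16.210.253 to 172.16.100.0/24 -> 172.16.200.253

# Check on the firewall (shell, not part of the rule set):
#   pfctl -sn | grep enc0            # the binat line should be listed
#   pfctl -vvsr | grep -A2 ipsec     # confirm rules on the IPsec interface allow the traffic
```

The remote side only ever sees 172.16.200.253 in its phase 2 selector, which is why site 1 needs no P2 change for this to work.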
@viragomann Done this in our lab but no luck (generic FW rules allowing all traffic)
I assume no P2 tweaks needed on Site 1 for this....
-
@matt_sharpe Got it working, needed the Phase 1 setting "Split Connections" and an IPsec tunnel restart. Thanks @viragomann !
-
@matt_sharpe
If it's a pfSense it should work with that so far. But since both phase 2s have the same local network, you probably have to move the BINAT P2 to the top.
-
@viragomann This resolution does work. However the P2 tunnel (only created on the target site) is disconnecting after short periods. Even with a keep alive enabled and an IP to ping...