NAT/BINAT
-
I have the following problem.
I am configuring an IPsec tunnel to link two remote servers. At the other end they cannot use the IP of my local server, 192.168.1.70, since it overlaps with another segment they have, so they ask me to NAT that IP to the IP 10.10.10.12.
I am not sure where I should perform the NAT: in the Firewall -> NAT section, or in the phase 2 of the IPsec tunnel, in the NAT/BINAT translation section. Can you guide me a little, please?
-
@oscar-pulgarin said in NAT/BINAT:
at the other end they cannot place the IP of my local server 192.168.1.70 since it overlaps with another segment they have
192.168.1.0/24 is a pretty bad choice for a subnet at all.
so they ask me to carry out the nat of that IP to IP 10.10.10.12.
That's just slightly better.
If you only need this single IP, set the p2:
local: address > 192.168.1.70
BINAT: address > 10.10.10.12
remote: remote subnet
-
@viragomann said in NAT/BINAT:
10.10.12
rem

This is how I currently have the configuration, but I think I'm missing something because there is no traffic crossing that tunnel.
Additionally, traffic through certain specific ports should be allowed through that tunnel. Where should I create the rule? IPsec? Floating?
-
@oscar-pulgarin
Do you have multiple phase 2? If so you have to move this one up. Do you need to access the remote site, or are you only expecting incoming connections?
For incoming traffic add a rule to IPSec.
For connections to the remote site, add rules to the respective incoming interface.
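As an added illustration of the phase-2 BINAT setup suggested above (example code, not from the forum posts or from pfSense itself), this models the 1:1 translation and the sanity checks worth running before bringing the tunnel up. The thread never names the remote subnet, so 172.16.50.0/24 below is a constructed placeholder.

```python
from ipaddress import ip_address, ip_network

# Values from the thread; REMOTE_NET is a constructed placeholder.
LOCAL_HOST = ip_network("192.168.1.70/32")
BINAT_HOST = ip_network("10.10.10.12/32")
REMOTE_NET = ip_network("172.16.50.0/24")


def check_binat_p2(local, binat, remote):
    """Return a list of problems with a phase-2 BINAT definition ([] if OK).

    BINAT is a 1:1 mapping, so the translated network must be the same
    size as the local one, and the translated addresses must not overlap
    the remote subnet the peer will send traffic to.
    """
    problems = []
    if local.prefixlen != binat.prefixlen:
        problems.append("BINAT network must be the same size as local network")
    if binat.overlaps(remote):
        problems.append("translated address overlaps the remote subnet")
    if local.overlaps(remote):
        problems.append("local address overlaps the remote subnet (routing)")
    return problems


def translate_outbound(src, local, binat):
    """Source address as the peer sees it (local -> BINAT), or None."""
    src = ip_address(src)
    if src not in local:
        return None
    offset = int(src) - int(local.network_address)
    return str(binat.network_address + offset)


def translate_inbound(dst, local, binat):
    """Destination after un-NAT of a reply (BINAT -> local), or None."""
    dst = ip_address(dst)
    if dst not in binat:
        return None
    offset = int(dst) - int(binat.network_address)
    return str(local.network_address + offset)


def peer_traffic_selector(binat, remote):
    """What the remote admin must configure: they never see the local IP."""
    return (str(binat), str(remote))


if __name__ == "__main__":
    print(check_binat_p2(LOCAL_HOST, BINAT_HOST, REMOTE_NET))
    print(translate_outbound("192.168.1.70", LOCAL_HOST, BINAT_HOST))
    print(peer_traffic_selector(BINAT_HOST, REMOTE_NET))
```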