Tunnel with VIP NATed to local IP



    Hi,

    I have configured an IPsec tunnel between a pfSense 2.0 box on my side and a Cisco router on the customer's side:

    My local IP 192.168.32.100/32 <-> local pfSense (WAN 82.10.20.30) <-> remote pfSense (WAN 92.10.20.30) <-> customer's remote IP 10.1.1.100/32

    Obviously the IP addresses 82.10.20.30 and 92.10.20.30 are not the real ones.
    The tunnel has worked without any problem until now.

    The problem is the following. The customer told me that their security policies no longer permit using the private networks 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16 as remote subnets for the tunnel.

    He asked me to use another public IP as the remote LAN and to NAT that IP to the internal IP.
    This is what he did on his side:

    My remote IP <-> my pfSense <-> remote pfSense (WAN 92.10.20.30) <-> remote IP 92.10.24.53 -> NATed to IP 10.1.1.100

    In other words, when I open an RDP connection to the remote IP 92.10.24.53, the connection is forwarded to 10.1.1.100.

    I have one more public IP available (82.10.20.31), but I cannot figure out how to do it on my side.

    1. Do I have to create a Virtual IP on the WAN interface for my second public IP? If so, do I have to choose "Proxy ARP" or "IP Alias"?
      It seems that I cannot use the WAN interface as my local network. In fact, if I go to the Status -> IPsec page, I am not able to start the tunnel: there is no "play" icon.

    2. Once the tunnel is up, how do I forward all the traffic from 82.10.20.31 to the local IP 192.168.32.100? I am very confused about which rules I have to work with (WAN, LAN, IPsec?) together with the 1:1 NAT configuration.

    I have tried many ways, but without success.
    Any help will be appreciated.
    Thanks in advance,

    Mike
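What Mike is describing is a 1:1 (BINAT) translation of one internal host to a public virtual IP, so that the IPsec phase 2 traffic selectors carry only public addresses on both sides. The example below is added for this page and is not code from the original post or from pfSense; it is a small model of a gateway's forwarding path that shows the ordering that matters in such a setup. On the way out the source 192.168.32.100 must be rewritten to 82.10.20.31 before the packet is matched against the phase 2 selector; on the way in the decrypted reply is checked against the selector first and only then translated back to the private host. The addresses are the ones from the post (which, as the post says, are not real), the packets are constructed for the example, and the `Packet`, `Phase2Selector`, `egress` and `ingress` names are this example's own.

```python
import ipaddress
from dataclasses import dataclass, replace

# Addresses from the post (the public ones are, as the post says, not real).
LOCAL_HOST = ipaddress.ip_address("192.168.32.100")  # internal RDP client behind the local pfSense
LOCAL_VIP = ipaddress.ip_address("82.10.20.31")      # spare public IP presented to the customer
REMOTE_VIP = ipaddress.ip_address("92.10.24.53")     # customer's public IP, NATed to 10.1.1.100 on their side

# 1:1 (BINAT) mapping between the internal host and the public VIP, and its inverse.
BINAT = {LOCAL_HOST: LOCAL_VIP}
BINAT_REVERSE = {vip: host for host, vip in BINAT.items()}


@dataclass(frozen=True)
class Packet:
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    dport: int


@dataclass(frozen=True)
class Phase2Selector:
    """Traffic selector of one IPsec phase 2 (local net <-> remote net)."""
    local_net: ipaddress.IPv4Network
    remote_net: ipaddress.IPv4Network

    def matches_outbound(self, pkt: Packet) -> bool:
        return pkt.src in self.local_net and pkt.dst in self.remote_net

    def matches_inbound(self, pkt: Packet) -> bool:
        return pkt.src in self.remote_net and pkt.dst in self.local_net

    def uses_only_public_addresses(self) -> bool:
        """The customer's policy: no RFC 1918 space on either side of the selector."""
        return not (self.local_net.is_private or self.remote_net.is_private)


def egress(pkt: Packet, selector: Phase2Selector, nat_before_ipsec: bool = True):
    """Packet leaving the LAN. Returns ('tunneled', pkt) or ('not-tunneled', pkt).

    With nat_before_ipsec the BINAT rewrites the source to the public VIP before the
    selector lookup. Without it the packet still carries the private source, the
    public-only selector never matches, and the packet never enters the tunnel.
    """
    if nat_before_ipsec and pkt.src in BINAT:
        pkt = replace(pkt, src=BINAT[pkt.src])
    if selector.matches_outbound(pkt):
        return ("tunneled", pkt)
    return ("not-tunneled", pkt)


def ingress(pkt: Packet, selector: Phase2Selector):
    """Packet decrypted from the tunnel: selector check first, then undo the BINAT."""
    if not selector.matches_inbound(pkt):
        return ("dropped", pkt)
    if pkt.dst in BINAT_REVERSE:
        pkt = replace(pkt, dst=BINAT_REVERSE[pkt.dst])
    return ("forwarded", pkt)


# Selector after the customer's policy change: public addresses only.
PUBLIC_SELECTOR = Phase2Selector(
    ipaddress.ip_network("82.10.20.31/32"), ipaddress.ip_network("92.10.24.53/32")
)
# Selector the tunnel used before the change, which the customer now rejects.
OLD_SELECTOR = Phase2Selector(
    ipaddress.ip_network("192.168.32.100/32"), ipaddress.ip_network("10.1.1.100/32")
)


def demo():
    """Run a constructed RDP request and its reply through the gateway and collect the outcomes."""
    rdp_request = Packet(LOCAL_HOST, REMOTE_VIP, 3389)
    out_ok = egress(rdp_request, PUBLIC_SELECTOR)
    out_no_nat = egress(rdp_request, PUBLIC_SELECTOR, nat_before_ipsec=False)
    # The customer's side only ever sees and answers the VIP, never the private host.
    reply = Packet(REMOTE_VIP, LOCAL_VIP, 3389)
    in_ok = ingress(reply, PUBLIC_SELECTOR)
    stray = ingress(Packet(REMOTE_VIP, LOCAL_HOST, 3389), PUBLIC_SELECTOR)
    return {
        "egress_with_binat": out_ok,
        "egress_without_binat": out_no_nat,
        "ingress_reply": in_ok,
        "ingress_to_private_dst": stray,
        "public_selector_allowed": PUBLIC_SELECTOR.uses_only_public_addresses(),
        "old_selector_allowed": OLD_SELECTOR.uses_only_public_addresses(),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The `nat_before_ipsec=False` path is the situation the post runs into: a packet that still carries 192.168.32.100 as its source does not match a selector of 82.10.20.31/32 and is never encapsulated, and the old selector fails the customer's check because both of its networks are RFC 1918 space. This is why the translation has to be tied to the tunnel's phase 2 (applied before the outbound policy lookup and after the inbound one) rather than being an ordinary WAN-side NAT rule, which acts on traffic that has already missed the IPsec policy.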

