NAT Reflection Question, on IPsec.



  • I have 2 servers which I need to access from outside, one Citrix and one Mail server. I can access both fine internally. I can also access these servers via their EXT IP address, but only after I checked "Disables the automatic creation of additional NAT 1:1 mappings for access to 1:1 mappings of your external IP addresses from within your internal networks. Note: Reflection for 1:1 NAT might not fully work in certain complex routing scenarios." This works on the internal network (192.168.1.*), which locally has the servers I am trying to access in this domain. From my remote shared domain connected via IPsec (192.168.2.*), I can't access the ext IP address of the (192.168.1.*) domain; therefore my mail.mydomain.com will not work in the (192.168.2.*) domain. I therefore need to use the LAN IP address, which works, but when a laptop user leaves the building and connects externally they then need to change the IP to the ext address. I had this issue on my 192.168.1.* domain, but this was fixed by selecting "Disables the automatic creation of additional NAT 1:1 mappings for access to 1:1 mappings of your external IP addresses from within your internal networks. Note: Reflection for 1:1 NAT might not fully work in certain complex routing scenarios." Unfortunately, selecting this on my (192.168.2.*) domain doesn't work.

    Also, I see in the system logs of my pfSense in my 192.168.1.* domain that the ext address of the 192.168.2.* domain is being blocked, yet I have fully opened the connection, allowing all incoming from this particular IP. Does anyone have any insight on this? I thought that finding a fix to this situation on the local LAN would have a similar fix for the remote IPsec LAN, but this isn't the case.

    Thank You.



  • Reflection does not work for IPsec hosts. In almost all configurations the public network isn't even sent over the VPN, so it's not needed, unless you're routing everything over the VPN (is that the case?). Sounds like you may have to have split DNS in that setup, or maybe you're misunderstanding what's going on.

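The split-DNS suggestion in the reply above, as an added example that is not part of the original thread or of pfSense itself: a small Python model of a split-horizon resolver. The same public name gets one answer for clients on the local LAN or on the far side of the IPsec tunnel (the LAN address of the server) and another for everyone else (the public address), so a laptop keeps using mail.mydomain.com whether it is inside or outside. The hostnames, the 70.25.x / 192.168.1.x addresses and the two internal networks are constructed placeholders standing in for the thread's values; the `local-data` lines the block renders use Unbound's syntax, which is what pfSense's DNS Resolver (Unbound) host overrides are built on.

```python
import ipaddress
from typing import Optional

# Constructed example data: one name, two answers.
# Public answers are what outside DNS already returns for these names.
PUBLIC_ANSWERS = {
    "mail.mydomain.com": "70.25.0.10",      # placeholder for the 70.25.. WAN address
    "citrix.mydomain.com": "70.25.0.11",
}
# Internal answers are the LAN addresses behind the 1:1 NAT on Domain A.
INTERNAL_ANSWERS = {
    "mail.mydomain.com": "192.168.1.10",
    "citrix.mydomain.com": "192.168.1.11",
}

# Networks whose clients reach Domain A's servers by LAN address:
# the local LAN and the remote LAN reachable over the IPsec tunnel.
INTERNAL_NETS = [
    ipaddress.ip_network("192.168.1.0/24"),  # Domain A
    ipaddress.ip_network("192.168.2.0/24"),  # Domain B, via IPsec
]


def is_internal(client_ip: str) -> bool:
    """True if the querying client sits on a LAN that should get LAN answers."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in INTERNAL_NETS)


def resolve(name: str, client_ip: str) -> Optional[str]:
    """Split-horizon lookup: the answer depends on who is asking, not on the name.

    Names are normalised (case-insensitive, trailing dot stripped) so that
    'MAIL.mydomain.com.' and 'mail.mydomain.com' are the same record.
    Returns None for names this resolver has no override for; a real resolver
    would forward those upstream unchanged.
    """
    key = name.rstrip(".").lower()
    table = INTERNAL_ANSWERS if is_internal(client_ip) else PUBLIC_ANSWERS
    return table.get(key)


def unbound_local_data() -> str:
    """Render the internal answers as Unbound 'local-data' records.

    This is the same record shape a pfSense DNS Resolver host override
    produces; the internal resolver serves these, while the public zone
    on the outside keeps pointing at the WAN addresses.
    """
    lines = []
    for fqdn, addr in sorted(INTERNAL_ANSWERS.items()):
        lines.append(f'local-data: "{fqdn}. A {addr}"')
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed sample clients: LAN, remote LAN over IPsec, and the Internet.
    for client in ("192.168.1.20", "192.168.2.50", "203.0.113.7"):
        print(client, "->", resolve("mail.mydomain.com", client))
    print(unbound_local_data())
```

Usage note: the check that matters in the thread's setup is the second client above. A host on 192.168.2.0/24 asking its own resolver for mail.mydomain.com must get 192.168.1.10, which is routed over the tunnel, rather than 70.25.x, which is not. In pfSense that means Domain B's DNS Resolver carries the same host overrides as Domain A's (or forwards the domain to Domain A's resolver), and the public zone is left untouched.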


  • Thank you for your reply. I admit I am misunderstanding what's going on.

    I'll try to explain this a little better, since I think my first post was too long and not easy to understand.

    (Domain A 192.168.1.1)    Shared to & VPN via IPsec      (Domain B 192.168.2.1)
    ext IP 70.25..                                                        ext IP 50.54..
    Citrix & Mail on Domain A

    Domain B can't reach Domain A if using the ext IP, but can speak using the internal IP 192.168.1.*

    Domain A was only able to contact itself using the ext IP once I selected "Disables the automatic creation of additional NAT 1:1 mappings for access to 1:1 mappings of your external IP addresses from within your internal networks. Note: Reflection for 1:1 NAT might not fully work in certain complex routing scenarios."

    This did not work for Domain B.

    "Reflection does not work for IPsec hosts, in most all configurations the public network isn't even sent over the VPN so it's not needed, unless you're routing everything over the VPN"

    To my knowledge not everything is routed over the VPN; when users browse, they are browsing through their local ISP. When I run speed tests or an IP lookup in Domain B, their IP is displayed (I'm assuming this would let me know).

    "Sounds like you may have to have split DNS in that setup"

    Can you explain this a little further? This may be the case, but if you can provide me with a little direction I'll understand what to change.

    Thank you for the advice.

    I think you already understand my issue, but I wanted to make it a little clearer.

