NAT through IPSEC VPN help please

  • I've really done quite a bit of research and brute force combinations trying to get this to work. I guess I just simply don't know what I'm doing.

    A vendor has asked me to establish a full time IPSEC VPN with them to allow them access to their robot for software maintenance. I've managed establish the Phase 1 Phase 2 link. That part works.

    We need to connect them to me, and what I've been given is as follows:

    • Vendor encryption domain: (they'll be connecting from several IP's to get to one asset)
    • Our encryption domain: (I'm assuming that this is their alias for the next item)
    • The robot end point that they are reaching: (this is on our LAN)

    Can anyone please tell me how I can get their multiple sources to connect to our robot, via the encryption domain, which is a different IP than our LAN address? I'm assuming that the flow is Vendor Encryption domain –> Our encryption domain --> Our LAN address.

  • I would start with making sure nat traversal is on. If they are using the same encryption credentials, then you might have to allow multiple connections. Also, if you have not done this already, go to Firewall -> Rules -> IPSEC and create an allow for the asset. Like source -> any, source ports -> any, destination -> asset, destination port -> any.

  • Thanks for your assistance. A rule allowing all IPSEC traffic is in place. Should I be creating a 1:1 NAT?

    Would a 1:1 with external of, and internal of, and a destination of work in this case?

Log in to reply