Inner NAT thru IPsec tunnel won't establish connection, confused about gateway
  • Hi,

    I'm trying to gather some servers in an inner sanctum, use NAT to hide them, and permit other locations (stores) that are connected with this location (offices) thru secure tunnels to have access to very limited services thru the tunnel and NAT mappings of an inside firewall.

    LAN is 192.168.0.0/16 and has a tunnel to another location at 192.168.30.0/24.  I need to put some servers within an inner LAN (CDE for PCI compliance) and am trying to put it at 192.168.1.112/32 with its inner LAN being 192.168.1.130/24.

    So when I try to establish a connection from a host in the remote location to VNC within the fortress, for example, with a NAT rule to map .1.112:5900 into .130.112 I get a crossed up pair of states, and no session:

    tcp 192.168.30.7:3309 -> 192.168.130.112:5900                                 ESTABLISHED:SYN_SENT
    tcp 192.168.130.112:5900 <- 192.168.1.112:5900 <- 192.168.30.7:3309 SYN_SENT:ESTABLISHED

    We've got pfSense firewalls throughout so here's the time to also say thanks to the whole community.  It's the first problem I've had to post.

    I've looked thru all the advanced options and Googled the heck out of it, and I'm past my level of knowledge.  Can anyone help with a hint or point me in a direction?

    Thanks,

  • The subnet specified for the WAN side of the inner firewall should have been 192.168.1.0/24.  Once I fixed that, all is well.  Problem fixation.

    Thanks to all,
