NAT after IPSEC
  • I have a client that is passing only a single subnet down an IPSEC tunnel. That is working great but I need them to access a resource in a different VLAN.  I would like to simply direct them to an IP inside the subnet they have setup and NAT all traffic to the IP of the resource in the other VLAN.  I tried setting up a Virtual IP and a 1:1 NAT but that doesn't appear to be working.

    Any suggestions on how to implement this would be greatly appreciated.

    Some crude visuals:

    Remote: 10.25.1.0/24 <-> IPSEC <-> Local: 10.25.2.0/24

    Local IP: 10.25.2.200 1:1 NAT to 172.16.10.200 thus allowing 10.25.1.0/24 to access the server that resides at 172.15.10.200 by locally accessing 10.25.1.200.



  • I've got the exact same problem, only 1 subnet through the IPSEC-tunnel, and trying to use a 1:1 NAT to reach resources on a different subnet.

    Anyone know if this is possible? I think the main reason it is not working is that the source of traffic from the 'other side' is not a subnet interface, but the IPSEC interface. In the NAT rule you can't select the IPSEC interface, so the traffic is never matched against this 1:1 rule.

