Mapping VPN addresses to internal LAN addresses
-
I am running a network with a Cisco ASA that is providing DHCP and acting as the gateway for all of the machines on the network. For a variety of reasons, we want to replace the Cisco with a pfSense firewall. So far, we have successfully built and installed the firewall and it is connected to a separate outside IP.
We next installed OpenVPN on the pfSense and that works fine as well, except that from machines that are VPN'd in, we can only ping internal machines that use the pfSense as a gateway, not machines that use the Cisco as a gateway. This is expected since the internal LAN is 192.168.180.0/24 and the VPN addresses are 10.1.1.0/24 so they appear to be 'outside' addresses to machines on the LAN.
I would like to configure the pfSense to map the 10.1.1.x VPN addresses to internal 192.168.180.x addresses so that I can connect to the internal machines.
What is the best way to do that?
Thanks!
-
A better way would be to install a route that routes traffic for the LAN served by the ASA to the ASA. And a route in the ASA sending traffic served by pfSense to pfSense.
Vastly better than trying to do an OpenVPN bridge, which is not a recommended config.
-
Thanks Derelict,
We were hoping that we could run both firewalls together for a period of time as we gradually obsolete the Cisco. The problem is that the Cisco 5505 doesn't have much horsepower and easily becomes overwhelmed in the face of attacks from China. We're working with our ISP, but that seems to be a lengthy process.
In the meantime, we need a reliable VPN to remotely access our internal machines. We have the Cisco at outside address x.x.x.74 and the pfSense at outside address x.x.x.78. So far the pfSense handles all the noise very easily.
I was hoping to "spoof" the internal machines to think that they were talking to another internal machine, even though they are actually talking to the VPN 10.1.1.1. As I mentioned in my previous post, they are all treating the 10.1.1.1 as an external address and sending outbound traffic through the Cisco.
I guess we will have to bite the bullet and just change the firewalls one late night.
Thanks for your thoughts!
-
If you have an extra interface or VLAN on each firewall you just need a /30 between the two and a couple quick static routes. Maybe a couple firewall rules. No big deal.
-
Thanks! I'll check that out.
-
Another easy solution is to add an Outbound NAT rule to pfSense to translate the OVPN net to LAN address:
Interface: LAN
Source: 10.1.1.0/24
Source port: *
Destination: *
Destination port: *
NAT address: LAN address
NAT port: *
Static port: NO
Description: OVPN NAT
So the VPN source IP is translated to the LAN address when the packet goes out the LAN interface, and responses will find the right way back. pfSense does the rest.
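For reference, the same Outbound NAT entry written out as the pf.conf rule pfSense generates, with what it means for reply traffic and for logging noted in the comments. This is an added example, not from the thread; the interface name em1 and the LAN address 192.168.180.254 are assumed placeholders.

```pf
# Added example (not from the thread): viragomann's Outbound NAT entry in
# pf.conf syntax. Assumed: the LAN interface is em1 and carries the pfSense
# LAN address 192.168.180.254 (placeholders, not stated in the thread).
lan_if = "em1"

# Interface LAN, source 10.1.1.0/24 (the OpenVPN tunnel net), any destination:
# rewrite the source to the interface's own address. Static port = NO, so pf
# also picks a fresh source port from the 1024:65535 range.
nat on $lan_if inet from 10.1.1.0/24 to any -> ($lan_if) port 1024:65535

# Effect: a LAN host whose default gateway is still the ASA sees the packet
# as coming from 192.168.180.254, replies to pfSense directly on the LAN,
# and the state entry maps the reply back to the VPN client. The ASA never
# has to know about 10.1.1.0/24.
# Trade-off: the real 10.1.1.x client address is no longer visible to the
# LAN hosts, so per-client attribution lives only in the pfSense state table
# and firewall logs ("pfctl -ss" shows both the translated and the original
# address for each state).
```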
-
Thanks viragomann!
That solution worked perfectly.