IPSec and NATting a client



  • I currently host my network in Amazon's AWS VPC service.  I have a client that needs to connect in to just a MySQL (port 3306) server.  We have the IPSec tunnel up and working, but I needed to use a different subnet on the inside (172.16.23.0/24) on the IPSec connection because we both use 10./8 for internal subnets.

    My networks
    External DMZ: 10.10.10.0/24
    Internal Subnet used for client NAT: 172.16.23.0/24
    pfSense Firewall/VPN Internal IP: 10.10.10.212
    Internal Subnet: 10.10.23.0/24 (where I want to let
    MySQL Server: 10.10.23.37:3306

    Client Networks:
    Internal Subnets: 192.168.193.0/24, 10.158.159.0/24

    How would I create a rule/NAT/etc that would allow any of their hosts to connect to the MySQL server, but nothing else?  I was hoping to NAT 172.16.23.1 directly to 10.10.23.37 and only allow access to port 3306.



  • Did you look at the BINAT settings under the phase2?



  • So I added 10.10.23.0/24 to the NAT/BINAT in the IPSec config and the client still cannot access 10.10.23.37:3306 via 172.16.23.1:3306



  • You have to NAT the phase 2 directly: if your local network is 10.10.23.0/24 and you wanted to masquerade it as 172.16.23.0/24, you would enter 172.16.23.0/24 as the BINAT network. You would then present 10.10.23.37 as 172.16.32.37. If you want to do a single host, enter 10.10.23.37/32 as local and 172.16.23.1/32 as BINAT. Other than that, check the firewall rules on both sides.



  • I finished setting it up this way.  Now on the database server I can see (via tcpdump) the client sending the request, but it's coming as their private subnet.

    I changed our local subnet 10.10.23.0/24 and NAT/BINAT as 172.16.23.0/24.  I'm OK with a one-to-one (.1 to .1, .2 to .2, etc.) NAT, but I need to hide their source IP and have it appear as the 172. subnet.



  • I'm not understanding some part of this. If their side needs to come in as something different, you have to nat on their side. Your BINAT masquerades your network as something else. I thought you were making your 10.x appear as 172.x so they could connect…



  • Correct, I do not want them to know about anything 10.x.x.x on my side because they also use 10.x.x.x on their side.  So, I wanted to create a 172.x.x.x subnet that they could connect to and it would get forwarded to the proper 10.x.x.x host on our side.

    The way I have the tunnel working is the 172 subnet is the internal subnet on our side, so I want to figure out how I can NAT that to the 10 subnet on our side.



  • I'm hoping this clears things up.

    Client (192.168.193.0/24, 10.158.159.0/24) -> Client VPN/FW (Y.Y.Y.Y) <-> Our VPN/FW (X.X.X.X/10.10.10.212,172.16.23.0/24) <-> Our Server (10.10.23.37/24)

    Client's IP is 192.168.193.0/24 or 10.158.159.0/24, we want them to connect to 172.16.23.37 (our side of VPN) but have that NAT'd to the real server of 10.10.23.37.  We created the IPsec tunnel with 2x phase 2 connections (one for each of their subnets).  We want to use the 172 subnet and not even know about the 10 subnet because we both use various parts of the entire 10.x.x.x subnet and there are conflicting subnets.  So if I can have them talk to 172 and proxy that.  Here are my settings:

    Phase 2 (192.168.193.0)
    Mode: Tunnel IPv4
    Local Network: 10.10.23.0/24
    Local BINAT: 172.16.23.0/24
    Remote Network: 192.168.193.0/24

    Phase 2 (10.158.159.0)
    Mode: Tunnel IPv4
    Local Network: 10.10.23.0/24
    Local BINAT: 172.16.23.0/24
    Remote Network: 10.158.159.0/24

    No other Interfaces, Rules, NAT, Virtual IPs, Aliases than the standard ones that come when the Amazon AMI for pfSense was launched.



  • Seems like it should work. Their (client's) phase twos should be:
    local: 192.189.193.0/24
    remote: 172.16.23.0/24
    and
    local: 10.158.159.0/24
    remote: 172.16.23.0/24
    Try with your IPSec rules full open, restrict to the sql server after you get it working.



  • Ok thanks.  I'll have the client check their side.  Also, the BINAT will map

    172.16.23.1 to 10.10.23.1
    172.16.23.2 to 10.10.23.2

    172.16.23.254 to 10.10.23.254

    correct?



  • @mattboston:

    Also, the BINAT will map

    172.16.23.1 to 10.10.23.1
    172.16.23.2 to 10.10.23.2

    172.16.23.254 to 10.10.23.254

    correct?

    Yes, that is correct.


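The thread ends with the one-to-one BINAT mapping (172.16.23.x to 10.10.23.x) and the earlier advice to open the IPsec rules first and restrict to the SQL server once the tunnel works. The following added example (not pfSense code, and not from anyone in the thread) models both pieces in Python: the host-offset translation a 1:1 BINAT performs, and the inbound decision once the firewall rule on the IPsec interface is narrowed to TCP/3306 on the MySQL server. The network objects and function names are assumptions built from the addresses given in the thread.

```python
from ipaddress import ip_address, ip_network

# Values taken from the thread; the object names are this example's own.
LOCAL_NET = ip_network("10.10.23.0/24")        # our real server subnet
BINAT_NET = ip_network("172.16.23.0/24")       # what the client sees via the tunnel
CLIENT_NETS = [ip_network("192.168.193.0/24"), # phase 2 remote networks
               ip_network("10.158.159.0/24")]
MYSQL_REAL = ip_address("10.10.23.37")
MYSQL_PORT = 3306


def binat_translate(addr, src_net, dst_net):
    """1:1 BINAT: keep the host offset, swap the network prefix.

    Works in either direction (BINAT_NET -> LOCAL_NET for inbound
    destinations, LOCAL_NET -> BINAT_NET for outbound sources).
    Returns None when addr is not inside src_net, i.e. not translated.
    """
    if src_net.prefixlen != dst_net.prefixlen:
        raise ValueError("BINAT networks must be the same size")
    addr = ip_address(addr)
    if addr not in src_net:
        return None
    offset = int(addr) - int(src_net.network_address)
    return ip_address(int(dst_net.network_address) + offset)


def inbound_decision(src, dst, dport, proto="tcp"):
    """Model a client packet arriving over the tunnel.

    1. The source must belong to one of the client's phase 2 networks.
    2. The BINAT rewrites the 172.16.23.x destination to 10.10.23.x.
    3. The IPsec-interface rule then allows only TCP/3306 to the MySQL
       host; everything else is dropped (the 'restrict later' step).
    Returns (verdict, detail) so the reason for a drop is visible.
    """
    src, dst = ip_address(src), ip_address(dst)
    if not any(src in net for net in CLIENT_NETS):
        return ("drop", "source not in a phase 2 remote network")
    real_dst = binat_translate(dst, BINAT_NET, LOCAL_NET)
    if real_dst is None:
        return ("drop", "destination not in the BINAT network")
    if proto == "tcp" and real_dst == MYSQL_REAL and dport == MYSQL_PORT:
        return ("pass", str(real_dst))
    return ("drop", f"policy denies {real_dst}:{dport}/{proto}")
```

Return traffic is the mirror image: `binat_translate("10.10.23.37", LOCAL_NET, BINAT_NET)` yields the 172.16.23.37 source the client expects, which is why the client side never needs to know the 10.x address.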