Tunnel to Remote Hosts with Public IP addresses?

I need to set up a VPN tunnel to a vendor with 1-to-1 NAT.

I am having trouble getting the routing to work. Phase 1 is working but I can't get traffic to flow.

The vendor has given me a NAT base to use for the 1 host they need access to. It is a 10.255.x.x. My trusted interface is using 192.168.x.x.

I need 192.168.x.x to NAT to 10.255.x.x then go through the tunnel and access 2 remote hosts that have Public IPs.

Is it possible to do this without using a BOVPN interface? I am wondering if the problem is that the IPs behind the remote VPN gateway are Public.

If it is possible how would I force the traffic to go through the tunnel?

When running diagnostics I get: 1-1NAT Invalid Address Type(0)

Comments

  • FYI - no need to xxx out private IP addrs.
    Since they are private, showing them does not incur any security risk.

    Have you specified the 2 public IP addrs on the BOVPN Tunnel settings in the Remote section, AND specified the 1-to-1 NAT on that BOVPN Tunnel setting ?

  • Review this if you have not already done so:
    Configure 1-to-1 NAT Through a Branch Office VPN Tunnel
    https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/bovpn/manual/bovpn_use_1to1_nat_c.html

  • @Bruce_Briggs I have set the Public IPs that I am trying to reach via the tunnel into the Remote section and set the desired NAT Address in the 1-to-1 section.

    Would the Public Addresses be causing the 1-1NAT Invalid Address Type(0) error?

    When I try to access these Public Addresses the traffic does not go through the tunnel.

  • No idea off hand.
    How are you running diagnostics?
    Web UI, or ?? Where?

    What Fireware version are you running?

    How are you testing the BOVPN? A tracert from one of the 192.168.x.x addrs in the Tunnel Local settings to one of the public IP addrs?

    You can turn on Logging on whatever policy is allowing traffic over the BOVPN, such as a bovpn.out policy.
    If it is being used then I would expect that it should show any NATing happening.

  • Diagnostics from the Web UI. Version is 12.8.2.

    Yes running a tracert.

    The NATing is not happening. The tunnel is not being used.

    Maybe a virtual interface is the only way to do this. I have sent the vendor the documentation for that but figured I'd ask here in case there was something I am missing.

    Thank you for your input @Bruce_Briggs

  • If you have a support contract for your firewall, consider opening a support case on this.

  • And, as suggested in the post you recently looked at, try changing your Tunnel settings - 1 for each public IP addr, and see if that changes anything.

    https://community.watchguard.com/watchguard-community/discussion/2761/bovpn-to-vendors-network-t-40-cisco-asa-5525#latest

  • Figured out the problem.

    I had the tunnel routes set to:
    192.168.0.12<=>Vendor IP #1
    192.168.0.12<=>Vendor IP #2

    The WatchGuard didn't like that.

    Had to use:
    192.168.0.12 =>Vendor IP #1
    192.168.0.12<= Vendor IP #2

    Thank you @Bruce_Briggs and @thejohncarlson!
    I am new to WatchGuard and your responses were helpful.

  • Had you tried this?

    192.168.0.12<=>Vendor IP #1, Vendor IP #2

  • @Bruce_Briggs yes I tried that using a range to specify the 2 remote IPs but the tunnel wouldn't establish with that setup.
