Many to many NAT with uneven IP-Pools
Hey there!
Issue:
As the title reads, I'm struggling with migrating a policy-based IPSec tunnel over to my new Firebox (Model T-45) from the previous firewall (Sonicwall). Currently, the local subnet 10.10.111.0/24 gets mapped via NAT to a smaller subnet 10.10.112.0/28.
The IPSec tunnel's SAs provide this smaller subnet on the local side of the tunnel, while addressing several subnets, as well as host addresses, on the remote end.
While the current firewall seems to be able to map uneven networks via NAT, I can't find a similar option on the Firebox. Trying to configure 1:1 NAT via the BOVPN tunnel throws an error stating that subnets mustn't be of different sizes, while using dynamic NAT just masquerades the source IP of all clients to a single source IP, which could serve as a workaround, but wouldn't be as desirable.
Question:
Am I missing something, or is there just no way to achieve a NAT-mapping between a /24 and a /28 subnet apart from masquerading?
Visual overview:
I could of course rearrange the VPN connection into a route-based type using VTIs and more suitable networks, and there's a good chance I'll just do that. But I'm curious if I overlooked something.
I'll appreciate every answer from you guys, thanks in advance.
**Please mind that the IP addresses provided are just placeholders for the real ones.
Comments
Hi @Pfennigfuchs
1-1 NAT will only work sequentially via a subnet of the same size.
It may be possible to set up specific /32 individual tunnels provided the opposite side isn't expecting a single /28 tunnel. You would need to create a standard BOVPN gateway/tunnel, with each IP mapped out as a specific tunnel.
10.10.111.20/32 <--> 10.10.112.50/32
10.10.111.24/32 <--> 10.10.112.51/32
etc.
If that isn't possible, the subnet will need to be the same on both sides, with the IPs you want to use in order, or you will need to use DNAT.
-James Carson
WatchGuard Customer Support
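The three options discussed in this thread (sequential 1-1 NAT between equal-sized subnets, per-host /32 tunnel mappings when the sizes differ, and dynamic NAT masquerading as the fallback) can be modelled as plain address arithmetic. The script below is an added example written for this page; it is not from the original poster, from James Carson, or from any WatchGuard product, and it only models the mapping logic rather than producing Fireware configuration. The subnets and host addresses are the placeholders used in the thread, and `plan()` is a hypothetical helper that picks the option a firewall with these constraints would allow.

```python
import ipaddress
from typing import Dict, List, Tuple

# Placeholder networks taken from the thread (not real addresses).
LOCAL_SUBNET = "10.10.111.0/24"
NAT_SUBNET = "10.10.112.0/28"


def sequential_one_to_one(local_cidr: str, nat_cidr: str) -> Dict[str, str]:
    """Sequential 1-1 NAT: the n-th usable host of the local subnet maps to the
    n-th usable host of the NAT subnet. Only defined for subnets of the same size,
    which is exactly the restriction the Firebox reports for a /24 vs /28."""
    local = ipaddress.ip_network(local_cidr)
    nat = ipaddress.ip_network(nat_cidr)
    if local.prefixlen != nat.prefixlen:
        raise ValueError(
            f"1-1 NAT needs equal-sized subnets: {local} is /{local.prefixlen}, "
            f"{nat} is /{nat.prefixlen}"
        )
    return {str(a): str(b) for a, b in zip(local.hosts(), nat.hosts())}


def host_tunnels(pairs: List[Tuple[str, str]], nat_cidr: str) -> List[Tuple[str, str]]:
    """Build explicit /32 <--> /32 selectors for per-host tunnels from (local, nat)
    pairs. Rejects NAT addresses outside the agreed pool and rejects reuse on
    either side, so two internal hosts never share one translated address."""
    nat = ipaddress.ip_network(nat_cidr)
    seen_local, seen_nat = set(), set()
    selectors = []
    for local_ip, nat_ip in pairs:
        lo = ipaddress.ip_address(local_ip)
        na = ipaddress.ip_address(nat_ip)
        if na not in nat:
            raise ValueError(f"{na} is not inside the NAT pool {nat}")
        if lo in seen_local or na in seen_nat:
            raise ValueError(f"duplicate mapping involving {lo} or {na}")
        seen_local.add(lo)
        seen_nat.add(na)
        selectors.append((f"{lo}/32", f"{na}/32"))
    return selectors


def masquerade(hosts: List[str], egress_ip: str) -> Dict[str, str]:
    """Dynamic NAT: every listed host is translated to the single egress address,
    so the remote side can no longer tell the internal hosts apart."""
    egress = str(ipaddress.ip_address(egress_ip))
    return {str(ipaddress.ip_address(h)): egress for h in hosts}


def plan(local_cidr: str, nat_cidr: str, hosts_needing_access: List[str]):
    """Hypothetical decision helper: choose the mapping style the thread describes.
    Returns (mode, mapping)."""
    local = ipaddress.ip_network(local_cidr)
    nat = ipaddress.ip_network(nat_cidr)
    if local.prefixlen == nat.prefixlen:
        return ("1-1 NAT", sequential_one_to_one(local_cidr, nat_cidr))
    pool = [str(h) for h in nat.hosts()]
    if len(hosts_needing_access) <= len(pool):
        # Uneven sizes but enough pool addresses: one /32 tunnel per host.
        pairs = list(zip(hosts_needing_access, pool))
        return ("per-host /32 tunnels", host_tunnels(pairs, nat_cidr))
    # More hosts than pool addresses: only masquerading remains.
    return ("dynamic NAT", masquerade(hosts_needing_access, pool[0]))


if __name__ == "__main__":
    mode, mapping = plan(LOCAL_SUBNET, NAT_SUBNET, ["10.10.111.20", "10.10.111.24"])
    print(mode)
    for entry in (mapping.items() if isinstance(mapping, dict) else mapping):
        print(*entry)
```

Running it with the thread's placeholder subnets prints the per-host /32 pairs, because a /28 pool cannot be mapped sequentially onto a /24 but does have room for the two example hosts; passing more than 14 hosts drops the plan back to a single masqueraded address.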