Crazy NAT Situation

Ok, this network was designed over three remote locations. They all sit on a .254 subnet /24. The T1 that connects them all is basically going away. We have managed radio shots via an ISP to provide internet and I have dropped in fireboxes at each location.

I have convinced everything at each local site that their gateway is the same .254.90 address. So everything locally can still communicate at each site. There are hardware dependent IPs that need to talk to the other sites, and they all make calls on .254 addresses not at their local sites. VPN NAT doesn't solve the problem because we would have to reprogram all the hardware to call on the new NAT addresses. That would be extensive.

Is there any way to have Site A call for an previously used address at site B and have that translated to the NAT address for Site B and vice versa?

Currently I can have Site A NAT as .245.x and site B as .250.x and pass traffic, but the hardware at Site A isn't programmed to call .245 at Site B and Site B is programmed to call .254 at Site A. I need those calls to be translated to calls to the NAT addresses at the other site.

Answers

  • james.carsonjames.carson Moderator, WatchGuard Representative

    Hi @Gmanry

    -Are you sending traffic across a new leased line or a branch office VPN?

    If so, see:
    (BOVPN and Network Address Translation)
    https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/bovpn/manual/bovpn_and_nat.html

    If you're going over a leased line that is marked as an external interface, see:
    (Apply NAT Rules)
    https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/policies/apply_nat_rules_c.html

    You may also be able to use Static NAT, but I'm not 100% sure based on your description:

    Configure Static NAT (SNAT)
    https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/nat/nat_static_config_about_c.html

    It may be more helpful to open a support case with a network diagram (with the before, and what you're trying to do with your network)

    Thank you,

    -James Carson
    WatchGuard Customer Support

  • You are switching from a bridge setup to a routing setup.
    In a routed environment, nothing for the local subnet will be routed anyplace else.
    NAT won't help to get from a .254.x subnet to a different location with a .254.x IP addr.
    One would need to send packets to a different subnet than .254.x to get packets routed to a different location, as you have already seen.

    The only solution that I can think of is if you can partition the .254.subnet into 3 parts, such as .254.x/26, so that there are unique subnets at each site.
    This would result in 64 IP addrs per /26 subnet.
    Would this work?
    What are the actual hardware dependent IP addrs involved?

  • Note that you can have multiple subnets at each site - so the main subnet a 1 site could be .245.0/24 while there is small .254.x/? subnet at it too.

  • edited April 23

    Bruce, I had considered subnetting the three sites. I will see what we can accomplish with that. I appreciate the feedback.

    Each site used 254.90 as its gateway. I suppose we would need to make that change, but it is easier than reprogramming all the hardware. Thanks again.

Sign In to comment.