Topic: Need help on One to One NAT configuration
Author: elvinmammadov
Posted: July 12, 2024, 10:24:48 am
Hello,
I need your help on the following case.
We have IPsec VPN connections with our customers and our internal network.
Internal Network: 172.16.210.0/24
Recently we have prepared a new device on the DMZ network.
DMZ network: 172.16.220.0/24
Linux OS machine: 172.16.220.1
The customer should communicate with a device on the DMZ network through the IPsec VPN. Since there are over 50 IPsec VPN connections, we can't add a Phase 2 to the current VPN connection.
I have created a Virtual IP: 172.16.210.100/32
That's why we decided to use One to One NAT on the IPsec interface, which should work in this way: 172.16.210.100 <---> 172.16.220.1
I have created firewall rules on the IPsec and DMZ interfaces to allow the traffic.
If I telnet to the port of the device located in the DMZ, it doesn't pass through. The device runs Linux and it shows that it has received a packet (SYN_RECV):
root@mail:~# netstat -tulpan | grep :587
tcp6 0 0 :::587 :::* LISTEN 974/hbbr
tcp6 0 0 172.16.220.1:587 10.154.181.41:64203 SYN_RECV -
That's why I think the Linux machine can't send a SYN-ACK to the customer IP address.
Most probably it still tries to reply from 172.16.220.1, but it should go through 172.16.210.100.
It should be:
DMZ 172.16.220.1 --> Virtual IP 172.16.210.100 --> customer network
customer network --> Virtual IP 172.16.210.100 --> DMZ 172.16.220.1
Could you please give me a hint where I have made a mistake?
Last Edit: July 12, 2024, 04:29:24 pm by elvinmammadov
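To illustrate what the post's own hypothesis (the reply leaving from 172.16.220.1 instead of 172.16.210.100) means for the TCP handshake, here is an added Python model of stateful 1:1 NAT; it is not code from the post or from OPNsense, the class and function names are assumptions, and only the addresses and ports are the ones quoted above.

```python
# Added example (not from the post): stateful 1:1 NAT model for the VIP <-> DMZ
# mapping above; addresses and ports are the ones quoted in the post.
from dataclasses import dataclass

VIP = "172.16.210.100"      # virtual IP presented to the customer
DMZ_HOST = "172.16.220.1"   # real address of the Linux host in the DMZ
CUSTOMER = "10.154.181.41"  # customer address seen in the netstat output

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str

class OneToOneNat:
    """Hypothetical 1:1 NAT: external (VIP) address <-> internal address."""
    def __init__(self, external, internal):
        self.external, self.internal = external, internal
        self.states = set()  # (remote_ip, remote_port, internal_ip, local_port)

    def inbound(self, pkt):
        """Packet from the customer toward the VIP: rewrite dst, record state."""
        if pkt.dst != self.external:
            return pkt  # not addressed to the VIP, pass untouched
        self.states.add((pkt.src, pkt.sport, self.internal, pkt.dport))
        return Packet(pkt.src, pkt.sport, self.internal, pkt.dport, pkt.flags)

    def outbound(self, pkt):
        """Reply toward the customer: rewrite src only if a state matches."""
        key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if pkt.src == self.internal and key in self.states:
            return Packet(self.external, pkt.sport, pkt.dst, pkt.dport, pkt.flags)
        return pkt  # no matching state: reply leaves with the DMZ address

def customer_accepts(syn, reply):
    """A TCP client only accepts a SYN-ACK from the address:port it sent the SYN to."""
    return reply.flags == "SYN-ACK" and (reply.src, reply.sport) == (syn.dst, syn.dport)

def handshake(nat, reply_passes_nat):
    """Run SYN / SYN-ACK through the model; returns (accepted, src the customer saw)."""
    syn = Packet(CUSTOMER, 64203, VIP, 587, "SYN")
    at_host = nat.inbound(syn)  # the host sees 10.154.181.41 -> 172.16.220.1:587
    synack = Packet(at_host.dst, at_host.dport, at_host.src, at_host.sport, "SYN-ACK")
    on_wire = nat.outbound(synack) if reply_passes_nat else synack
    return customer_accepts(syn, on_wire), on_wire.src
```

When the SYN-ACK bypasses the NAT state it reaches the customer with source 172.16.220.1, the client discards it, and the server side stays in SYN_RECV exactly as in the netstat output above.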