Hi There,
Scenario: multi-tenanted network service residing at "Site A". Subsequent networks are added as "Customer Networks".
For testing, there is an IPsec VPN between Customer A's two networks (192.168.53.0 & 10.100.100.0/23).
Overview/Problem:
For the solution to work correctly, Customer A's location at Site B needs to access a small subset of IP addresses on the management network of Site A, which is not directly configured in the VPN policy. To work around this I've NATed an address range in their own network to go to the management network (for example, 192.168.53.15 is configured on their end, but it is DST NATed to 192.168.50.13), which works well. For customers who use 192.168.50.0/24 within their internal network this will work, given that their network at Site A can be anything.
What works: I can ping from both sides of the network successfully; however, TCP only seems to work in one direction. I think my problem is similar to this one, http://forum.mikrotik.com/t/need-help-with-vpn-and-src-nat/115539/1, however I can't work out how to do the following: "However, if another connection is initiated from the remote side, its initial packet does not hit the srcnat rule, so the whole miracle above cannot happen. So to ensure similar handling for connections initiated from behind the Sonicwall, you have to use dstnat rules in the prerouting chain which take care of this category of initial packets."
Site A:
Management network: 192.168.50.0/24 (VLAN 50)
Customer A: 192.168.51.0/24 (VLAN 51)
Site B: Customer A Network: 10.100.100.0/23
Config (relevant lines):
2 ;;; NETMAP DST
chain=dstnat action=netmap to-addresses=192.168.50.12/30 src-address=10.100.100.0/23 dst-address=192.168.53.12/30 log=yes log-prefix=""
3 chain=srcnat action=netmap to-addresses=192.168.53.12/30 src-address=192.168.50.12/30 dst-address=10.100.100.0/23 log=yes log-prefix=""
5 chain=srcnat action=accept src-address=192.168.53.0/24 dst-address=10.100.100.0/23 log=no log-prefix=""
VPN policy:
src-address=192.168.53.0/24 src-port=any dst-address=10.100.100.0/23 dst-port=any protocol=all action=encrypt level=require ipsec-protocols=esp tunnel=yes sa-src-address=X.X.X.X sa-dst-address=X.X.X.X proposal=default ph2-count=1
Thanks,
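Added example (Python; not part of the post and not RouterOS code): a toy model of the 1:1 netmap mapping and of connection tracking, using the prefixes from the rules above, to show why the quoted advice calls for both a prerouting dstnat rule and a postrouting srcnat rule: replies are reversed from the flow table without consulting any rule, but each direction of new connections needs its own rule. Note that netmap keeps the host bits, so 192.168.53.15 maps to 192.168.50.15 under these /30 rules; the class and flow-table shape are assumptions of this model.

```python
import ipaddress

# Constructed prefixes taken from the post: the real management hosts, the alias
# range carried inside the VPN policy, and the customer network at Site B.
MGMT = ipaddress.ip_network("192.168.50.12/30")
ALIAS = ipaddress.ip_network("192.168.53.12/30")
REMOTE = ipaddress.ip_network("10.100.100.0/23")


def netmap(addr, src_net, dst_net):
    """1:1 netmap: keep the host bits, swap the network prefix (equal lengths)."""
    a = ipaddress.ip_address(addr)
    if a not in src_net or src_net.prefixlen != dst_net.prefixlen:
        return None
    offset = int(a) - int(src_net.network_address)
    return str(ipaddress.ip_address(int(dst_net.network_address) + offset))


class NetmapNat:
    """Toy NAT with connection tracking: a reply is reversed from the flow table
    and never consults a rule, so each direction of *new* connections needs its
    own rule (dstnat in prerouting for remote-initiated, srcnat for local)."""

    def __init__(self, with_dstnat=True):
        self.with_dstnat = with_dstnat  # False models the "srcnat only" setup
        self.flows = {}  # (src, dst) as it arrives -> (src, dst) as it leaves

    def from_remote(self, src, dst):
        """Packet decrypted from Site B, entering prerouting."""
        if (src, dst) in self.flows:             # reply to a local-initiated flow
            return self.flows[(src, dst)]
        real = netmap(dst, ALIAS, MGMT)
        if self.with_dstnat and real and ipaddress.ip_address(src) in REMOTE:
            self.flows[(real, src)] = (dst, src)  # teach postrouting how to reply
            return (src, real)
        return (src, dst)                         # untranslated: no rule matched

    def to_remote(self, src, dst):
        """Packet from a management host heading to Site B, in postrouting."""
        if (src, dst) in self.flows:             # reply to a remote-initiated flow
            return self.flows[(src, dst)]
        alias = netmap(src, MGMT, ALIAS)
        if alias and ipaddress.ip_address(dst) in REMOTE:
            self.flows[(dst, alias)] = (dst, src)  # teach prerouting how to reply
            return (alias, dst)
        return (src, dst)
```

With `with_dstnat=False` a new connection from Site B to the alias range passes through untranslated and never reaches a management host, while locally initiated connections and their replies still work, which is the one-directional behaviour the quoted forum reply describes.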