sofaware.infopop.cc
SofaWare Discussion Groups
SmartCenter Management
VPN Edge X, NAT in Enterprise VPN ?
Topic Closed
[Repost from the "Internet Security Appliances" forum, where I first posted it erroneously, sorry.]

Should the Edge X device be able to NAT nodes from the LAN for connections going through an enterprise VPN?

Edge X, fw 6.0.74, connected to an NGAIR55 SmartCenter with libsw 6.0.81. LAN network is 10/8 (customer, don't ask), DMZ port is 172.19.29/24. Local VPN endpoints are a couple of NGAIR55 Nokia modules running VRRP. Local network is 172.18.1/24.

In SmartCenter the following is defined:
- the local Nokia cluster object, encryption domain manual, contains 172.18/16 and other networks (no 10 network)
- the Edge object, encryption domain manual, contains 172.19.29/24
- a NAT rule 10/8 -> 172.18.1/24 port any, translate to 172.19.29.200 (hide) -> original, port original, install on "the Edge configuration container"
- relevant security rules permitting traffic, install on "the Nokia cluster object"

When trying to connect from a node on the physical DMZ port network (real IP 172.19.29.x), the tunnel comes up normally, all OK.

When trying to connect from a LAN 10/8 node to a 172.18.1 node (source should be hide-NATed to 172.19.29.200), Tracker has these logs:
- IKE Main mode completion
- IKE Quick mode completion for 172.28/16 and <edge public ip address>
- IKE Quick mode completion for <edge public ip address> and 10/8 (which is not mentioned in any encryption domain)
- IKE Quick mode completion for 172.18/16 and 10/8
- drop <10 node ip> -> <172.18 ip> "encryption failure: Cannot identify peer for encrypted connection (VPN Error code 04)"

but no Quick mode for 172.19/29 and 172.18/16 (and the connection fails). "info nat" on the Edge does not show any entry.

I also tried to NAT the LAN nodes on a network different from the DMZ port (with correct encryption domains); it doesn't work either. I also tried NAT 10/8 -> any (always NAT) and so on; it never seemed to be used, as if NAT is ignored if the traffic goes into a tunnel.

Is there any solution to this, or am I doing something wrong? Performing NAT on the central endpoint would create loads of conflicts due to that 10/8 network.

Is this kind of configuration even supported on the Edge X series? Possibly with v7 firmware? Thanks
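The failure in the logs above comes down to one question: which source address does the gateway use when it looks up an encryption domain to pick a tunnel peer, the pre-NAT 10/8 address or the hide-NATed 172.19.29.200? The following script is an added example, not code from the original post, from SofaWare or from Check Point. It models the two orderings over the encryption domains, NAT rule and addresses quoted in the post (the cluster domain's "other networks" are omitted) and shows which one reproduces "Cannot identify peer" for the LAN host while the DMZ host works in both. The domain-pairing logic is a simplified assumption, not Check Point's documented algorithm; the flows are constructed test values.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

IPv4 = ipaddress.IPv4Address
Net = ipaddress.IPv4Network

# Encryption domains as described in the post (constructed from the text;
# the Nokia cluster's additional networks are omitted, none of them is 10/8).
ENCRYPTION_DOMAINS: Dict[str, List[Net]] = {
    "nokia-cluster": [ipaddress.ip_network("172.18.0.0/16")],
    "edge-x": [ipaddress.ip_network("172.19.29.0/24")],
}

# The hide-NAT rule from the post: 10/8 -> 172.18.1/24, source hidden behind 172.19.29.200.
NAT_RULES = [
    {
        "orig_src": ipaddress.ip_network("10.0.0.0/8"),
        "orig_dst": ipaddress.ip_network("172.18.1.0/24"),
        "xlate_src": ipaddress.ip_address("172.19.29.200"),
    }
]


def apply_hide_nat(src: IPv4, dst: IPv4) -> IPv4:
    """Return the source address after the first matching hide-NAT rule, or unchanged."""
    for rule in NAT_RULES:
        if src in rule["orig_src"] and dst in rule["orig_dst"]:
            return rule["xlate_src"]
    return src


def find_domain(addr: IPv4) -> Optional[str]:
    """Name of the gateway whose encryption domain contains addr, or None if no domain matches."""
    for name, nets in ENCRYPTION_DOMAINS.items():
        if any(addr in net for net in nets):
            return name
    return None


def select_peers(src: str, dst: str, nat_before_domain_lookup: bool) -> Optional[Tuple[str, str]]:
    """
    Assumed model (not Check Point's documented algorithm): the gateway pairs the
    domain containing the source with the domain containing the destination to
    choose the tunnel peers. With nat_before_domain_lookup=False the lookup uses the
    pre-NAT source; with True it uses the hide-NATed source.
    Returns (source_gateway, destination_gateway) or None when no peer can be identified.
    """
    s = ipaddress.ip_address(src)
    d = ipaddress.ip_address(dst)
    lookup_src = apply_hide_nat(s, d) if nat_before_domain_lookup else s
    src_domain = find_domain(lookup_src)
    dst_domain = find_domain(d)
    if src_domain is None or dst_domain is None or src_domain == dst_domain:
        return None
    return (src_domain, dst_domain)


def diagnose(src: str, dst: str) -> Dict[str, Optional[Tuple[str, str]]]:
    """Compare both orderings for one flow so the two outcomes can be read side by side."""
    return {
        "pre_nat_lookup": select_peers(src, dst, nat_before_domain_lookup=False),
        "post_nat_lookup": select_peers(src, dst, nat_before_domain_lookup=True),
    }


if __name__ == "__main__":
    # Constructed sample flows: a DMZ host (works in the post) and a LAN host (fails in the post).
    for flow in [("172.19.29.10", "172.18.1.5"), ("10.1.2.3", "172.18.1.5")]:
        print(flow, diagnose(*flow))
```

Running it, the DMZ flow resolves to the edge-x / nokia-cluster pair under both orderings, while the 10.1.2.3 flow resolves only when the domain lookup sees the NATed source; with the pre-NAT source there is no domain containing 10/8 and the model returns None, which is the outcome the Tracker drop describes. If a NAT rule is meant to make a LAN host eligible for a tunnel, the check to make before touching IKE settings is therefore whether the address that enters domain matching is the one the encryption domains actually contain.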