Scribd Logo
Upload

Welcome to Scribd!

  • 72 views

    Natting - Over - Site To Site VPN

    Uploaded by

    Amir Hassan
    This document provides instructions on how to configure NAT over a site-to-site VPN connection between a head office and branch office network to differentiate the local and remote networks that have overlapping IP ranges. It involves creating IPSec connections on the head office and branch office Cyberoam devices, specifying NATted local and remote networks, and activating the connections. This allows traffic to be properly routed between the distinct local networks over the VPN tunnel.

    Copyright:

    © All Rights Reserved
    Download as PDF, TXT or read online from Scribd

    Natting - Over - Site To Site VPN

    Uploaded by

    Amir Hassan
    72 views7 pages
    This document provides instructions on how to configure NAT over a site-to-site VPN connection between a head office and branch office network to differentiate the local and remote networks that have overlapping IP ranges. It involves creating IPSec connections on the head office and branch office Cyberoam devices, specifying NATted local and remote networks, and activating the connections. This allows traffic to be properly routed between the distinct local networks over the VPN tunnel.

    Original Description:

    How to configure Nat over site to site VPN.

    Original Title

    Natting_over_Site to Site VPN

    Copyright

    © © All Rights Reserved

    Available Formats

    PDF, TXT or read online from Scribd

    Did you find this document useful?

    Is this content inappropriate?

    This document provides instructions on how to configure NAT over a site-to-site VPN connection between a head office and branch office network to differentiate the local and remote networks that have overlapping IP ranges. It involves creating IPSec connections on the head office and branch office Cyberoam devices, specifying NATted local and remote networks, and activating the connections. This allows traffic to be properly routed between the distinct local networks over the VPN tunnel.

    Copyright:

    © All Rights Reserved
    Download as PDF, TXT or read online from Scribd
    Download as pdf or txt
    72 views7 pages

    Natting - Over - Site To Site VPN

    Uploaded by

    Amir Hassan
    This document provides instructions on how to configure NAT over a site-to-site VPN connection between a head office and branch office network to differentiate the local and remote networks that have overlapping IP ranges. It involves creating IPSec connections on the head office and branch office Cyberoam devices, specifying NATted local and remote networks, and activating the connections. This allows traffic to be properly routed between the distinct local networks over the VPN tunnel.

    Copyright:

    © All Rights Reserved
    Download as PDF, TXT or read online from Scribd
    Download as pdf or txt
    You are on page 1of 7

    How To Apply NAT over Site-to-Site VPN

    connection How To Apply NAT over Site-to-Site VPN connection

    Applicable Version: 10.00 onwards

    Scenario
    Consider the following network wherein both the Head Office (HO) LAN and the Branch Office (BO)
    LAN have the same internal IP schema.

    Network Parameters
    Local Server (WAN IP address) 192.168.20.105
    HO Network details Local LAN address 172.16.16.0/24
    Local NATted Address 172.16.15.0/24
    VPN server (WAN IP address) 192.168.20.191
    BO Network details LAN Network 172.16.16.0/24
    NATted Address 172.16.17.0/24

    As a result, the VPN endpoints fail to differentiate between own network and remote network. Any
    request initiated from HO destined for BO would be served within HO itself and vice versa. For
    example, a host from HO initiates a request to host 172.16.16.10 in BO, but it is responded by Host
    172.16.16.10 in the HO itself because the endpoint cannot differentiate between HO LAN and BO
    LAN.

    As a solution to this, Cyberoam provides NATting over VPN which allows Cyberoam to assign Dummy
    LAN IP address (NATted LAN) to differentiate between LANs at both ends. This article describes how
    you can configure an IPSec Connection using NATted LANs.
    How To Apply NAT over Site-to-Site VPN connection

    HO Configuration
    The configuration is to be done from HO Cyberoam Web Admin Console using profile having read-
    write administrative rights for relevant feature(s).

    Step 1: Create IPSec Connection


    To create a new IPSec connection, go to VPN > IPSec > Connection and click Add. Create the
    connection using the following parameters.

    Parameter Description

    Parameter Value Description

    Name HO_to_BO Name to identify the IPSec Connection


    Select Type of connection.
    Available Options:
    Connection Type Site to Site Remote Access
    Site to Site
    Host to Host
    Policy DefaultHeadOffice Select policy to be used for connection
    Select the action for the connection.
    Available options:
    Action on VPN Restart Respond Only Respond Only
    Initiate
    Disable
    Authentication details
    Select Authentication Type. Authentication of user
    Authentication Type Preshared Key
    depends on the connection type.
    Preshared key should be the same as that configured
    Preshared Key 123456789
    in remote site.
    Endpoints Details

    Local PortB-192.168.20.105 Select local port which acts as end-point to the tunnel

    Remote 192.168.20.191 Specify IP address of the remote endpoint.

    Local Network Details


    Select Local LAN Address. Add and Remove LAN
    Local Subnet 172.16.15.0/24
    Address using Add Button and Remove Button
    How To Apply NAT over Site-to-Site VPN connection

    If NAT Local LAN is configured, select IP Host or


    NATed LAN 172.16.16.0/24 Network Host from the available list. IP Host can also
    be added by clicking on the Add IP Host link.
    Remote Network Details
    Select Remote LAN Address. Add and Remove LAN
    Remote LAN Network 17.16.17.0/24
    Address using Add Button and Remove Button

    Click OK to create IPSec connection.


    How To Apply NAT over Site-to-Site VPN connection

    Step 2: Activate Connection


    On clicking OK, the following screen is displayed showing the connection created above.

    Click under Status (Active) to activate the connection.

    BO Configuration
    The configuration is to be done from BO Cyberoam Web Admin Console using profile having read-
    write administrative rights for relevant feature(s).

    Step 1: Create IPSec Connection


    To create a new IPSec connection, go to VPN > IPSec > Connection and click Add. Create the
    connection using the following parameters.
    How To Apply NAT over Site-to-Site VPN connection

    Parameter Description

    Parameter Value Description


    Name BO_to_HO Name to identify the IPSec Connection
    Select Type of connection.
    Available Options:
    Connection Type Site to Site Remote Access
    Site to Site
    Host to Host
    Policy DefaultBranchOffice Select policy to be used for connection
    Select the action for the connection.
    Available options:
    Action on VPN
    Initiate Respond Only
    Restart
    Initiate
    Disable
    Authentication details
    Select Authentication Type. Authentication of user
    Authentication Type Preshared Key
    depends on the connection type.
    Preshared key should be the same as that configured
    Preshared Key 123456789
    in remote site.
    Endpoints Details
    Local PortB-192.168.20.191 Select local port which acts as end-point to the tunnel
    Remote 192.168.20.105 Specify IP address of the remote endpoint.
    Local Network Details
    Select Local LAN Address. Add and Remove LAN
    Local Subnet 172.16.17.0/24
    Address using Add Button and Remove Button
    If NAT Local LAN is configured, select IP Host or
    NATed LAN 172.16.16.0/24 Network Host from the available list. IP Host can also
    be added by clicking on the Add IP Host link.
    Remote Network Details
    Select Remote LAN Address. Add and Remove LAN
    Remote LAN Network 172.16.15.0/24
    Address using Add Button and Remove Button
    How To Apply NAT over Site-to-Site VPN connection

    Step 2: Activate and Establish Connection


    On clicking OK, the following screen is displayed showing the connection created above.
    How To Apply NAT over Site-to-Site VPN connection

    Click under Status (Active) and Status (Connection).

    The above configuration establishes an IPSec connection between the HO and BO.

    Note:

    Make sure that Firewall Rules that allow LAN to VPN and VPN to LAN traffic are configured.

    In a Head Office and Branch Office setup, usually the Branch Office acts as the tunnel initiator
    and Head Office acts as a responder due to following reasons:
    Since Branch Office or other Remote Sites have dynamic IPs, Head Office is not able to
    initiate the connection.
    As there can be many Branch Offices, to reduce the load on Head Office it is a good practice
    that Branch Offices retries the connection instead of the Head Office retrying all the branch
    office connections.

    Document Version 1.3 11 July, 2014

    You might also like