BrianD
Participant

Customer VLAN Outbound NAT with Site-to-Site

We have several customers who have a VLAN behind our GAIA (latest version). In order for those servers to reach the Internet we have to create a rule that states all traffic from this VLAN subnet, to any destination, goes out of a certain public IP address.

[screenshot: 2021-12-30_09-03-29.png]

However, when a customer needs a site-to-site tunnel from their office to their VLAN subnet, the traffic on the tunnel is also being NAT'd due to the rule stated above.

How can we specify that the NAT rule for Internet access only applies to traffic destined out of the WAN interface (to the Internet) and not to devices across their site-to-site tunnel in their corporate network?

Thank you!

2 Solutions

Accepted Solutions
genisis__
Advisor

Found this

"If there is a static nat with a dest of any then it will perform the source nat even when the traffic is going across the VPN as that will match any.

If the VPN is configured so that both ends expect to see the physical IP of the boxes on the subnets at both ends then if you nat the source then the far end will say that shouldn't have been decrypted as it is not part of what it sees as the encryption domain of the sending gateway.

As the NAT is performed at the gateway, you can send what you like specifying the src IP on the sending host; if that src has a NAT applied then it will apply the NAT, which is exactly what is happening.

Disable NAT inside community applies to ALL nat both Hide and Static.

What you are getting is correct behaviour for your configuration, as by Disabling NAT inside community it creates an implied NAT rule that prevents the static and hide NATs, whether manual or automatic, from taking place by being inserted at the top of the NAT rules.

If you uncheck the Disable NAT in the community then the NAT rules will be applied, and the traffic fails to pass correctly as it does not receive at the far end what it expects to see."

Alternatively, create a NAT rule above rule 11 that is more specific to your needs, for example:

Rule ID: 10

SRC: VLAN24

DST: Remote encryption domain DSTs (I assume you have a group or network object for this)

---

SRC: Original

DST: Original

the_rock
Champion

Yes, it's that simple. Also, you can create a no-NAT rule between the 2 networks in question... so just specify the right src/dst in the original packet and leave the translated packet all as Original (that will force NAT not to take place between those networks).

Andy

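The two fixes in the accepted solutions above (a more specific no-NAT rule placed above rule 11, and "Disable NAT inside the VPN community" acting as an implied no-NAT rule at the top of the rulebase) come down to first-match ordering of the NAT rulebase. The following is an added example, not code from the thread or from Check Point: a small Python model of first-match NAT evaluation, plus the far end's check that a decrypted packet's source sits inside the sending gateway's encryption domain. The object names and addresses (VLAN24 as 10.24.0.0/24, the remote encryption domain as 192.168.50.0/24, the hide-NAT address 203.0.113.10) are assumed for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Constructed sample addressing (assumptions, not from the thread).
VLAN24 = "10.24.0.0/24"            # assumed: the "VLAN24" network object
REMOTE_ENCDOM = "192.168.50.0/24"  # assumed: remote office encryption domain
PUBLIC_IP = "203.0.113.10"         # assumed: the hide-NAT public address
INTERNET_HOST = "198.51.100.77"    # an arbitrary Internet destination


@dataclass(frozen=True)
class NatRule:
    rule_id: int
    orig_src: str             # network object (CIDR) or "Any"
    orig_dst: str             # network object (CIDR) or "Any"
    xlate_src: Optional[str]  # None means "Original" (no source translation)
    comment: str = ""


def _matches(obj: str, ip: str) -> bool:
    """True if ip falls inside the rule column; "Any" matches everything."""
    return obj == "Any" or ip_address(ip) in ip_network(obj)


def apply_nat(rules: List[NatRule], src: str, dst: str) -> Tuple[Optional[int], str]:
    """First-match NAT lookup: the first rule whose original src and dst both
    match wins. Returns (matched rule id or None, source as the far end sees it)."""
    for rule in rules:
        if _matches(rule.orig_src, src) and _matches(rule.orig_dst, dst):
            return rule.rule_id, (src if rule.xlate_src is None else rule.xlate_src)
    return None, src


def peer_accepts(decrypted_src: str, sender_encdom: str = VLAN24) -> bool:
    """The remote gateway drops a decrypted packet whose source is outside the
    sending gateway's encryption domain; a hide-NAT'd source fails this check."""
    return ip_address(decrypted_src) in ip_network(sender_encdom)


HIDE_NAT = NatRule(11, VLAN24, "Any", PUBLIC_IP, "VLAN24 -> Internet behind public IP")
NO_NAT = NatRule(10, VLAN24, REMOTE_ENCDOM, None, "VLAN24 -> remote office: Original")

# As posted: rule 11 alone also catches VPN-bound traffic, because dst is Any.
RULEBASE_AS_POSTED = [HIDE_NAT]
# Suggested fix: the more specific no-NAT rule sits above rule 11.
RULEBASE_FIXED = [NO_NAT, HIDE_NAT]
# Same two rules in the wrong order: first match still hide-NATs the VPN traffic.
RULEBASE_WRONG_ORDER = [HIDE_NAT, NO_NAT]


def disable_nat_in_community(rules: List[NatRule], local_encdom: str,
                             remote_encdom: str) -> List[NatRule]:
    """Model of 'Disable NAT inside the VPN community': an implied no-NAT rule
    for each direction between the encryption domains, above all other rules."""
    implied = [
        NatRule(0, local_encdom, remote_encdom, None, "implied: no NAT inside community"),
        NatRule(0, remote_encdom, local_encdom, None, "implied: no NAT inside community"),
    ]
    return implied + rules


if __name__ == "__main__":
    cases = [
        ("as posted", RULEBASE_AS_POSTED),
        ("fixed (no-NAT above 11)", RULEBASE_FIXED),
        ("wrong order", RULEBASE_WRONG_ORDER),
        ("disable NAT in community",
         disable_nat_in_community(RULEBASE_AS_POSTED, VLAN24, REMOTE_ENCDOM)),
    ]
    for name, rulebase in cases:
        for dst in ("192.168.50.7", INTERNET_HOST):
            rid, seen = apply_nat(rulebase, "10.24.0.5", dst)
            print(f"{name:26} -> {dst:15} rule={rid} src_seen={seen} "
                  f"vpn_peer_ok={peer_accepts(seen)}")
```

Running it shows the three outcomes the thread describes: with rule 11 alone, traffic to 192.168.50.7 leaves as 203.0.113.10 and the peer rejects it; with the no-NAT rule above rule 11 (or the implied community rule) it keeps its original source, while traffic to the Internet host still hits rule 11; and with the same two rules in the wrong order the hide NAT wins again, which is why the placement above rule 11 matters.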
4 Replies
BrianD
Participant

Wait, is it this simple? Just check the Disable NAT box?

[screenshot: BrianD_0-1640878004666.png]

the_rock
Champion

Glad we could assist, though it was all @genisis__. What's nice is that you can always uncheck that option you mentioned for NAT inside the VPN community if you don't need it, and also create a no-NAT rule, which is what I always advise customers. That's literally an extra 30 seconds of work and it will ensure 100% that NAT for those networks will not happen.

Happy New Year! :-)

Andy
