genisis__ (Leader)
Found this

"If there is a static NAT with a destination of any, then it will perform the source NAT even when the traffic is going across the VPN, as that will match any.

If the VPN is configured so that both ends expect to see the physical IP of the boxes on the subnets at both ends, then if you NAT the source, the far end will say that shouldn't have been decrypted, as it is not part of what it sees as the encryption domain of the sending gateway.

As the NAT is performed at the gateway, you can send what you like specifying the src IP on the sending host: if that src has a NAT applied then it will apply the NAT, which is exactly what is happening.

Disable NAT inside community applies to ALL NAT, both Hide and Static.

What you are getting is correct behaviour for your configuration, as disabling NAT inside the community creates an implied NAT rule, inserted at the top of the NAT rules, that prevents the static and hide NATs, whether manual or automatic, from taking place.

If you uncheck Disable NAT in the community then the NAT rules will be applied, and the traffic fails to pass correctly as the far end does not receive what it expects to see."

Alternatively, create a NAT rule above rule 11 which is more specific to your needs, for example:

Rule ID: 10

SRC: VLAN24
DST: Remote encryption domain DSTs (I assume you have a group or network object for this)

---

SRC: Original
DST: Original

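The first-match behaviour that both the quoted reply and the rule 10 workaround rely on, as an added illustration that is not part of the original post and not Check Point's code: a small Python simulation of a NAT rulebase evaluated top-down, plus the far end's check that a decrypted packet fits the encryption domains it negotiated. The addresses (VLAN24 as 10.24.0.0/24, a static NAT pool 203.0.113.0/24, a local encryption domain 10.24.0.0/16, a remote encryption domain 192.168.50.0/24), the object names and the rule positions are all assumed for the example.

```python
"""Toy first-match NAT rulebase and VPN peer check.

Added example, not Check Point code. Addresses, object names and rule
positions are assumed for illustration.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

ORIGINAL = "Original"  # "keep the packet's own address" translation

# Assumed objects for the scenario in the post
VLAN24 = "10.24.0.0/24"                # local subnet behind the gateway
VLAN24_STATIC_NAT = "203.0.113.0/24"   # static 1:1 pool for VLAN24
LOCAL_ENC_DOMAIN = "10.24.0.0/16"      # sending gateway's encryption domain (contains VLAN24)
REMOTE_ENC_DOMAIN = "192.168.50.0/24"  # peer gateway's encryption domain


@dataclass(frozen=True)
class NatRule:
    rule_id: str
    orig_src: str   # CIDR or "any"
    orig_dst: str   # CIDR or "any"
    xlate_src: str  # ORIGINAL, a single address (hide) or a CIDR (static 1:1)
    xlate_dst: str


def _matches(obj: str, ip: str) -> bool:
    return obj == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(obj, strict=False)


def _translate(xlate: str, ip: str, orig_obj: str) -> str:
    """ORIGINAL keeps ip; a /32 hides behind it; a wider net maps 1:1 by host offset."""
    if xlate == ORIGINAL:
        return ip
    pool = ipaddress.ip_network(xlate, strict=False)
    if pool.num_addresses == 1 or orig_obj == "any":
        return str(pool.network_address)
    base = ipaddress.ip_network(orig_obj, strict=False).network_address
    offset = int(ipaddress.ip_address(ip)) - int(base)
    return str(pool.network_address + offset)


def apply_nat(rules: List[NatRule], src: str, dst: str) -> Tuple[str, str, Optional[str]]:
    """Evaluate the rulebase top-down; the first matching rule wins, as on the gateway."""
    for r in rules:
        if _matches(r.orig_src, src) and _matches(r.orig_dst, dst):
            return (_translate(r.xlate_src, src, r.orig_src),
                    _translate(r.xlate_dst, dst, r.orig_dst), r.rule_id)
    return src, dst, None


def peer_accepts(src: str, dst: str, sender_domain: str, own_domain: str) -> bool:
    """The far end accepts a decrypted packet only if it fits the negotiated domains."""
    return _matches(sender_domain, src) and _matches(own_domain, dst)


def implied_no_nat_rule(local_domain: str, remote_domain: str) -> NatRule:
    """What the quoted reply says 'Disable NAT inside the VPN community' inserts at the top."""
    return NatRule("implied", local_domain, remote_domain, ORIGINAL, ORIGINAL)


# Rule 11: the static NAT for VLAN24 with destination "any" described in the post
RULE_11 = NatRule("11", VLAN24, "any", VLAN24_STATIC_NAT, ORIGINAL)
# Rule 10: the more specific no-NAT rule suggested above it
RULE_10 = NatRule("10", VLAN24, REMOTE_ENC_DOMAIN, ORIGINAL, ORIGINAL)

RULEBASE_NAT_ONLY = [RULE_11]                 # Disable NAT unchecked, no rule 10
RULEBASE_WITH_RULE_10 = [RULE_10, RULE_11]    # the manual fix from the post
RULEBASE_DISABLE_NAT = [implied_no_nat_rule(LOCAL_ENC_DOMAIN, REMOTE_ENC_DOMAIN), RULE_11]


def vpn_outcome(rules: List[NatRule], src: str, dst: str) -> Tuple[str, Optional[str], bool]:
    """Translated source, the rule that matched, and whether the peer would accept it."""
    new_src, new_dst, rid = apply_nat(rules, src, dst)
    return new_src, rid, peer_accepts(new_src, new_dst, LOCAL_ENC_DOMAIN, REMOTE_ENC_DOMAIN)


if __name__ == "__main__":
    host, vpn_peer, internet = "10.24.0.5", "192.168.50.10", "198.51.100.1"
    for name, rb in [("rule 11 only", RULEBASE_NAT_ONLY),
                     ("rule 10 above 11", RULEBASE_WITH_RULE_10),
                     ("Disable NAT in community", RULEBASE_DISABLE_NAT)]:
        print(name, "-> VPN:", vpn_outcome(rb, host, vpn_peer),
              "| Internet:", apply_nat(rb, host, internet))
```

With rule 11 alone, 10.24.0.5 leaves for the peer as 203.0.113.5 and the far end rejects it; with rule 10 above it (or the implied rule the community setting adds) VPN-bound traffic keeps its original source while Internet-bound traffic still falls through to rule 11 and is translated. The real rulebase also matches on service and install-on, and automatic NAT rules are placed by the gateway, so confirm the actual match in the NAT rule column of the traffic log rather than trusting the simulation.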