Legacy USG - How to setup SNAT in a VPN tunnel

Scenario:

In bigger networks that use VPNs, it can be necessary to mask a source subnet in order to avoid IP-addressing conflicts. This is known as an SNAT setup.
This tutorial shows you how to configure a USG device for such an SNAT setup.


Step by step guide:

In this tutorial we explain how to “mask” your local subnet and avoid subnet overlapping when the same subnet is in use on the remote site of the VPN tunnel. This tutorial requires that you have already set up your IPsec gateway (IPsec Phase 1):


1. Connect your computer directly to one of the LAN ports and log into the web interface with the default IP 192.168.1.1 using the default credentials admin/1234

2. Navigate to Configuration > VPN > IPSec VPN > VPN Connection and add a new VPN Connection using the “Add” button

3. Use the “Create new Object” button to create a new object of the “IPv4 Address” type

4. Create your local subnet object and your remote subnet object
Take care to choose a subnet that does not conflict with any subnet on your site or on the remote site!

5. Select the two subnet objects you created as the “Local policy” and the “Remote policy” of the VPN Connection

6. Scroll to the end of the page and open the "Advance" arrow to configure the “Inbound/Outbound traffic NAT” section (the advanced settings only become visible after pressing "Show Advanced Settings"). Tick the “Source NAT” checkbox, choose your "real" local subnet as the “Source”, the remote subnet as the “Destination” and the “fake” subnet as the “SNAT”

7. Also tick the “Destination NAT” checkbox, click “Add” and choose your “fake” subnet as the “Original IP” and your real local subnet as the “Mapped IP”, then click “OK” to create the VPN connection

8. Navigate to Configuration > Network > Routing > Policy Route and click “Add”

9. Choose your local subnet as the “Source Address”, the remote subnet as the “Destination Address”, under “Next Hop” choose the “Type” “VPN Tunnel” and choose the created VPN connection for “VPN Tunnel” before clicking “OK”

After these settings have been applied, the remote site never sees your real local subnet: it uses your “fake” subnet as the remote policy on its side.

Additionally, if the same real subnet existed on both your site and the remote site, the routing issues caused by the overlap are now avoided.
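To sanity-check the addressing before clicking through the steps above, the following added example (not from the Zyxel article or its firmware) models the two translations the USG performs: the 1:1 Source NAT from the real local subnet to the “fake” subnet on the way out, and the matching Destination NAT back on the way in. All subnets and hosts are constructed sample values; the local subnet 192.168.1.0/24 is chosen to match the default address in step 1 and is deliberately reused as the remote subnet to show the overlap case the article addresses.

```python
from ipaddress import IPv4Address, IPv4Network


def check_snat_plan(local: str, remote: str, fake: str) -> bool:
    """Validate the three subnets from the tutorial.

    Raises ValueError if the "fake" subnet collides with the real local or the
    remote subnet (step 4's warning) or is not the same size as the real local
    subnet (a 1:1 mapping needs equal prefix lengths). Returns True when the real
    local and remote subnets overlap, i.e. when SNAT is required at all.
    """
    loc, rem, fk = (IPv4Network(n, strict=True) for n in (local, remote, fake))
    if fk.overlaps(loc) or fk.overlaps(rem):
        raise ValueError(f"fake subnet {fk} overlaps local {loc} or remote {rem}")
    if fk.prefixlen != loc.prefixlen:
        raise ValueError("fake subnet must be the same size as the real local subnet")
    return loc.overlaps(rem)


def translate(addr: str, src_net: str, dst_net: str) -> str:
    """Map addr from src_net onto dst_net, keeping the host part unchanged."""
    ip, s, d = IPv4Address(addr), IPv4Network(src_net), IPv4Network(dst_net)
    if ip not in s:
        raise ValueError(f"{ip} is not inside {s}")
    offset = int(ip) - int(s.network_address)
    return str(IPv4Address(int(d.network_address) + offset))


def snat_outbound(src_ip: str, local: str, fake: str) -> str:
    """Source NAT (step 6): real local host -> its "fake" address seen by the peer."""
    return translate(src_ip, local, fake)


def dnat_inbound(dst_ip: str, fake: str, local: str) -> str:
    """Destination NAT (step 7): "fake" address used by the peer -> real local host."""
    return translate(dst_ip, fake, local)


if __name__ == "__main__":
    # Constructed sample plan: identical subnets on both sites, masked by 10.10.10.0/24.
    LOCAL, REMOTE, FAKE = "192.168.1.0/24", "192.168.1.0/24", "10.10.10.0/24"
    print("SNAT required:", check_snat_plan(LOCAL, REMOTE, FAKE))
    out = snat_outbound("192.168.1.50", LOCAL, FAKE)
    print("peer sees host as", out, "and reaches it back at", dnat_inbound(out, FAKE, LOCAL))
```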


KB-00026
