Knowledge Base

How to configure SNAT for Site-to-Site IPsec VPN?

Scenario

We need to use Source NAT in the VPN because the remote site only permits traffic from the IP 172.18.200.15/32, which is the "Fake Network" of the network 192.168.1.0/24. How do we configure Source NAT and Destination NAT on both sites?

Step

A site-to-site VPN is configured between a USG40 and a USG60.
The original LAN subnet of USG40 is 192.168.1.0/24 and the fake network is 172.18.200.15/32.
The original LAN subnet of USG60 is 192.168.10.0/24 and the fake network is 172.18.200.14/32.
 
Configurations on USG40
 
The original IP and mapped IP in the DNAT setting cannot be a subnet.
You should set the IPs one by one.
For example:
vpn_ip_local: 172.18.200.15
test_PC in USG40: 192.168.1.33
 
Policy route
 
Configurations on USG60
 
The original IP and mapped IP in the DNAT setting cannot be a subnet.
You should set the IPs one by one.
For example:
vpn_ip_local: 172.18.200.14
test_PC in USG60: 192.168.10.33
 
Policy route

 

Verification

1. On the test PC 192.168.1.33 behind the USG40, ping 172.18.200.14.
2. On the USG60 (remote site), capture packets on lan1.
It receives the request from 172.18.200.15, not 192.168.1.33 => Success!
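
The translation that this verification checks, modelled in Python as an added example (not Zyxel code or device configuration). The Site class and the function names are hypothetical, and it assumes the policy route SNATs the whole LAN subnet to the fake IP; replies handled by connection state are not modelled.

```python
import ipaddress
from dataclasses import dataclass

ip = ipaddress.ip_address

@dataclass(frozen=True)
class Site:  # hypothetical model of one gateway, values taken from the article
    name: str
    lan: ipaddress.IPv4Network        # original LAN subnet
    fake_ip: ipaddress.IPv4Address    # vpn_ip_local, the /32 "fake network"
    dnat_host: ipaddress.IPv4Address  # test_PC the fake IP is mapped to

    def snat_out(self, src, dst):
        """Policy route toward the tunnel: LAN sources leave as the fake IP."""
        if src in self.lan:
            src = self.fake_ip
        return src, dst

    def dnat_in(self, src, dst):
        """One-to-one DNAT on tunnel traffic: fake IP -> a single host."""
        if dst == self.fake_ip:
            dst = self.dnat_host
        return src, dst

USG40 = Site("USG40", ipaddress.ip_network("192.168.1.0/24"),
             ip("172.18.200.15"), ip("192.168.1.33"))
USG60 = Site("USG60", ipaddress.ip_network("192.168.10.0/24"),
             ip("172.18.200.14"), ip("192.168.10.33"))

def send(local, remote, src, dst):
    """Return (packet inside the tunnel, packet seen on the remote lan1)."""
    in_tunnel = local.snat_out(ip(src), ip(dst))
    on_lan1 = remote.dnat_in(*in_tunnel)
    return in_tunnel, on_lan1

def leaks(packet):
    """True if a tunnel packet still carries an original LAN address."""
    return any(addr in site.lan for addr in packet for site in (USG40, USG60))

if __name__ == "__main__":
    # The ping from the verification step: 192.168.1.33 -> 172.18.200.14
    tunnel, lan1 = send(USG40, USG60, "192.168.1.33", "172.18.200.14")
    print("in tunnel :", *tunnel)
    print("USG60 lan1:", *lan1)
    print("original LAN address exposed:", leaks(tunnel))
```

A capture on the remote lan1 that shows 192.168.1.33 as the source corresponds to leaks() returning True: the SNAT policy route did not match, and the remote site would drop the traffic.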




Question Profile

ARTICLE ID: 018100
TYPE: Application / Configuration Example
FIRMWARE: 4.62 and later versions
MODEL: VPN100, VPN1000, VPN300
