8904 questions

10557 answers

16569 comments

15945 members

0 votes
2,120 views 6 comments
by

Goodmorning,

we need to configure an IPSec VPN between our network and a RUT955.

We need to use SNAT because of the remote gateway(RUT955) must have IP Address 192.168.11.90 and corresponding subnet must be 192.168.5.0.

We configure SNAT as below but we can’t reach remote hosts on 192.168.5.0 subnet. We can’t understand which IP we have to insert in ‘SNAT IP address’ field

Please, could you help us to fix this issues?

Many thanks

 

3 Answers

0 votes
by

Hello,

Could you draw and share simply topology scheme with IP address of your solution?

Also, could you elaborate on "we can't reach remote host on 192.168.5.0"? From what device you are trying to reach "192.168.5.0"?

by

 "we can't reach remote host on 192.168.5.0"? :  we tried to ping remote host (192.168.5.110) but it doesn't response .

how can we configurate SNAT?

THANKS.

by

Hello,

Thank you for the topology scheme.

Are you certain that you indeed to you SNAT in this particular solution? (i.e. maybe you have used any other device in same solution before and SNAT was the way you have achieved the connectivity?)

If answer to above question is "No", then you should be able to accomplish everything just with "Static routes". I.e.:

 - on your Cisco ASA 5515 you would have to configure static route, so that "192.168.5.0/24" would be reachable via your RUT955 router (via IPsec), and

 - on your RUT955 you would have to specify that 192.168.1.0/24 is reachable via this IPsec tunnel. That can be done from "Network -> VPN -> IPsec" menu's "Remote IP address/Subnet mask" field, by entering"192.168.1.0/24" value.

That should be enough so that your 192.168.1.0 and 192.168.5.0 network could communicate with each other. (If configuring static routes would not be enough, then more in-depth debugging is necessary to determine why devices cannot communicate with each other. You could start to do that by launching wire shark/tcp dump logs on both routers and investigate where individual packets go from each router.)

0 votes
by
Hey,

Which subnet do you advertise to the ASA via IPsec?
by
I'm not sure i understand good

the subnet we want to make reachable to asa is 192.168.5.0 as in draw.
by
Ok cool.  Do you have IPSec tunnel "up" between RUT and ASA? If yes, what is the local IP address of RUT (the local subnet you advertise to ASA so it can reach it via IPSec)?
by
Yes i have the tunnel up.

the local ip adress of RUT is 192.168.11.90( subnet 192.168.5.0).
by

I need more details, e.g RUT IP address 192.168.11.90 and subnet mask, one of the servers IP address (for instance 192.168.5.110 and subnet mask). 

0 votes
by

Hi,

You have three devices:

Device 1: CISCO ASA 5515 (192.168.1.0/24)
Device 2: RUT955 (192.168.11.0/24)
Device 3: unknown device (192.168.5.0/24)

In order to ping 192.168.5.0/24 from 192.168.1.0/24, you need to add:

  • an additional remote network on Device 1 (CISCO) IPsec config:
    • 192.168.5.0/24
    • 192.168.11.0/24
  • an additional local network on Device 2 (RUT955) IPsec config:
    • 192.168.5.0/24
    • 192.168.11.0/24

In order for 192.168.1.0/24 to ping 192.168.5.0/24 you need a route to 192.168.5.0/24 from 192.168.11.0/24. Login to the router's WebUI and go to the Network → Routing → Static Routes section and add a route to:

  • Table: MAIN
  • Destination: 192.168.5.0/24
  • Netmask: 255.255.255.0
  • Gateway: Device 3 IP address

Finally, you need to add a firewall rule to the FORWARD chain of Device 3 in order to be able to ping the network behind it. Unfortunately, I don't know how to configure firewall rules on Device 3 (CISCO?). But the basic idea is that you need to allow traffic on Device 3 FORWARD chain that is:

  • originating from 192.168.1.0/24
  • destined to 192.168.5.0/24

An iptables analogue would look like this:

iptables -I FORWARD -i eth1 -s 192.168.11.0/24 -d 192.168.5.0/24 -j ACCEPT

To reach 192.168.5.0/24 from 192.168.11.0/24 (RUT955), create an identical rule, but swap 192.168.1.0/24 with 192.168.11.0/24.