FOR TIPS, gUIDES & TUTORIALS

subscribe to our Youtube

GO TO YOUTUBE

14455 questions

17168 answers

28195 comments

0 members

We are migrating to our new platform at https://community.teltonika.lt. Moving forward, you can continue discussions on this new platform. This current platform will be temporarily maintained for reference purposes.
0 votes
827 views 8 comments
by anonymous
I have a RUTX11 and i need to configured a NAT 1:1 Form my a host in my IPSec VPN to a local IP in my LAN. Here an Example about what i need:

-IPsec Ip Host  192.168.105.105 on a Network 192.168.105.0/24

-Router LAN 10.10.10.0 /24

- Nat 1:1 to Masquered the IPsec ip host 192.168.105.105 to an ip on my Router LAN 10.10.10.25.

When the Host on the VPN access to the LAN all the conextions and requests shows with the Nat IP translated.

1 Answer

+1 vote
by anonymous

Hello, this is Martín, Tech Support Engineer for Teltonika Networks.

We have a Wiki article which explains how to make a NAT 1-to-1 on Teltonika devices, which can be useful for this case.

https://wiki.teltonika-networks.com/view/RUTX_1-to-1_NAT

Best regards.

by anonymous

Tank you for the asnwer Martin, 

Following the article, the configuration on the firewall custom rule based on the before example, what i need to do is the next one: 

iptables -t nat -I PREROUTING -d 10.10.10.25 -j DNAT --to-destination 192.168.105.10
iptables -t nat -I POSTROUTING -s 192.168.105.10 -j SNAT --to-source 10.10.10.25
by anonymous
I just neet to translated my IP from a IPSec VPN to an IP from my LAN, when the host request a service o try to stablish a conecction the other devices in the lan, identify the host with a IP in the same network.
by anonymous
Hello, can you please provide a diagram which displays how the connection should be made?
by anonymous

Hello, here you can see the topology and the final objective, When the remote host request a service o try to stablish a conecction the other devices in the lan, identify the host with a  new IP in the same network. As you can see in the next diagram:

RUTX11 IPSEC VPN NAT 1:1 TO LAN

by anonymous
Hello.

The 1-to-1 NAT functionality allows mapping a router's external address to an internal address, however, one of the IP addresses has to belong to the Router itself. In this case, I see you are trying to map the address 192.168.105.105, which is not an address for the router, to the 10.10.10.25 address in the LAN, which is not an address from the Router either.

I see you are using IPSec, so in that case it is a good idea to set up IKEv2 in both ends in order to have more than one local or remote subnet, so you can declare your VPN network in your remote end as a local subnet, and put the VPN network as a remote network on your IPSec configuration in the RUTX11. This should allow connectivity in both ways, in turn, allowing your LAN devices to connect to the .105 device in the VPN.

I remain attentive to any further comments.

Best regards.
by anonymous

Thank you Martin for your answers, 

I alredy configured the Ipsec VPN on the RUTX11 and i have connection between both sites.  But i want to show another scenario with the same netwotk topology:

In my LAN, i have an device with an whitelist ip, only with the ip in the same network, in this case in the netwotk 10.10.10.0/24. And with my VPN IPsec connection, if i request for a service to the device or try to stablish connection, this will block it, because of the white list. That is the reason because of i want to configure the nat 1:1 to target the VPN host ip and masquered in a new LAN IP, with connetivity in both ways, with the new IP.

  

by anonymous

Hello,

In this case as I have mentioned, the NAT 1-to-1 can only be made to IP addresses which belong to the Router. As such, the LAN Gateway IP address of the Router itself can be used to make a NAT 1-to-1 to the IP host, however, your LAN devices might experience unpredictable behavior as all of the traffic directed to it will be forwarded to the IP host on the internet.

Another solution that would allow correct connectivity between your IP Host on the internet and the LAN behind your RUTX11 would be to use L2TP over IPSec in order to allow a remote host to join the same IP range as the RUTX11 LAN devices.

I have linked an article which describes this scenario, which might be useful in this case.

Best regards.

by anonymous
Hello Martin,

Thank for your answer. I am going to check this article to find a solution about this topic.

Regards.