Use different src-address (subnet) for IPsec policy

OriiOn · Thu Mar 31, 2022 9:13 pm

I need to set up a new VPN with a partner (using a Cisco ASA), and they say the network endpoint I want to use 192.168.2.0/24 is already in use. They ask me to use a different network like 192.168.22.0/24, or maybe even only a single address 192.168.22.20/32. How would I do that?

Sob · Thu Mar 31, 2022 9:37 pm

a) Renumber your network and everything in it
b) NAT is your friend:

/ip firewall nat
add chain=dstnat src-address=<remote subnet> dst-address=192.168.22.0/24 action=netmap to-addresses=192.168.2.0/24
add chain=srcnat src-address=192.168.2.0/24 dst-address=<remote subnet> action=netmap to-addresses=192.168.22.0/24

mjch · Wed Apr 06, 2022 6:57 am

... ok, I've been struggling with this exact issue for the last month or so ... I guess I wasn't expecting to need a _second_ nat rule to do the reverse.

I do have one final question though - which network block needs to be on my local end of the IPSec policy? using the example CIDRs here, would I want the non-NAT block (192.168.2.0/24) or the NAT block (192.168.22.0/24)? I'm assuming we want the policy to match traffic after the NAT rule has taken effect, so the policy should match 192.168.22.0/24 source addresses?

UPDATE - yes, this worked, I now have a functional IPSec tunnel with a policy for 192.168.22.0/24 and NATted traffic traversing it

Use different src-address (subnet) for IPsec policy [SOLVED]

Use different src-address (subnet) for IPsec policy

Re: Use different src-address (subnet) for IPsec policy [SOLVED]

Re: Use different src-address (subnet) for IPsec policy

Who is online