
Network Security: NAT in IPsec

The document discusses how to integrate Network Address Translation (NAT) into IPsec VPN tunnels to interconnect networks with overlapping address ranges or to hide an internal address range. It provides configuration examples for firewalls on both sides of the VPN tunnel, including VPN policies, NAT policies, and filter policies.

TECHNICAL NOTE

STORMSHIELD NETWORK SECURITY

INTEGRATING NAT INTO IPSEC

Product concerned: SNS 1.x, SNS 2.x, SNS 3.x, SNS 4.x
Document last updated: December 9, 2019
Reference: sns-en-integrating_NAT_into_IPSEC_technical_note
SNS - TECHNICAL NOTE
INTEGRATING NAT INTO IPSEC

Table of contents
Getting Started 3
Interconnecting networks with overlapping address ranges 4
Configuring firewall A 4
VPN policy 4
NAT policy 5
Filter policy 5
Configuring firewall B 5
VPN policy 5
NAT policy 5
Filter policy 5
Hiding an address range 6
Configuring firewall A 6
VPN policy 6
NAT policy 6
Filter policy 6
Configuring firewall B 7
VPN policy 7
Filter policy 7
Further reading 8

Page 2/9 sns-en-integrating_NAT_into_IPSEC_technical_note - 12/09/2019



Getting Started
SNS firewalls allow Network Address Translation (NAT) to be applied on incoming and outgoing
traffic in IPsec VPN tunnels.
The NAT feature in IPsec VPN may come in useful in several situations:
• Interconnecting networks with overlapping address ranges. For more information, please refer to the section Interconnecting networks with overlapping address ranges.
• When you wish to hide the real address range of your LAN. For more information, please refer to the section Hiding an address range.


Interconnecting networks with overlapping address ranges
In this case, neither of the private networks can use their real IP addresses through the tunnel
as the peers would assume that they belong to the same network and would therefore attempt
to contact each other directly on this local network instead of going through the IPsec tunnel.
The strategy to adopt would therefore be to:
• Hide the real IP addresses of the hosts on Network A from the hosts on Network B and vice versa,
• Indicate to the hosts on Network A that Network B uses a different address range,
• Restore the real destinations when leaving the tunnel in order to transport packets to the real IP addresses of the hosts on both networks.


This would require modifying the source IP address before sending the packets through the
IPsec tunnel, and restoring the real destination IP address in the packets coming from the
tunnel on both of the sites to be linked.

In this example, Net-A-Real and Net-B-Real are in the same address range.
We have defined as follows:
• Net-A-Virt to represent Network A as Network B will see it,
• Net-B-Virt to represent Network B as Network A will see it.

The IPsec policy will only know the “virtual” IP address ranges (-virt), as source addresses
would have been translated before going into the IPsec tunnel (before encryption) and
destination addresses would be translated after having gone through the tunnel (after
decryption of the packet that came from the tunnel).

Configuring firewall A

VPN policy

To correspond to the IPsec policy, traffic has to come from the virtual network A Net-A-Virt and
contact the virtual network B Net-B-Virt.
Ensure that the virtual and real networks have the same sub-network mask.


NAT policy

• Rule 1 allows translating traffic from real network A Net-A-Real to virtual network A Net-A-Virt before the IPsec module (Options column).
• Rule 2 allows redirecting packets going to virtual network A Net-A-Virt to internal real network A Net-A-Real.

Filter policy

Configuring firewall B

VPN policy

To correspond to the IPsec policy, traffic has to come from the virtual network B Net-B-Virt and
contact the virtual network A Net-A-Virt.

NAT policy

• Rule 1 allows translating traffic from real network B Net-B-Real to virtual network B Net-B-Virt before the IPsec module (Options column).
• Rule 2 allows redirecting packets going to virtual network B Net-B-Virt to internal real network B Net-B-Real.
Ensure that virtual and real networks have the same sub-network mask.

Filter policy


Hiding an address range


An internal address range may sometimes need to be masked, simply for security reasons or
out of necessity when this address range is used on another network known by the remote site
and with which you would like to communicate through the IPsec tunnel.
The configuration is similar to the one in the previous example, except for the fact that only one
of the networks needs to be masked from the other.

In this example, Net-A-Real located behind Firewall A will appear as Net-A-Virt to site B.

Configuring firewall A

VPN policy

To correspond to the IPsec policy, traffic has to come from the virtual network A Net-A-Virt and
contact the real network B Net-B-Real.

NAT policy

• Rule 1 allows translating traffic from real network A Net-A-Real to virtual network A Net-A-Virt before the IPsec module (Options column).
• Rule 2 allows redirecting packets going to virtual network A Net-A-Virt to internal real network A Net-A-Real.
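The two NAT rules per firewall, and the fact that the IPsec policy only ever sees the "virtual" ranges, are easier to reason about as a packet pipeline. The following Python model is an added example (not Stormshield code, not taken from this note) covering both scenarios: the overlapping-ranges case, where both firewalls translate, and the hiding case, where firewall B's virtual range is simply its real range. All addresses (192.168.1.0/24, 10.1.0.0/24, 10.2.0.0/24, 172.16.5.0/24) are constructed for the example. Rule 1 is applied to the source before the IPsec module, Rule 2 to the destination after decryption, and the 1:1 translation enforces the note's requirement that virtual and real networks share the same mask.

```python
"""Model of the NAT-into-IPsec packet flow described in this note (added example)."""
import ipaddress
from dataclasses import dataclass

IPv4 = ipaddress.IPv4Address
Net = ipaddress.IPv4Network


@dataclass(frozen=True)
class Packet:
    src: IPv4
    dst: IPv4


def translate(addr: IPv4, from_net: Net, to_net: Net) -> IPv4:
    """1:1 network translation: keep the host part, replace the network part.

    Both networks must have the same mask (the note's requirement); otherwise
    host bits would be lost or land outside the target network.
    """
    if from_net.prefixlen != to_net.prefixlen:
        raise ValueError("virtual and real networks must share the same mask")
    if addr not in from_net:
        raise ValueError(f"{addr} is not in {from_net}")
    host_part = int(addr) - int(from_net.network_address)
    return to_net.network_address + host_part


class Firewall:
    """One firewall: Real/Virt pair for its own LAN and the peer's Virt range."""

    def __init__(self, real: Net, virt: Net, peer_virt: Net) -> None:
        self.real, self.virt, self.peer_virt = real, virt, peer_virt

    def _ipsec_selector_ok(self, local: IPv4, remote: IPv4) -> bool:
        # The VPN policy only knows the virtual ranges on either end.
        return local in self.virt and remote in self.peer_virt

    def send_to_tunnel(self, pkt: Packet) -> Packet:
        """Rule 1 (before the IPsec module): source Real -> Virt, then match the VPN policy."""
        translated = Packet(translate(pkt.src, self.real, self.virt), pkt.dst)
        if not self._ipsec_selector_ok(translated.src, translated.dst):
            raise ValueError(f"{translated} does not match the IPsec policy")
        return translated  # this is what gets encrypted (encryption not modelled)

    def receive_from_tunnel(self, pkt: Packet) -> Packet:
        """After decryption: match the VPN policy, then Rule 2: destination Virt -> Real."""
        if not self._ipsec_selector_ok(pkt.dst, pkt.src):
            raise ValueError(f"{pkt} does not match the IPsec policy")
        return Packet(pkt.src, translate(pkt.dst, self.virt, self.real))


def host_would_route_locally(host_net: Net, dst: IPv4) -> bool:
    """A host treats a destination inside its own subnet as on-link (ARP) rather than
    sending it to the gateway; this is why overlapping real ranges cannot cross the tunnel."""
    return dst in host_net


def end_to_end(sender: Firewall, receiver: Firewall, pkt: Packet):
    """Return (packet as seen inside the tunnel, packet delivered on the remote LAN)."""
    on_wire = sender.send_to_tunnel(pkt)
    return on_wire, receiver.receive_from_tunnel(on_wire)


# Constructed addresses (not from the note): both sites really use 192.168.1.0/24.
NET_A_REAL = Net("192.168.1.0/24")
NET_B_REAL = Net("192.168.1.0/24")
NET_A_VIRT = Net("10.1.0.0/24")   # Network A as site B sees it
NET_B_VIRT = Net("10.2.0.0/24")   # Network B as site A sees it


def demo_overlapping():
    """Scenario 1: both ranges overlap, both firewalls translate."""
    fw_a = Firewall(NET_A_REAL, NET_A_VIRT, peer_virt=NET_B_VIRT)
    fw_b = Firewall(NET_B_REAL, NET_B_VIRT, peer_virt=NET_A_VIRT)
    # Host .10 at site A addresses host .20 at site B through B's virtual range.
    request = Packet(IPv4("192.168.1.10"), IPv4("10.2.0.20"))
    on_wire, delivered = end_to_end(fw_a, fw_b, request)
    # The reply takes the same path with the roles swapped.
    reply = Packet(delivered.dst, delivered.src)
    _, reply_delivered = end_to_end(fw_b, fw_a, reply)
    return on_wire, delivered, reply_delivered


def demo_hiding():
    """Scenario 2: only site A hides its range; site B uses real addresses (Virt == Real)."""
    net_b = Net("172.16.5.0/24")  # constructed
    fw_a = Firewall(NET_A_REAL, NET_A_VIRT, peer_virt=net_b)
    fw_b = Firewall(net_b, net_b, peer_virt=NET_A_VIRT)  # identity translation on B
    request = Packet(IPv4("192.168.1.10"), IPv4("172.16.5.20"))
    return end_to_end(fw_a, fw_b, request)


if __name__ == "__main__":
    print(host_would_route_locally(NET_A_REAL, IPv4("192.168.1.20")))  # never leaves the LAN
    print(host_would_route_locally(NET_A_REAL, IPv4("10.2.0.20")))     # goes to the gateway
    print(*demo_overlapping(), sep="\n")
    print(*demo_hiding(), sep="\n")
```

The model makes two points visible: inside the tunnel only virtual addresses appear, so the VPN selectors on both sides are written in terms of Net-A-Virt and Net-B-Virt; and a host on Net-A-Real given the real address of a host on Net-B-Real would never send the packet to the firewall, which is why the hosts must address the remote virtual range.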

Filter policy


Configuring firewall B

VPN policy

Filter policy

During tests, contact hosts belonging to the remote network instead of the internal interfaces of
the remote firewall.


Further reading
Stormshield Knowledge Base
Additional information and answers to questions you may have about NAT in IPsec are available in the Stormshield knowledge base (authentication required).


documentation@stormshield.eu

All images in this document are for representational purposes only, actual products may differ.
Copyright © Stormshield 2023. All rights reserved. All other company and product names
contained in this document are trademarks or registered trademarks of their respective
companies.
