Setting Up Vyatta VPN with Policy NAT
The following information directs you in configuring traffic sourced from
two of your cloud servers so that, across the VPN tunnel only, it appears
to the remote site to come from a different, translated address (policy NAT).
- Cloud Server 1 Cloud Networks IP: 172.26.26.2
- Cloud Server 2 Cloud Networks IP: 172.26.26.3
In this scenario the two servers are to appear to the remote site as
addresses in 10.255.255.0/24. We present two alternative solutions. In the
first, we map only the two specific /32 addresses in the policy NAT. In
the second, we policy NAT the entire /24 subnet to another /24 subnet.
Scenario Notes
Note: This assumes that the cloud servers have their default gateways
pointed at the Vyatta (much the same way a cloud server is "rack
connected" to an ASA or an F5). If you want to keep using your cloud
servers' public interface for Internet access and the Cloud Networks
interface for VPN traffic only, your server admin will need to add a
static route on each cloud server for the remote VPN encryption domain
(here 192.168.19.0/24) that points at the Vyatta's Cloud Networks IP
address (172.26.26.1).
Vyatta's documentation calls static (one-to-one) NAT "bidirectional NAT";
it is configured as a source NAT rule paired with a matching destination
NAT rule. Keep this in mind when searching Vyatta's documentation.
Topology
Local Vyatta Firewall
| Interface | IP Address | Description |
|---|---|---|
| eth0 | 166.78.184.111/24 | public |
| eth1 | 172.26.26.1/24 | INSIDE-172.26.26.0/24 |
Remote Cisco ASA Firewall
| Interface | IP Address | Description |
|---|---|---|
| eth 0/0 | 192.0.2.10/28 | outside |
| eth 0/1 | 192.168.10.1/24 | INSIDE-192.168.10.0/24 |
| eth 0/2 | 192.168.19.1/24 | DMZ-192.168.19.0/24 |
VPN Details
Encryption Domains
| Local VPN Encryption Domain | Remote VPN Encryption Domain |
|---|---|
| INSIDE-172.26.26.0/24 | DMZ-192.168.19.0/24 |
ISAKMP and IPSEC Settings
| Phase 1 Settings | Phase 2 Settings |
|---|---|
| AES-256 | AES-256 |
| SHA1 | SHA1 |
| Group 5 | PFS Group 5 |
| 86400 seconds | 3600 seconds |
VPN Configuration
Enable the VPN daemon on the outside interface
# Enable the VPN daemon on the eth0 interface
Phase 1: Define the Policies
# Phase 1 settings: AES-256, SHA1, Group 5, lifetime 86400
Phase 2: Define the ESP-GROUP (like an ASA transform set)
# Phase 2 settings: AES-256, SHA1, PFS Group 5, lifetime 3600
Phase 2: Define the Individual Peer Attributes
set vpn ipsec site-to-site peer 192.0.2.10 description "VPN TO TANGO LAB ASA-5510"
Phase 2: Define the Tunnel Attributes (Encryption Domains)
# Tunnel 1: local Cloud Networks (Inside) to remote DMZ
# Tunnel 2: local Cloud Networks (Inside) to remote INSIDE
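The full Vyatta CLI for the steps above, as an added example rather than the article's own listing. It uses Vyatta 6.x keywords; the group names IKE-ASA and ESP-ASA and the <PRE-SHARED-KEY> placeholder are assumptions, and later releases (VyOS) renamed some keywords (`local-ip` became `local-address`, `tunnel N local subnet` became `local prefix`), so check against your release. One point the summary tables do not make explicit: the Vyatta applies NAT before the IPsec policy lookup, so the tunnel's local subnet must be the translated network 10.255.255.0/24 that the remote site sees, not 172.26.26.0/24, and the ASA's crypto ACL must use the same pair.

```vyatta
# Added example (not the article's listing). Vyatta 6.x syntax; IKE-ASA, ESP-ASA
# and <PRE-SHARED-KEY> are placeholders chosen for this example.

# Enable the VPN daemon on the eth0 (public) interface
set vpn ipsec ipsec-interfaces interface eth0

# Phase 1: AES-256, SHA1, DH group 5, lifetime 86400 seconds
set vpn ipsec ike-group IKE-ASA proposal 1 encryption aes256
set vpn ipsec ike-group IKE-ASA proposal 1 hash sha1
set vpn ipsec ike-group IKE-ASA proposal 1 dh-group 5
set vpn ipsec ike-group IKE-ASA lifetime 86400

# Phase 2 ESP group (the ASA transform set): AES-256, SHA1, PFS group 5, lifetime 3600 seconds
set vpn ipsec esp-group ESP-ASA proposal 1 encryption aes256
set vpn ipsec esp-group ESP-ASA proposal 1 hash sha1
set vpn ipsec esp-group ESP-ASA pfs dh-group5
set vpn ipsec esp-group ESP-ASA lifetime 3600
set vpn ipsec esp-group ESP-ASA mode tunnel

# Peer attributes for the remote ASA
set vpn ipsec site-to-site peer 192.0.2.10 description "VPN TO TANGO LAB ASA-5510"
set vpn ipsec site-to-site peer 192.0.2.10 authentication mode pre-shared-secret
set vpn ipsec site-to-site peer 192.0.2.10 authentication pre-shared-secret <PRE-SHARED-KEY>
set vpn ipsec site-to-site peer 192.0.2.10 ike-group IKE-ASA
set vpn ipsec site-to-site peer 192.0.2.10 default-esp-group ESP-ASA
set vpn ipsec site-to-site peer 192.0.2.10 local-ip 166.78.184.111

# Tunnel 1: local Cloud Networks to remote DMZ. The local subnet is the
# NAT-translated 10.255.255.0/24, because NAT runs before the IPsec policy match.
set vpn ipsec site-to-site peer 192.0.2.10 tunnel 1 local subnet 10.255.255.0/24
set vpn ipsec site-to-site peer 192.0.2.10 tunnel 1 remote subnet 192.168.19.0/24

# Tunnel 2: same local network to remote INSIDE (only if the ASA side defines it too)
set vpn ipsec site-to-site peer 192.0.2.10 tunnel 2 local subnet 10.255.255.0/24
set vpn ipsec site-to-site peer 192.0.2.10 tunnel 2 remote subnet 192.168.10.0/24

commit
save

# Verify Phase 1 and Phase 2 came up
show vpn ike sa
show vpn ipsec sa
```

If `show vpn ipsec sa` shows no SA for a tunnel while `show vpn ike sa` is up, the Phase 2 selectors are the first thing to compare with the ASA's crypto ACL: the ASA must list 10.255.255.0/24 as the remote network, not 172.26.26.0/24.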
Solution 1: Policy NAT Configuration With Individual Addresses
VPN NAT
NAT traffic bidirectionally, mapping 172.26.26.2 <--> 10.255.255.202 and 172.26.26.3 <--> 10.255.255.203
# Rule 10 - NAT 172.26.26.2 <--> 10.255.255.202 when traffic is destined for the remote VPN encryption domain
# Rule 20 - NAT 172.26.26.3 <--> 10.255.255.203 when traffic is destined for the remote VPN encryption domain
# Rule 50 - PAT all other traffic from 172.26.26.0/24 as the outside interface's IP address (outside PAT overload)
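The per-host policy NAT rules, as an added example rather than the article's own listing. Vyatta's "bidirectional NAT" is a source rule (applied outbound, before encryption) paired with a destination rule (applied inbound, after decryption), so each server needs two rules; the rule numbers 10/11 and 20/21 are this example's choice. The rules match on the remote DMZ subnet 192.168.19.0/24; if tunnel 2 to 192.168.10.0/24 is used, add an identical pair for that destination. The `exclude` rule is an assumption about your release (it exists in Vyatta 6.5 and VyOS) and can be dropped if the keyword is not accepted.

```vyatta
# Added example (not the article's listing). Vyatta 6.x syntax; rule numbers
# 10/11, 20/21, 40 and 50 were chosen for this example.

# Rules 10/11: 172.26.26.2 <--> 10.255.255.202, only for traffic to/from the remote DMZ
set service nat rule 10 type source
set service nat rule 10 outbound-interface eth0
set service nat rule 10 source address 172.26.26.2
set service nat rule 10 destination address 192.168.19.0/24
set service nat rule 10 translation address 10.255.255.202

set service nat rule 11 type destination
set service nat rule 11 inbound-interface eth0
set service nat rule 11 source address 192.168.19.0/24
set service nat rule 11 destination address 10.255.255.202
set service nat rule 11 translation address 172.26.26.2

# Rules 20/21: 172.26.26.3 <--> 10.255.255.203
set service nat rule 20 type source
set service nat rule 20 outbound-interface eth0
set service nat rule 20 source address 172.26.26.3
set service nat rule 20 destination address 192.168.19.0/24
set service nat rule 20 translation address 10.255.255.203

set service nat rule 21 type destination
set service nat rule 21 inbound-interface eth0
set service nat rule 21 source address 192.168.19.0/24
set service nat rule 21 destination address 10.255.255.203
set service nat rule 21 translation address 172.26.26.3

# Rule 40 (assumes the 'exclude' keyword): keep any other inside host that talks to
# the remote DMZ out of the overload PAT below, so it is never sent as the public IP
# in the clear instead of matching the tunnel selectors.
set service nat rule 40 type source
set service nat rule 40 outbound-interface eth0
set service nat rule 40 source address 172.26.26.0/24
set service nat rule 40 destination address 192.168.19.0/24
set service nat rule 40 exclude

# Rule 50: PAT all other traffic from 172.26.26.0/24 as the eth0 address (overload)
set service nat rule 50 type masquerade
set service nat rule 50 outbound-interface eth0
set service nat rule 50 source address 172.26.26.0/24

commit
save

# Verify rule order and that the policy rules are hit when a server reaches the DMZ
show nat rules
show nat statistics
```

NAT rules are evaluated lowest number first and the first match wins, so the policy rules must keep lower numbers than the masquerade rule; if rule 50 were renumbered below them, every packet to the DMZ would be PATed to 166.78.184.111 and never match the tunnel.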
Solution 2: Policy NAT Subnet to Subnet
VPN NAT
NAT traffic bidirectionally, mapping the entire subnets 172.26.26.0/24 <--> 10.255.255.0/24
# Rule 10 - NAT 172.26.26.0/24 <--> 10.255.255.0/24 when traffic is destined for the remote VPN encryption domain
# Rule 50 - PAT all other traffic from 172.26.26.0/24 as the outside interface's IP address (outside PAT overload)