Emerging Member
Posts: 90
Registered: ‎11-14-2013
Kudos: 38
Solutions: 1

NAT both ways

I am working on a project where I need to NAT traffic from a customers network into my own over a VPN. This would not be a hard task normally, and I started by masquerading traffic over a GRE tunnel. However, the application they access has to make an active connection back to the client PC in order to display additional information in a separate window. I started by changing my masquerade to a source nat with a range of IPs, so each client NATs from a unique IP address. However, this still has not solved my issue. I believe that my issue is the new traffic has a unique IP to connect back to, but it is not related traffic so my edgerouter does not know what to do with it. I do not know ahead of time the IP addresses of the clients, so I would really prefer to do this as dynamically as possible. The pertinent rule:

rule 5050 {
    description "NAT to XXXX"
    destination {
        address 8.8.8.8
    }
    outbound-interface tun0254
    outside-address {
        address 10.248.0.11-10.248.0.63
    }
    source {
        address 10.0.0.0/8
    }
    type source
}

I altered the destination IP address, but in the example 8.8.8.8 will try to connect back to the IP that is connected to it with new traffic on port 5000.

Any ideas?

Ubiquiti Employee
Posts: 2,991
Registered: ‎02-04-2013
Kudos: 354
Solutions: 289

Re: NAT both ways


You need a DNAT rule, something like -

rule 2 {
    destination {
        port 5000
    }
    inbound-interface tun0254
    inside-address {
        address ?
    }
    source {
        address 8.8.8.8
    }
    type destination
}

Previous Employee
Posts: 13,551
Registered: ‎06-10-2011
Kudos: 5480
Solutions: 1656
Contributions: 2

Re: NAT both ways

Could you elaborate on the "8.8.8.8" part, do you mean the clients will all be public IP addresses? If they are actually private IPs (since this is over VPN) and you know the range, it may be possible to set up "1-to-1" rules so that each IP in the range maps to a specific IP in your side's range, but it depends on the exact setup of course.

Emerging Member
Posts: 90
Registered: ‎11-14-2013
Kudos: 38
Solutions: 1

Re: NAT both ways

1) I do not know ahead of time what the inside address will be. I have an SNAT rule already going the other direction, so I want to tie that together in an automated fashion with a dnat rule in some way.

2) I just picked an easily recognizable IP.  It will be a private IP there.  Example description of the whole thing:

Client range: 10.0.0.0/24

My server: 10.1.0.3

My natted IPs: 10.248.0.0/26

Client 10.0.0.10 attempts to communicate with server 10.1.0.3. The source is natted to 10.248.0.13 as it passes through the firewall. The server sees a client with IP address 10.248.0.13 connect to it. The second application launches, and now the server tries to open an unrelated connection to port 10.248.0.13. How do I make the edgerouter now know to NAT the traffic to 10.0.0.10? There is no way for me to know ahead of time specifically that the traffic will originally be coming from 10.0.0.10, it could have been any client on that subnet. Doing 1:1 is possible, but really not something that I want to do.

Previous Employee
Posts: 13,551
Registered: ‎06-10-2011
Kudos: 5480
Solutions: 1656
Contributions: 2

Re: NAT both ways

By 1-to-1 I mean statically map one network to the other. This won't work if one is /24 and the other is /26, but if both are /24 for example, you can change the existing SNAT rule to translate source 10.0.0.0/24 to 10.248.0.0/24 (so 10.0.0.13 will always be 10.248.0.13 for example) and similarly add a DNAT rule to translate destination 10.248.0.0/24 to 10.0.0.0/24. An alternative to NAT might be to just do routing, is that not feasible?
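The following is an added example, not part of the thread and not EdgeOS code: a small Python model of the two approaches discussed above. It implements the static 1-to-1 network mapping the last reply describes (keep the host bits, swap the network bits, the same idea as the netfilter NETMAP target), shows why the mapping is only possible when both prefixes have the same length (the /24 vs /26 case), and contrasts it with a dynamic SNAT pool, where a new inbound connection to a pool address has no reverse mapping until an outbound flow has created one. The networks 10.0.0.0/24 and 10.248.0.0/24 are taken from the thread; the pool allocation logic is a constructed simplification, not a description of how the kernel actually picks pool addresses.

```python
import ipaddress

# Networks from the thread: the customer's clients and the translated range.
CLIENT_NET = "10.0.0.0/24"
OUTSIDE_NET = "10.248.0.0/24"   # the /24 the last reply suggests instead of a /26


def netmap(addr, from_net, to_net):
    """Stateless 1-to-1 network translation: keep the host bits of addr,
    replace the network bits of from_net with those of to_net.
    Raises ValueError when the prefix lengths differ (no bijection exists)
    or when addr is not inside from_net."""
    src = ipaddress.ip_network(from_net, strict=True)
    dst = ipaddress.ip_network(to_net, strict=True)
    ip = ipaddress.ip_address(addr)
    if src.prefixlen != dst.prefixlen:
        raise ValueError(
            f"prefix length mismatch: {src} is /{src.prefixlen}, {dst} is /{dst.prefixlen}")
    if ip not in src:
        raise ValueError(f"{ip} is not in {src}")
    host_bits = int(ip) - int(src.network_address)
    return ipaddress.ip_address(int(dst.network_address) + host_bits)


def snat_outbound(client_ip):
    """Static SNAT: client 10.0.0.x always appears as 10.248.0.x."""
    return str(netmap(client_ip, CLIENT_NET, OUTSIDE_NET))


def dnat_inbound(outside_ip):
    """Static DNAT for the server's unrelated connection back to 10.248.0.x."""
    return str(netmap(outside_ip, OUTSIDE_NET, CLIENT_NET))


def round_trip_consistent(client_ip):
    """True when the DNAT rule undoes the SNAT rule for this client."""
    return dnat_inbound(snat_outbound(client_ip)) == client_ip


def prefix_mismatch_error(from_net, to_net):
    """Return the error message for a mismatched mapping, or None if it maps."""
    try:
        netmap(ipaddress.ip_network(from_net).network_address, from_net, to_net)
        return None
    except ValueError as exc:
        return str(exc)


class DynamicPool:
    """Constructed model of the original per-flow SNAT pool (10.248.0.11-63):
    an outside address is assigned when an outbound flow is first seen, so a
    new inbound flow to a pool address can only be translated back if some
    outbound flow already created a state entry."""

    def __init__(self, first, last):
        self.free = [str(ipaddress.ip_address(i))
                     for i in range(int(ipaddress.ip_address(first)),
                                    int(ipaddress.ip_address(last)) + 1)]
        self.table = {}   # outside address -> client address

    def outbound(self, client_ip):
        for outside, client in self.table.items():
            if client == client_ip:
                return outside
        outside = self.free.pop(0)
        self.table[outside] = client_ip
        return outside

    def inbound(self, outside_ip):
        # None models "unrelated new traffic the router does not know what to do with"
        return self.table.get(outside_ip)


if __name__ == "__main__":
    print("static SNAT  10.0.0.13 ->", snat_outbound("10.0.0.13"))
    print("static DNAT  10.248.0.13 ->", dnat_inbound("10.248.0.13"))
    print("/24 -> /26:", prefix_mismatch_error("10.0.0.0/24", "10.248.0.0/26"))
    pool = DynamicPool("10.248.0.11", "10.248.0.63")
    print("pool inbound before any outbound flow:", pool.inbound("10.248.0.11"))
    print("pool outbound 10.0.0.10 ->", pool.outbound("10.0.0.10"))
    print("pool inbound after outbound flow:", pool.inbound("10.248.0.11"))
```

The static mapping is what makes the DNAT rule in the earlier reply expressible without knowing the client in advance: the inside address is a function of the outside address, so one rule covers the whole range. With the pool, the router would need per-client state that a new, unrelated inbound connection does not carry.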