CPUG
The Check Point User Group
A Resource For The Check Point Community. Fast. Useful. Independent.
Hi all, I need some help. I have a scenario here and I am missing something I am sure is simple, but here it is: I have an FTP server that has an outside address (let's say 10.10.10.1) that has a static NAT of, let's say, 192.168.1.200. This is working fine, no problems.

Now I have a VPN that I have to create, and I want to use another outside address, let's say 10.10.10.2, and NAT it to that same 192.168.1.200 address. I have the tunnel up and am seeing decrypt packets in the logs, but the user on the other end of the tunnel says when he initiates the FTP process it just sits there and doesn't do anything, no login or otherwise. I am sure this has to do with my NAT but not sure. Looking for a suggestion for the correct way (if this is possible) to get this NAT to work. Any help and/or suggestions will be very welcome, and thanks in advance.
Hopefully you are using manual NAT rules. Create the two static NAT rules. As you are coming across a VPN, you must know the src address that they are coming from. Use this as the first NAT rule, with the src as the remote VPN enc domain, dst as the secondary public IP, and then NAT as original. Then create another NAT rule below it with src = any, dst = primary public IP, and then NAT as normal. Create the outbound static NATs as well, with the more specific one for the VPN above the "any" one for the internet-accessible method. The rule order is important.
When you say "NAT as normal", what do you mean? Here is how my rule is set up:

Inbound rule 1: original src = vpn inc, dst = 2nd ext ip, srv = any; translated src = original, dst = original, srv = original
Inbound rule 2: original src = any, dst = 1st ext ip, srv = any; translated src = original, dst = inside IP, srv = any
Outbound rule 1: original src = inside IP, dst = vpn inc, srv = any; translated src = 2nd ext ip, dst = original, srv = original
Outbound rule 2: original src = inside IP, dst = any, srv = any; translated src = 1st ext ip, dst = original, srv = original

Last edited by bkeaver; 2007-09-19 at 12:13.
src = vpn inc, dst = 2nd ext ip, srv = any; translated src = original, dst = original, srv = original

Should be:

src = vpn inc, dst = 2nd ext ip, srv = any; translated src = original, dst = INSIDE, srv = original

But I'm guessing that was a typo. Check the logs, do a custom filter and check if it's being NATed properly, etc.
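As an added illustration (not code from this thread, nor anything from Check Point), the following Python model of a first-match manual NAT rule base shows why the corrected inbound rule needs dst = INSIDE and why the VPN-specific outbound rule must sit above the "any" rule. The thread's addresses are reused; the remote VPN encryption domain (172.16.0.0/16) and the client address are assumed.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed values: the thread's addresses plus an assumed remote VPN domain.
EXT_1 = "10.10.10.1"          # primary public IP (internet-facing FTP)
EXT_2 = "10.10.10.2"          # secondary public IP (used over the VPN)
INSIDE = "192.168.1.200"      # the real FTP server
VPN_DOMAIN = "172.16.0.0/16"  # assumed remote encryption domain (not from the thread)
ANY = "0.0.0.0/0"


def _in(addr: str, net: str) -> bool:
    return ipaddress.ip_address(addr) in ipaddress.ip_network(net)


@dataclass
class NatRule:
    name: str
    src: str                         # original source (host or network)
    dst: str                         # original destination
    xlate_src: Optional[str] = None  # translated source; None means "original"
    xlate_dst: Optional[str] = None  # translated destination; None means "original"


def apply_nat(rules: List[NatRule], src: str, dst: str) -> Tuple[Optional[str], str, str]:
    """First-match lookup, the way a manual NAT rule base is evaluated.
    Returns (matching rule name, translated src, translated dst)."""
    for r in rules:
        if _in(src, r.src) and _in(dst, r.dst):
            return r.name, r.xlate_src or src, r.xlate_dst or dst
    return None, src, dst


# The corrected rule base from the thread: specific VPN rules above the "any" rules.
INBOUND = [
    NatRule("inbound-vpn", VPN_DOMAIN, EXT_2, xlate_dst=INSIDE),   # dst = INSIDE, not original
    NatRule("inbound-internet", ANY, EXT_1, xlate_dst=INSIDE),
]
OUTBOUND = [
    NatRule("outbound-vpn", INSIDE, VPN_DOMAIN, xlate_src=EXT_2),
    NatRule("outbound-internet", INSIDE, ANY, xlate_src=EXT_1),
]


def reply_source(outbound: List[NatRule], vpn_client: str = "172.16.5.7") -> str:
    """Public IP the FTP server's traffic to a VPN client leaves with.
    EXT_2 when the order is right; EXT_1 when the "any" rule shadows the VPN rule."""
    return apply_nat(outbound, INSIDE, vpn_client)[1]


if __name__ == "__main__":
    print(apply_nat(INBOUND, "172.16.5.7", EXT_2))      # VPN client lands on 192.168.1.200
    print(reply_source(OUTBOUND))                        # 10.10.10.2 (correct order)
    print(reply_source(list(reversed(OUTBOUND))))        # 10.10.10.1 (wrong order)
```

With the original "dst = original" on the inbound VPN rule, `apply_nat` would leave the destination at 10.10.10.2, where no server listens, which matches the "sits there, no login" symptom described above.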
OK, now at least I am receiving an error:

Community: OhioHealth_VPN
Information: dst scheme: NA
route status: Different community ID, possible NAT problem (VPN Error code 01)

I disabled NAT within the community and now the error goes away and I get decrypt packets, which means the VPN tunnel is working correctly, is it not?

Last edited by bkeaver; 2007-09-20 at 07:01.