Set Up Outgoing Dynamic NAT Through a Branch Office VPN Tunnel

You can use dynamic NAT (DNAT) through Branch Office VPN (BOVPN) tunnels. Dynamic NAT acts as unidirectional NAT, and keeps the VPN tunnel open in one direction only. This can be helpful when you make a BOVPN tunnel to a remote site where all VPN traffic comes from one public IP address.

For example, suppose you want to create a BOVPN tunnel to a business partner so you can get access to their database server, but you do not want this company to get access to any of your resources. Your business partner wants to allow you access, but only from a single IP address so they can monitor the connection.

You must know the external and trusted network IP addresses of each VPN endpoint to complete this procedure. If you enable dynamic NAT through a BOVPN tunnel, you cannot use the VPN failover feature for that VPN tunnel.

The step-by-step instructions below work with any BOVPN that uses dynamic NAT to make all traffic from one endpoint appear to come from a single IP address. The DNAT address can be any routable IP address, such as the Site A public IP address, or a private IP address on the trusted network at Site A. The screen shots that follow show the settings for a BOVPN where all traffic from Site A must appear to come from the public IP address of Site A.

Site A

Public IP address — 203.0.113.2

Trusted Network — 10.0.1.0/24

Site B

Public IP address — 198.51.100.2

Trusted Network — 10.50.1.0/24

Configure the Endpoint Where All Traffic Must Appear to Come from a Single Address (Site A)

  1. From Fireware XTM Web UI, configure the gateway for the BOVPN.
    For more information, see Configure Gateways.
  2. Select VPN > Branch Office VPN.
  3. Click Add below the Tunnels list to add a new tunnel, or select a tunnel and click Edit.
    The Tunnel configuration settings appear.
  4. Select the gateway from the Gateway drop-down list.
  5. On the Addresses tab, click Add.
    The Tunnel Route Settings dialog box opens.

Screen shot of Tunnel Route Settings dialog box, Addresses tab

  6. In the Local IP section, select the type of local address from the Choose Type drop-down list. Then type the value in the text box below. You can type a host IP address, network address, a range of host IP addresses, or a DNS name.
  7. In the Remote IP section, select the type of remote address from the Choose Type drop-down list. Then type the value in the text box below. You can type a host IP address, network address, a range of host IP addresses, or a DNS name.
  8. In the Direction drop-down list, select local-to-remote.
  9. Click the NAT tab. Select the Dynamic NAT check box. In the adjacent text box, type the IP address that you want the remote network to see as the source for all traffic through the tunnel.

Screen shot of Tunnel Route Settings dialog box - NAT tab

  10. Click OK.
    The tunnel route is added.

Screen shot of tunnel settings page

  11. Save the changes to the XTM device.

Configure the Endpoint that Expects All Traffic to Come from a Single IP Address (Site B)

  1. From the Fireware XTM Web UI, configure the gateway for the BOVPN. For more information, see Configure Gateways.
  2. Select VPN > BOVPN. Click Add below the Tunnels list to add a new tunnel, or select an existing tunnel and click Edit.
    The Add Tunnel or Edit Tunnel dialog box opens. The tunnel settings appear.
  3. Select the gateway from the Gateways drop-down list.
  4. On the Addresses tab, click Add.
    The Tunnel Route Settings dialog box opens.

Screen shot of the Tunnel Route Settings dialog box

  5. In the Local IP section, select the type of local address from the Choose Type drop-down list. Then type the value in the adjacent text box. You can type a host IP address, network address, a range of host IP addresses, or a host name. This must match the Remote address configured in the tunnel route at Site A.
  6. In the Remote IP section, select the type of remote address from the Choose Type drop-down list. Type the value in the adjacent text box. You can type a host IP address, network address, a range of host IP addresses, or a host name. This must match the DNAT address configured at Site A.
  7. From the Direction drop-down list, select remote-to-local.
  8. Do not select anything on the NAT tab.
  9. Click OK.
    The tunnel route is added.

Screen shot of the Branch Office VPN tunnel settings page

  10. Save the changes to the XTM device.

When the XTM device at Site B restarts, the two XTM devices negotiate a VPN tunnel. The Site A XTM device applies dynamic NAT to all traffic sent to the trusted network of the Site B XTM device. When this traffic reaches Site B, it arrives as traffic that originated from the DNAT IP address.
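The following added example (not WatchGuard code) models the two tunnel routes from this page with the sample addresses above and checks them against each other: it shows the source address Site B sees after Site A applies DNAT, that a connection started from Site B toward the Site A trusted network has no matching route (the tunnel is unidirectional), and how to catch the common mismatch where the Site B Remote IP does not equal the Site A DNAT address. It is a simplified model of tunnel route matching only; policies and routing on the real devices are not represented.

```python
# Added example (not WatchGuard code): a simplified model of the two BOVPN tunnel
# routes described on this page, used to check that the endpoints agree.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

@dataclass
class TunnelRoute:
    local: str                  # Local IP setting (network or host)
    remote: str                 # Remote IP setting (network or host)
    direction: str              # "local-to-remote" or "remote-to-local"
    dnat: Optional[str] = None  # NAT tab: Dynamic NAT source address, if enabled

# Sample values from the page: Site A trusted 10.0.1.0/24, DNAT to the Site A public IP.
SITE_A = TunnelRoute("10.0.1.0/24", "10.50.1.0/24", "local-to-remote", dnat="203.0.113.2")
SITE_B = TunnelRoute("10.50.1.0/24", "203.0.113.2/32", "remote-to-local")

def _in(addr: str, net: str) -> bool:
    return ip_address(addr) in ip_network(net, strict=False)

def site_a_forwards(route: TunnelRoute, src: str, dst: str) -> Optional[str]:
    """Source address Site A puts into the tunnel, or None if no route permits it."""
    if route.direction != "local-to-remote":
        return None  # remote-to-local routes never allow locally initiated traffic
    if _in(src, route.local) and _in(dst, route.remote):
        return route.dnat or src  # Dynamic NAT rewrites the source when configured
    return None

def site_b_accepts(route: TunnelRoute, src: str, dst: str) -> bool:
    """True if Site B's route permits this inbound tunnel packet."""
    return (route.direction == "remote-to-local"
            and _in(src, route.remote) and _in(dst, route.local))

def source_seen_at_b(a: TunnelRoute, b: TunnelRoute, src: str, dst: str) -> Optional[str]:
    """End-to-end: the source address Site B sees, or None if the packet is dropped."""
    wire_src = site_a_forwards(a, src, dst)
    if wire_src is None or not site_b_accepts(b, wire_src, dst):
        return None
    return wire_src

def consistency_errors(a: TunnelRoute, b: TunnelRoute) -> List[str]:
    """Mismatches between the Site A and Site B tunnel route settings."""
    errs = []
    if a.dnat is None:
        errs.append("Site A: Dynamic NAT is not enabled on the tunnel route")
    elif not _in(a.dnat, b.remote):
        errs.append("Site B: Remote IP must equal the DNAT address set at Site A")
    if ip_network(a.remote, strict=False) != ip_network(b.local, strict=False):
        errs.append("Site B: Local IP must match the Remote address set at Site A")
    return errs
```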

See Also

About Dynamic NAT

Use 1-to-1 NAT Through a Branch Office VPN Tunnel
