Use 1-to-1 NAT Through a Branch Office VPN Tunnel

When you create a Branch Office VPN (BOVPN) tunnel between two networks that use the same private IP address range, an IP address conflict occurs. To create a tunnel without this conflict, both networks must apply 1-to-1 NAT to the VPN. 1-to-1 NAT makes the IP addresses on your computers appear to be different from their true IP addresses when traffic goes through the VPN.

1-to-1 NAT maps one or more IP addresses in one range to a second IP address range of the same size. Each IP address in the first range maps to an IP address in the second range. In this document, we call the first range the real IP addresses and we call the second range the masqueraded IP addresses. For more information on 1-to-1 NAT, see About 1-to-1 NAT.

1-to-1 NAT and VPNs

When you use 1-to-1 NAT through a BOVPN tunnel, the NAT affects only the traffic that goes through that VPN. The rules you see in Fireware XTM Web UI at Network > NAT do not affect traffic that goes through a VPN.

Other Reasons to Use 1-to-1 NAT Through a VPN

In addition to the previous situation, you would also use 1-to-1 NAT through a VPN if the network to which you want to make a VPN already has a VPN to a network that uses the same private IP addresses you use in your network. An IPSec device cannot route traffic to two different remote networks when the two networks use the same private IP addresses. You use 1-to-1 NAT through the VPN so that the computers in your network appear to have different (masqueraded) IP addresses. However, unlike the situation described at the beginning of this topic, you need to use NAT only on your side of the VPN instead of both sides.

A similar situation exists when two remote offices use the same private IP addresses and both remote offices want to make a VPN to your XTM device. In this case, one of the remote offices must use NAT through its VPN to your XTM device to resolve the IP address conflict.

Alternative to Using NAT

If your office uses a common private IP address range such as 192.168.0.x or 192.168.1.x, it is very likely that you will have a problem with IP address conflicts in the future. These IP address ranges are often used by broadband routers or other electronic devices in homes and small offices. You should consider changing to a less common private IP address range, such as 10.x.x.x or 172.16.x.x.

How to Set Up the VPN

These steps and the subsequent example apply to a branch office VPN that is not configured as a BOVPN virtual interface. For a BOVPN virtual interface, you configure 1-to-1 NAT as you would for an interface. For more information, see Configure Firewall 1-to-1 NAT.

  1. Select a range of IP addresses that your computers show as the source IP addresses when traffic comes from your network and goes to the remote network through the BOVPN. Consult with the network administrator for the other network to select a range of IP addresses that are not in use. Do not use any of the IP addresses from: 
  2. Configure Gateways for the local and remote XTM devices.
  3. Make Tunnels Between Gateway Endpoints. In the Tunnel Route Settings dialog box for each XTM device, select the 1:1 NAT check box and type its masqueraded IP address range in the adjacent text box.

The number of IP addresses in this text box must be exactly the same as the number of IP addresses in the Local text box at the top of the dialog box, because each real IP address must map to exactly one masqueraded IP address. For example, if you use slash notation to indicate a subnet, the value after the slash must be the same in both text boxes. For more information, see About Slash Notation.

You do not need to define anything in the Network > NAT settings in Fireware XTM Web UI. These settings do not affect VPN traffic.

Example

Suppose two companies, Site A and Site B, want to set up a Branch Office VPN between their trusted networks. Both companies use a WatchGuard XTM device with Fireware XTM, and both use the same IP address range for their trusted networks, 192.168.1.0/24. Each company's XTM device uses 1-to-1 NAT through the VPN. Computers at Site A send traffic to Site B's masqueraded range, which lies outside Site A's local subnet, so the traffic is routed to the XTM device and into the tunnel instead of being treated as local. Likewise, computers at Site B send traffic to Site A's masqueraded range. This solves the IP address conflict at both networks. The two companies agree that:

Define a Branch Office Gateway on Each XTM Device

The first step is to make a gateway that identifies the remote IPSec device. When you make the gateway, it appears in the list of gateways in Fireware XTM Web UI. To see the list of gateways from Fireware XTM Web UI, select VPN > Branch Office VPN.

Screen shot of Gateways list on BOVPN page

Configure the Local Tunnel

  1. Select VPN > Branch Office VPN.
    The Branch Office VPN page appears.
  2. In the Tunnel section of the BOVPN page, click Add.
    The Tunnel settings page appears.

Screen shot of Tunnel settings page

  3. Type a descriptive name for the tunnel. The example uses "TunnelTo_SiteB".
  4. From the Gateway drop-down list, select the gateway that points to the IPSec device of the remote office. The example uses the gateway called "SiteB".
  5. Select the Phase 2 Settings tab. Make sure the Phase 2 settings match what the remote office uses for Phase 2.
  6. Select the Addresses tab. Click Add to add the local-remote pair.
    The Tunnel Route Settings dialog box appears.

Screen shot of Tunnel Route Settings - Addresses tab

  7. In the Local IP section, select Network IPv4 from the Choose Type drop-down list. In the Network IP text box, type the real IP address range of the local computers that use this VPN. This example uses 192.168.1.0/24.
  8. In the Remote section, select Network IPv4 from the Choose Type drop-down list. In the Network IP text box, type the private IP address range that the local computers send traffic to. This example uses 192.168.200.0/24.

In this example, the remote office Site B uses 1-to-1 NAT through its VPN. This makes Site B’s computers appear to come from Site B’s masqueraded range, 192.168.200.0/24. The local computers at Site A send traffic to Site B’s masqueraded IP address range. If the remote network does not use NAT through its VPN, type the real IP address range in the Remote text box.

  9. Select the NAT tab. Select the 1:1 NAT check box and type the masqueraded IP address range for this office. This is the range of IP addresses that the computers protected by this XTM device show as the source IP address when traffic comes from this XTM device and goes to the other side of the VPN. (The 1:1 NAT check box is enabled after you type a valid host IP address, a valid network IP address, or a valid host IP address range in the Local text box on the Addresses tab.) Site A uses 192.168.100.0/24 for its masqueraded IP address range.

Screen shot of Tunnel Route Settings dialog box - NAT tab

  10. Click OK. The device adds the new tunnel to the BOVPN-Allow.out and BOVPN-Allow.in policies.

If you need 1-to-1 NAT on your side of the VPN only, you can stop here. The administrator of the device at the other end of the VPN must still configure that device's tunnel to use your masqueraded range, not your real range, as its remote network; otherwise the tunnel routes on the two devices do not match and traffic does not pass.

Configure the Remote Tunnel

  1. Follow Steps 1–6 in the previous procedure to add the tunnel on the remote XTM device. Make sure the Phase 2 settings match.
  2. In the Local IP section, select Network IPv4 from the Choose Type drop-down list. In the Network IP text box, type the real IP address range of the local computers that use this VPN. This example uses 192.168.1.0/24.
  3. In the Remote section, select Network IPv4 from the Choose Type drop-down list. In the Network IP text box, type the private IP address range that the computers at the remote office send traffic to. In our example, Site A does 1-to-1 NAT through its VPN. This makes the computers at Site A appear to come from its masqueraded range, 192.168.100.0/24. The local computers at Site B send traffic to the masqueraded IP address range of Site A.

Screen shot of Tunnel Route Settings dialog box

  4. Select the NAT tab. Select the 1:1 NAT check box and type the masqueraded IP address range of this site. This is the range of IP addresses that computers behind this XTM device show as the source IP address when traffic comes from this XTM device and goes to the other side of the VPN. Site B uses 192.168.200.0/24 for its masqueraded IP address range.

Screen shot of Tunnel Route Settings - NAT tab

  5. Click OK. The device adds the new tunnel to the BOVPN-Allow.out and BOVPN-Allow.in policies.
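The following Python model is an added example, not WatchGuard code and not part of this documentation. It covers both the general procedure in How to Set Up the VPN and the Site A / Site B walkthrough above: it applies the checks the Tunnel Route Settings dialog implies (remote range must not overlap the local subnet, the 1:1 NAT range must be the same size as the Local range and must not collide with either end), rewrites a packet's addresses the way each XTM device does on the way into and out of the tunnel, and verifies that the two devices' tunnel routes mirror each other. The host addresses, the tunnel name "TunnelTo_SiteA" on Site B's device, and the 10.0.5.0/24 network used for the one-sided NAT case are assumed for illustration.

```python
# Added example, not WatchGuard code: a model of what 1-to-1 NAT through a
# BOVPN tunnel does to packet addresses and of the checks the Tunnel Route
# Settings dialog implies. Host addresses and the name "TunnelTo_SiteA" are assumed.
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import Optional, Tuple


@dataclass(frozen=True)
class TunnelRoute:
    """One local-remote pair as entered in Tunnel Route Settings on one device."""
    name: str
    local_real: IPv4Network                   # Addresses tab, Local: real range behind this device
    remote: IPv4Network                       # Addresses tab, Remote: range local hosts send to
    local_masq: Optional[IPv4Network] = None  # NAT tab, 1:1 NAT range; None if the box is unchecked

    def __post_init__(self) -> None:
        # A remote range inside our own subnet is the conflict this page is about: local
        # hosts would treat those destinations as on-link instead of using the XTM device.
        if self.remote.overlaps(self.local_real):
            raise ValueError(f"{self.name}: remote {self.remote} overlaps local {self.local_real}")
        if self.local_masq is not None:
            # Both ranges must hold the same number of addresses (same value after the slash).
            if self.local_masq.prefixlen != self.local_real.prefixlen:
                raise ValueError(f"{self.name}: 1:1 NAT range must be a /{self.local_real.prefixlen}")
            # The masqueraded range must not collide with either end of this tunnel.
            if self.local_masq.overlaps(self.remote) or self.local_masq.overlaps(self.local_real):
                raise ValueError(f"{self.name}: 1:1 NAT range {self.local_masq} is already in use")

    def presented_local(self) -> IPv4Network:
        """The local range the peer sees: the masqueraded range when 1:1 NAT is on."""
        return self.local_real if self.local_masq is None else self.local_masq

    def outbound(self, src: IPv4Address, dst: IPv4Address) -> Tuple[IPv4Address, IPv4Address]:
        """Packet entering the tunnel: rewrite the real source to its masqueraded twin."""
        if src not in self.local_real or dst not in self.remote:
            raise ValueError(f"{self.name}: {src}->{dst} does not match this tunnel route")
        if self.local_masq is None:
            return src, dst
        offset = int(src) - int(self.local_real.network_address)
        return IPv4Address(int(self.local_masq.network_address) + offset), dst

    def inbound(self, src: IPv4Address, dst: IPv4Address) -> Tuple[IPv4Address, IPv4Address]:
        """Packet leaving the tunnel: map a masqueraded destination back to the real host."""
        if src not in self.remote or dst not in self.presented_local():
            raise ValueError(f"{self.name}: {src}->{dst} does not match this tunnel route")
        if self.local_masq is None:
            return src, dst
        offset = int(dst) - int(self.local_masq.network_address)
        return src, IPv4Address(int(self.local_real.network_address) + offset)


def route(name: str, local: str, remote: str, masq: Optional[str] = None) -> TunnelRoute:
    """Build a TunnelRoute from the strings you would type into the dialog."""
    return TunnelRoute(name, IPv4Network(local), IPv4Network(remote),
                       None if masq is None else IPv4Network(masq))


def check(name: str, local: str, remote: str, masq: Optional[str] = None) -> Optional[str]:
    """Return the validation error for a proposed tunnel route, or None if it is acceptable."""
    try:
        route(name, local, remote, masq)
    except ValueError as err:
        return str(err)
    return None


def routes_mirror(a: TunnelRoute, b: TunnelRoute) -> bool:
    """Each side's Remote must be exactly the range the other side presents as Local."""
    return a.remote == b.presented_local() and b.remote == a.presented_local()


def deliver(sender: TunnelRoute, receiver: TunnelRoute, src: str, dst: str) -> Tuple[str, str]:
    """Trace one packet: NAT on the sending device, then NAT on the receiving device."""
    s, d = sender.outbound(IPv4Address(src), IPv4Address(dst))
    s, d = receiver.inbound(s, d)
    return str(s), str(d)


# The page's example: both trusted networks are 192.168.1.0/24.
SITE_A = route("TunnelTo_SiteB", "192.168.1.0/24", "192.168.200.0/24", "192.168.100.0/24")
SITE_B = route("TunnelTo_SiteA", "192.168.1.0/24", "192.168.100.0/24", "192.168.200.0/24")

if __name__ == "__main__":
    print(routes_mirror(SITE_A, SITE_B))                              # True
    # Host .10 at Site A reaches host .20 at Site B through Site B's masqueraded address.
    print(deliver(SITE_A, SITE_B, "192.168.1.10", "192.168.200.20"))  # ('192.168.100.10', '192.168.1.20')
    print(deliver(SITE_B, SITE_A, "192.168.1.20", "192.168.100.10"))  # ('192.168.200.20', '192.168.1.10')
    print(check("NoNAT", "192.168.1.0/24", "192.168.1.0/24"))         # the conflict, rejected
```

The trace shows what a host at Site B actually sees: a connection from 192.168.100.10, never from 192.168.1.10, so any firewall policy, log filter or allow-list on the far side must be written against the masqueraded range. `routes_mirror` is the check to run against the peer's configuration when only your side uses NAT: if the peer keeps your real range as its Remote network, the function returns False and the tunnel route does not match.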

See Also

About 1-to-1 NAT

About Manual Branch Office VPN Tunnels
