[ScreenOS] How to perform source translation using only one DIP IP for different VPN locations

[KB21498]


Summary:

This article describes the procedure of how to perform source translation using only one DIP IP for different VPN locations.

Symptoms:

Environment:

  1. Source translation must use only one DIP IP for all of the VPN locations.

  2. The same DIP IP cannot be configured on multiple tunnel interfaces.

  3. The remote VPN locations require the traffic to arrive from a specific IP address.

Solution:

This can be achieved by configuring a loopback interface as the outgoing interface for the VPN, configuring the DIP on the loopback interface, and then configuring the tunnel interfaces as members of the loopback interface.

Execute the following procedure to perform source translation, using only one DIP IP for different VPN locations:

  1. Create a loopback interface; this loopback interface will be the outgoing interface of the VPN:

    set interface "loopback.2" zone "Untrust"
    set interface loopback.2 ip 172.27.201.180/30

  2. Configure DIP on the loopback interface:

    set interface loopback.2 ext ip 10.10.20.1 255.255.255.252 dip 4 10.10.20.1 10.10.20.1

  3. Configure the tunnel interfaces and make them a member of the loopback interfaces:

    set interface "tunnel.1" zone "Untrust"
    set interface "tunnel.2" zone "Untrust"
    set interface tunnel.1 ip unnumbered interface loopback.2
    set interface tunnel.2 ip unnumbered interface loopback.2
    set interface "ethernet0/2" loopback-group "loopback.2"
    set interface "tunnel.1" loopback-group "loopback.2"
    set interface "tunnel.2" loopback-group "loopback.2"

  4. Configure VPN and tunnel routes:

    set ike gateway "172.27.201.132" address 172.27.201.132 Main outgoing-interface "loopback.2" preshare "/ZS7c96YNB3FLNsHRbCb5NRMF6nrEdNaow==" sec-level standard
    set ike gateway "172.27.201.140" address 172.27.201.140 Main outgoing-interface "loopback.2" preshare "T23zCgd8Nylip0sr7nCXuDppQ5nobCaErg==" sec-level standard

    set vpn "172.27.201.132" gateway "172.27.201.132" no-replay tunnel idletime 0 proposal "g2-esp-des-sha" "g2-esp-aes128-sha"
    set vpn "172.27.201.132" id 0x7 bind interface tunnel.1
    set vpn "172.27.201.140" gateway "172.27.201.140" no-replay tunnel idletime 0 proposal "g2-esp-des-sha" "g2-esp-aes128-sha"
    set vpn "172.27.201.140" id 0x8 bind interface tunnel.2

    set route 10.10.10.1/30 interface tunnel.1
    set route 11.11.11.1/30 interface tunnel.2

  5. Configure the policies allowing the traffic by selecting the DIP in the policy:

    set policy id 1 from "Trust" to "Untrust" "Any-IPv4" "Any-IPv4" "ANY" nat src dip-id 4 permit log

    set policy id 2 from "Untrust" to "Trust" "Any-IPv4" "Any-IPv4" "ANY" permit log

The following output of "debug flow basic" and "debug dip all" shows ICMP traffic destined for the two different locations. Both flows leave through different tunnel interfaces, but both are translated using DIP ID 4 from loopback.2, so both get the source IP 10.10.20.1 (with distinct translated ports):

     ****** 342480.0: <Trust/loopback.1> packet received [128]******
    ipid = 45619(b233), @02702464
    self:1.1.1.1/60296->10.10.10.1/1024,1(8/0)<Root>
    flow_decap_vector IPv4 process
    loopback.1:1.1.1.1/60296->10.10.10.1/1024,1(8/0)<Root>
    no session found
    flow_first_sanity_check: in <loopback.1>, out <tunnel.1>
    chose interface loopback.1 as incoming nat if.
    flow_first_routing: in <loopback.1>, out <tunnel.1>
    search route to (loopback.1, 1.1.1.1->10.10.10.1) in vr trust-vr for vsd-0/flag-0/ifp-null
    [ Dest] 8.route 10.10.10.1->10.10.10.1, to tunnel.1
    routed (x_dst_ip 10.10.10.1) from loopback.1 (loopback.1 in 0) to tunnel.1
    policy search from zone 2-> zone 1
    policy_flow_search policy search nat_crt from zone 2-> zone 1
    RPC Mapping Table search returned 0 matched service(s) for (vsys Root, ip 10.10.10.1, port 27817, proto 1)
    No SW RPC rule match, search HW rule
    swrs_search_ip: policy matched id/idx/action = 1/0/0x9
    Permitted by policy 1
    ## 2011-07-17 00:16:00 : ifp tunnel.1 is in loopback ifp loopback.2
    Get DIP [Root][loopback.2](4): host(1.1.1.1), port(0), ifp_ip(172.27.201.180), desired(0.0.0.0)
    --Got Port-xlate DIP [Root][loopback.2](4): dip 10.10.20.1/1044
    dip id = 4, 1.1.1.1/60296->10.10.20.1/1044
    NHTB entry search not found: vpn none tif tunnel.1 nexthop 11.11.11.1
    ****** 342471.0: <Trust/loopback.1> packet received [128]******
    ipid = 35540(8ad4), @02700f14
    self:1.1.1.1/59496->11.11.11.1/1024,1(8/0)<Root>
    flow_decap_vector IPv4 process
    loopback.1:1.1.1.1/59496->11.11.11.1/1024,1(8/0)<Root>
    no session found
    flow_first_sanity_check: in <loopback.1>, out <tunnel.2>
    chose interface loopback.1 as incoming nat if.
    flow_first_routing: in <loopback.1>, out <tunnel.2>
    search route to (loopback.1, 1.1.1.1->11.11.11.1) in vr trust-vr for vsd-0/flag-0/ifp-null
    [ Dest] 9.route 11.11.11.1->11.11.11.1, to tunnel.2
    routed (x_dst_ip 11.11.11.1) from loopback.1 (loopback.1 in 0) to tunnel.2
    policy search from zone 2-> zone 1
    policy_flow_search policy search nat_crt from zone 2-> zone 1
    RPC Mapping Table search returned 0 matched service(s) for (vsys Root, ip 11.11.11.1, port 28617, proto 1)
    No SW RPC rule match, search HW rule
    swrs_search_ip: policy matched id/idx/action = 1/0/0x9
    Permitted by policy 1
    ## 2011-07-17 00:15:51 : ifp tunnel.2 is in loopback ifp loopback.2
    Get DIP [Root][loopback.2](4): host(1.1.1.1), port(0), ifp_ip(172.27.201.180), desired(0.0.0.0)
    --Got Port-xlate DIP [Root][loopback.2](4): dip 10.10.20.1/1043
    dip id = 4, 1.1.1.1/59496->10.10.20.1/1043
    NHTB entry search not found: vpn none tif tunnel.2 nexthop 11.11.11.1
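
As an added verification check that is not part of the original article, the following Python script parses "debug flow basic" / "debug dip all" output in the format shown above (a constructed, abbreviated sample is embedded) and confirms the property the procedure is meant to achieve: flows leaving through different tunnel interfaces are all translated to the one DIP IP owned by the shared loopback, each with its own translated port. The DIP ID, DIP IP and loopback name are taken from this article's configuration.

```python
import re

# Constructed sample in the shape of the article's debug output: two ICMP flows
# from host 1.1.1.1 to two VPN sites, leaving via tunnel.1 and tunnel.2.
SAMPLE_DEBUG = """\
****** 342480.0: <Trust/loopback.1> packet received [128]******
flow_first_routing: in <loopback.1>, out <tunnel.1>
Permitted by policy 1
## 2011-07-17 00:16:00 : ifp tunnel.1 is in loopback ifp loopback.2
dip id = 4, 1.1.1.1/60296->10.10.20.1/1044
****** 342471.0: <Trust/loopback.1> packet received [128]******
flow_first_routing: in <loopback.1>, out <tunnel.2>
Permitted by policy 1
## 2011-07-17 00:15:51 : ifp tunnel.2 is in loopback ifp loopback.2
dip id = 4, 1.1.1.1/59496->10.10.20.1/1043
"""

FLOW_START = re.compile(r"^\*{6} \S+: <\S+> packet received")
OUT_IF = re.compile(r"flow_first_routing: in <(\S+)>, out <(\S+)>")
LOOPBACK = re.compile(r"ifp (\S+) is in loopback ifp (\S+)")
DIP = re.compile(r"dip id = (\d+), ([\d.]+)/(\d+)->([\d.]+)/(\d+)")

def parse_flows(text):
    """Split the debug text into per-packet flows and extract the NAT fields."""
    flows, cur = [], None
    for line in text.splitlines():
        if FLOW_START.match(line):      # a new "packet received" banner
            cur = {}
            flows.append(cur)
        if cur is None:
            continue
        if m := OUT_IF.search(line):
            cur["out_if"] = m.group(2)
        elif m := LOOPBACK.search(line):
            cur["loopback"] = m.group(2)
        elif m := DIP.search(line):
            cur["dip_id"] = int(m.group(1))
            cur["xlate_ip"], cur["xlate_port"] = m.group(4), int(m.group(5))
    return flows

def check_single_dip(flows, dip_id, dip_ip, loopback):
    """True when every flow used a distinct tunnel yet was translated to the
    same DIP (id and IP) from the shared loopback, with distinct ports."""
    if len(flows) < 2 or any(len(f) < 5 for f in flows):
        return False                    # incomplete flow: cannot conclude
    tunnels = {f["out_if"] for f in flows}
    ports = {f["xlate_port"] for f in flows}
    return (len(tunnels) == len(flows) and len(ports) == len(flows) and
            all(f["dip_id"] == dip_id and f["xlate_ip"] == dip_ip and
                f["loopback"] == loopback for f in flows))
```

Feed it the real debug output captured from the firewall; a False result with complete flows means at least one tunnel is not being translated through the shared DIP on the loopback.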

Modification History:

2019-06-28: Article reviewed for accuracy. No changes made. Article is correct and complete.
