Fireware "How To"
VPN

How do I set up outgoing dynamic NAT through a BOVPN tunnel?

Introduction

When you create a branch office VPN tunnel, especially to an outside business partner, it is sometimes helpful to use dynamic NAT through the BOVPN tunnel. Through a BOVPN tunnel, dynamic NAT acts as unidirectional NAT, and keeps the VPN tunnel open in one direction only.

For example, Company A wants to create a BOVPN tunnel to one of its business partners, Company B, so that it can access data on Company B's database server. Company B agrees to allow Company A access to the server, but wants Company A to reach the database server from a single IP address so that it can easily monitor the connection. Company A wants to make sure that Company B cannot reach any of its resources at all. In this example, you can use a combination of BOVPN tunnel policies and dynamic NAT to meet the needs of both companies.

In this case, it could be possible to meet the needs of both companies with a one-way BOVPN tunnel alone. However, some organizations want to make sure that all traffic through the VPN comes from one public IP address, which is possible if you use dynamic NAT.

Is there anything I need to know before I start?

This document shows you how to enable dynamic NAT correctly through a BOVPN tunnel between two WatchGuard Firebox devices that use Fireware 8.2 or higher. The instructions below show how to configure dynamic NAT for a BOVPN tunnel from Company A to the trusted network of Company B.
For more information about how to create a branch office VPN tunnel or apply BOVPN tunnel policies, see http://www.watchguard.com/support/Fireware_HowTo/HowTo_ManualBOVPN

You must have this information to configure dynamic NAT through a BOVPN tunnel:

• External IP address of each VPN endpoint. In this example:
  Company A Firebox: 95.1.1.1
  Company B Firebox: 42.1.1.1

• Trusted network address of each VPN endpoint. In this example:
  Company A Trusted Network: 10.1.1.0/24
  Company B Trusted Network: 192.168.0.0/24

Configuring the VPN Endpoint - Company A

In this example, Company A creates a BOVPN tunnel to the Firebox at Company B. Company A enables dynamic NAT for all traffic from Company A to Company B.

1. From Firebox A Policy Manager, select VPN > Branch Office Tunnels. Select Add to add a new BOVPN tunnel. The New Tunnel dialog box appears.

2. Give the BOVPN tunnel a name. For this example, use AccessToCompanyBserver.

[Screenshot: New Tunnel dialog box]

3. Select the New Phase 2 Proposal icon, as shown in the screenshot above. The New Gateway dialog box appears.

4. Create a new gateway. For this example, we use these values:
   Gateway Name: PartnerCompany
   Remote Gateway Settings, Gateway IP: 42.1.1.1
   Remote Gateway Settings, ID Type: 42.1.1.1
   Local Settings, ID Type: 95.1.1.1
   Pre-shared key: Sh4redK3y (must be the same on both VPN endpoints)

   Caution: In this example, we keep the default Phase 1 Settings. For more information about any of the fields in the New Gateway dialog box, see http://www.watchguard.com/support/Fireware_HowTo/HowTo_ManualBOVPN.

5. Click OK to return to the New Tunnel dialog box.

6. Click Advanced. Clear all check boxes. Click OK. If you do not change these Phase 2 Advanced Settings, your BOVPN tunnel will not negotiate correctly. Without this change, the second VPN endpoint will look for Firebox A's trusted network instead of Firebox A's external interface after you enable dynamic NAT.

7. Click Add to add a tunnel policy.
8. In this example, we create a one-way tunnel policy from the trusted network of Company A to the trusted network of Company B. To do this, type these values:
   Local: 10.1.1.0/24
   Remote: 192.168.0.0/24

9. Use the Direction drop-down list to select -->. Then, select the DNAT check box.

10. Click OK. Save these changes to the Firebox at Company A.

Configuring the VPN Endpoint - Company B

Now that the Firebox at Company A is configured as a VPN endpoint, you must configure the Firebox at Company B as a VPN endpoint to complete the BOVPN tunnel between the two devices.

1. From Firebox B Policy Manager, select VPN > Branch Office Tunnels. Select Add to add a new BOVPN tunnel. The New Tunnel dialog box appears.

2. Give the BOVPN tunnel a name. For this example, use AccessToCompanyBserver.

[Screenshot: New Tunnel dialog box]

3. Select the New Phase 2 Proposal icon, as shown in the screenshot above. The New Gateway dialog box appears.

4. Create a new gateway. For this example, we use these values:
   Gateway Name: PartnerCompany
   Remote Gateway Settings, Gateway IP: 95.1.1.1
   Remote Gateway Settings, ID Type: 95.1.1.1
   Local Settings, ID Type: 42.1.1.1
   Pre-shared key: Sh4redK3y (must be the same on both VPN endpoints)

   Caution: In this example, we keep the default Phase 1 Settings. For more information about any of the fields in the New Gateway dialog box, see http://www.watchguard.com/support/Fireware_HowTo/HowTo_ManualBOVPN.

5. Click OK to return to the New Tunnel dialog box.

6. Click Add to add a tunnel policy.

7. In this example, we create a one-way tunnel policy from the trusted network of Company B to the external IP address of the Firebox at Company A. This is the IP address applied when DNAT is enabled for the traffic from Company A's trusted network. To do this, type these values:
   Local: 192.168.0.0/24
   Remote: 95.1.1.1

8. Use the Direction drop-down list to select <--. Do NOT select the DNAT check box.

9. Click OK. Save these changes to the Firebox at Company B.
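As an added example that is not part of this how-to or of WatchGuard's software, the script below models the pairing of the two tunnel policies configured above and flags the mismatch that the Phase 2 note in step 6 for Company A warns about. The TunnelPolicy class and check_pairing function are constructed for illustration; the addresses are the ones used in this document.

```python
"""Added example (not WatchGuard code): a model of the tunnel-policy pairing
in this how-to. With DNAT on a one-way (-->) policy, endpoint A presents its
external IP instead of its trusted network as the Phase 2 source, so endpoint
B's policy must name that external IP as its Remote. Values are the how-to's."""
from dataclasses import dataclass
from ipaddress import ip_network


@dataclass(frozen=True)
class TunnelPolicy:
    local: str        # Local network or host, as typed in Policy Manager
    remote: str       # Remote network or host
    direction: str    # "-->" outgoing only, "<--" incoming only, "<->" both
    dnat: bool = False


def selector(policy: TunnelPolicy, external_ip: str) -> tuple:
    """(source, destination) the policy offers to the partner endpoint."""
    source = external_ip if policy.dnat else policy.local
    return ip_network(source), ip_network(policy.remote)


def check_pairing(a: TunnelPolicy, a_ext: str, b: TunnelPolicy) -> list:
    """Mismatches between A's outgoing policy and B's incoming policy."""
    problems = []
    src_a, dst_a = selector(a, a_ext)
    # From B's side, Remote is where A's traffic comes from and Local is
    # the network B protects, so the pair is read in reverse.
    src_b, dst_b = ip_network(b.remote), ip_network(b.local)
    if src_a != src_b:
        problems.append(f"source mismatch: A offers {src_a}, B expects {src_b}")
    if dst_a != dst_b:
        problems.append(f"destination mismatch: A sends to {dst_a}, B protects {dst_b}")
    if a.direction != "-->" or b.direction != "<--":
        problems.append("one-way tunnel needs --> on A and <-- on B")
    if b.dnat:
        problems.append("DNAT must stay clear on the receiving endpoint (B)")
    return problems


COMPANY_A_EXT = "95.1.1.1"
POLICY_A = TunnelPolicy("10.1.1.0/24", "192.168.0.0/24", "-->", dnat=True)
POLICY_B = TunnelPolicy("192.168.0.0/24", "95.1.1.1", "<--")
# The error the how-to warns about: B expects A's trusted network, not 95.1.1.1.
POLICY_B_WRONG = TunnelPolicy("192.168.0.0/24", "10.1.1.0/24", "<--")

if __name__ == "__main__":
    for label, pol in (("correct", POLICY_B), ("wrong", POLICY_B_WRONG)):
        print(label, check_pairing(POLICY_A, COMPANY_A_EXT, pol) or ["OK"])
```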
When the Firebox at Company B restarts, the two Fireboxes negotiate a VPN tunnel. The Firebox at Company A applies dynamic NAT to all traffic destined for the trusted network of Company B. When this traffic reaches Company B, it arrives as traffic that originated on the Firebox A external interface.

SUPPORT: www.watchguard.com/support
support@watchguard.com
U.S. and Canada +877.232.3531

COPYRIGHT © 2006 WatchGuard Technologies, Inc. All rights reserved. WatchGuard, the WatchGuard logo, Firebox, and Core are registered trademarks or trademarks of WatchGuard Technologies, Inc. in the United States and/or other countries.