Fireware “How To” VPN Introduction

Fireware “How To”
VPN
How do I set up outgoing dynamic NAT through a BOVPN tunnel?
Introduction
When you create a branch office VPN tunnel, especially to an outside business partner, it is sometimes helpful to use
dynamic NAT through the BOVPN tunnel. Through a BOVPN tunnel, dynamic NAT acts as unidirectional NAT, and
keeps the VPN tunnel open in one direction only.
For example, Company A wants to create a BOVPN tunnel to one of their business partners -- Company B -- so they
can access data on Company B’s database server. Company B agrees to allow Company A access to the server, but
wants Company A to get access to the database server from a single IP address so it can easily monitor the connection. Company A wants to make sure that Company B cannot get to any of its resources at all. In this example, you
can use a combination of BOVPN tunnel policies and dynamic NAT to meet the needs of both companies.
In this case, it could be possible to meet the needs of both companies with a one-way BOVPN tunnel. However, some
organizations want to make sure that all traffic through the VPN comes from one public IP address, which is possible
if you use dynamic NAT.
Is there anything I need to know before I start?
This document shows you how to enable dynamic NAT correctly through a BOVPN tunnel between two WatchGuard
Firebox devices using Fireware 8.2 or higher. The instructions below show how to configure dynamic NAT for a
BOVPN tunnel from Company A to the trusted network of Company B. For more information about how to create a
branch office VPN tunnel or apply BOVPN tunnel policies, see
http://www.watchguard.com/support/Fireware_HowTo/HowTo_ManualBOVPN
You must have this information to use configure dynamic NAT through a BOVPN tunnel:
• External IP address of each VPN endpoint
In this example:
Company A Firebox
95.1.1.1
Company B Firebox
•
Trusted network address of each VPN endpoint
In this example:
Company A Trusted
Network
Company B Trusted
Network
1
42.1.1.1
10.1.1.0/24
192.168.0.0/24
Configuring the VPN Endpoint - Company A
In this example, Company A creates a BOVPN tunnel to the Firebox at Company B. Company A enables dynamic NAT
for all traffic from Company A to Company B.
1
From Firebox A Policy Manager, select VPN > Branch Office Tunnels. Select Add to add a new BOVPN tunnel.
The New Tunnel dialog box appears.
2
3
Give the BOVPN tunnel a name. For this example, use AccessToCompanyBserver.
Select the New Phase 2 Proposal icon, as shown in the screenshot above.
The New Gateway dialog box appears.
4
2
Create a new gateway. For this example, we use these values:
Gateway Name
PartnerCompany
Remote Gateway Settings,
Gateway IP
42.1.1.1
Remote Gateway Settings,
ID Type
42.1.1.1
Configuring the VPN Endpoint - Company A
Local Settings, ID Type
95.1.1.1
Pre-shared key
Sh4redK3y
*Must be same on both VPN
endpoints
Caution
In this example, we keep the default Phase 1 Settings. For more information about any of the fields in the New
Gateway dialog box, see http://www.watchguard.com/support/Fireware_HowTo/HowTo_ManualBOVPN.
5
Click OK to return to the New Tunnel dialog box.
6
Click Advanced. Clear all check boxes. Click OK.
If you not change these Phase 2 Advanced Settings, your BOVPN tunnel will not negotiate correctly. Without this change, the
second VPN endpoint will look for Firebox A’s trusted network instead of Firebox A’s external interface after you enable
dynamic NAT.
7
Click Add to add a tunnel policy.
8
In this example, we create a one-way tunnel policy from the trusted network of Company A to the trusted
network of Company B. To do this, type these values:
Local
10.1.1.0/24
Remote
9
192.168.0.0/24
Use the Direction drop-down list to select -->. Then, select the DNAT checkbox.
10 Click OK. Save these changes to the Firebox at Company A.
4
Configuring the VPN Endpoint - Company B
Configuring the VPN Endpoint - Company B
Now that the Firebox at Company A is configured as a VPN endpoint, you must configure the Firebox at Company B as
a VPN endpoint to complete the BOVPN tunnel between the two devices.
1
From Firebox B Policy Manager, select VPN > Branch Office Tunnels. Select Add to add a new BOVPN tunnel.
The New Tunnel dialog box appears.
2
3
Give the BOVPN tunnel a name. For this example, use AccessToCompanyBserver.
Select the New Phase 2 Proposal icon, as shown in the screenshot above.
The New Gateway dialog box appears.
4
Create a new gateway. For this example, we use these values:
Gateway Name
PartnerCompany
Remote Gateway Settings,
Gateway IP
95.1.1.1
Remote Gateway Settings,
ID Type
95.1.1.1
Local Settings, ID Type
42.1.1.1
Pre-shared key
Sh4redK3y
*Must be same on both VPN
endpoints
Caution
In this example, we keep the default Phase 1 Settings. For mor e information about any of the fields in the New
Gateway dialog box, see http://www.watchguard.com/support/Fireware_HowTo/HowTo_ManualBOVPN.
5
6
Click OK to return to the New Tunnel dialog box.
6
Click Add to add a tunnel policy.
7
In this example, we create a one-way tunnel policy from the trusted network of Company B toIP address of the
Firebox at Company A. This is the IP address applied when DNAT is enabled for the traffic from Company A’s
trusted network. To do this, type these values:
Local
192.168.0.0/24
Remote
95.1.1.1
8
Use the Direction drop-down list to select <--. Do NOT select the DNAT checkbox.
9
Click OK. Save these changes to the Firebox at Company B.
When the Firebox at Company B restarts, the two Fireboxes negotiate a VPN tunnel. The Firebox at Company A will
apply dynamic NAT to all traffic destined for the trusted network of Company B. When this traffic reaches Company
B, it will arrive as traffic that originated on the Firebox A external interface.
SUPPORT:
www.watchguard.com/support
support@watchguard.com
U.S. and Canada +877.232.3531
7
COPYRIGHT © 2006 WatchGuard Technologies, Inc. All rights reserved.
WatchGuard, the WatchGuard logo, Firebox, and Core are registered trademarks or trademarks of WatchGuard Technologies, Inc. in the United States and/or other countries.
8