SNAT DNAT (duplicate subnets)

Status
Not open for further replies.

penguin69 (MIS), May 4, 2004
I have spun my wheels all I can on this, and I really need some help. I am not even going to bother typing where I am, because I think I am so lost it is not even funny.

Here is what I have...

10.1.0.0/16
10.188.136.0/22

Both are internal vlans that are routable to each other. My Linux box sits on 10.1.20.27 and its route to get to the 10.188.136.0 is 10.1.22.39.

I need to build a VPN tunnel to a remote network. I have this part working. Problem is, we have overlapping address schemes. So they have assigned me to use 172.30.6.32/29 via NAT, more specifically I am going to use 172.30.6.33 for my side. The server I am trying to connect them to is 10.188.136.160. The destination that this machine has to be able to send to is 10.1.123.240, on their network. (this address is a usable address on my network, hence the second need for NAT)

So what I need to be able to do is this...

Be able to send data from 10.188.136.160 to the remote 10.1.123.240. 10.188.136.160 default routes to 10.188.136.1, which routes to 10.1.20.27 (my Linux box which already has the tunnel up and running)

Can someone please guide me through this? I have read every scrap of material I can get my eyes on, but I am just not understanding something.
 
In order to give you a more detailed reply, I will need to more fully read through the IP maze you describe. However, at first glance, the conflicting address ranges sound like a real problem, and this can keep you from being able to connect.

Remember that addresses in the 10. range will not default to a public route, so you will need to join them via a VPN tunnel. Having established a tunnel, your routing table needs to be configured with the device (your VPN device) that knows how to route traffic there.

I think you have a problem where the address range is designated as belonging to multiple adapters with different routing domains: one local, one virtual. As a result, traffic will get lost, as there is no way to distinguish whether it should go to the VPN or to the local LAN.

 
I probably could have done a better job to explain all of this. I was in a bit of a hurry to explain all of this.

Firewall address - 10.1.20.27
Local LANs - 10.1.0.0/16 & 10.188.136.0/22

Current VPN tunnel is established to remote network.
Tunnel - Local 172.30.6.33/32 ---> Remote 10.1.123.240/32

As you can see, they have assigned me to NAT my address. I have already built my tunnel and it is up and connected. Obviously no data is passing because of all of the addressing concerns.

Best I can tell, I need to build a dummy interface on the firewall using the address scheme 172.30.6.33. This would make the address a valid address, making it visible to the remote network over the tunnel, right? They actually gave me an entire range, 172.30.6.32/29, so if I need extras to build a default route, I can do that as well.

Assuming what I am thinking is correct about the dummy interface, my next thought would be to use iptables DNAT and SNAT to redirect the source and destination addresses to and from the remote network using the 172.30.6.32 address from the firewall.

Basically telling iptables to take anything from the remote 10.1.123.240/32 and readdress the source address to 172.30.6.33 and send it to the destination on the network, 10.188.136.160.

Next I would have to build another SNAT/DNAT to accept connections on the firewall address 172.30.6.33 from my internal host 10.188.136.160. iptables would have to readdress the source address as 172.30.6.32 and readdress the destination address as 10.1.123.240 over the IPSec tunnel.

I realize I would probably have to build a route on the firewall for the 10.1.123.240/32, because the firewall would get confused and think that the address is on the local LAN. How would I do that as well? I have the interface ipsec0, so I am assuming I would just build the route for 10.1.123.240/32 dest to dev interface ipsec0?

Thanks for any and all help. I am very comfortable with tunnels and routing, but this whole DNAT and SNAT with duplicate networks is just a little over my head. I am anxious to learn though, and think this is extremely interesting to build and learn from.

Ken

 
I was able to resolve the issue. Here are the lines of code I used to accomplish this, and allow me to establish a VPN connection to a remote site that used a duplicate address scheme/range.

This line is to create a new adapter, or new interface. I am using the lo, which is the loopback adapter. I used my own made up address, but feel free to use your own.
Code:
# Alias on the loopback so the firewall itself owns 172.30.6.33, the NATed address the remote side expects
ifconfig lo:1 172.30.6.33 netmask 255.255.255.255

Code:
# Before routing: anything from the LAN aimed at 172.30.6.33:7050 gets its destination rewritten to the real remote host
iptables -t nat -A PREROUTING -d 172.30.6.33/32 -p tcp --dport 7050 -j DNAT --to <Remote IP Address>

Code:
# After routing: only the one internal host's traffic to that remote host leaves with 172.30.6.33 as source, so it matches the tunnel's local subnet
iptables -t nat -A POSTROUTING -d <Remote IP Address> -s <Internal IP Address sending data> -p tcp --dport 7050 -j SNAT --to 172.30.6.33

After creating these rules, I just built a tunnel in OpenSWAN. The local subnet was 172.30.6.33/32 and the remote subnet was <Remote IP Address>/32. As you can see, I set this up for port 7050, but you can use your own port, or I believe you can use a range by specifying 7050-7060...

I hope this helps someone, as I was desperate for a solution, and I couldn't find anyone that has posted any documentation on how to do this. I read documentation on OpenSwan and FreeSwan, and they both specified that you had to have separately numbered networks, and they could not have an overlap in IP address ranges. Example: both using 192.168.1.0/255.255.255.0. By using this technique, I was able to do just that, and to them, I appeared as a completely different address. To me, they appeared as this bogus address as well, making it very nice.

The best part is, I feel more secure than just a wide open tunnel. Before I would have just had a wide open tunnel to that internal IP address. But now I am using SNAT and DNAT and am only forwarding packets that are the right ports. All other traffic will be dropped at the VPN server.

If this does help, please mark it at the bottom!

Good luck!
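A small model of what those two rules do to a packet, added here as an example and not the poster's script: the DNAT and SNAT chains, the reverse mapping conntrack keeps so the reply reaches the internal host, and the tunnel policy that leaves any non-7050 packet (or one from another source host) untranslated and outside the tunnel. The remote address 10.1.123.240 and port 7050 are taken from the thread; the packet model and function names are assumptions.

```python
from dataclasses import dataclass, replace

# Constructed values, taken from the thread: the internal host, the loopback
# alias the firewall owns, the remote host (which collides with the local
# 10.1.0.0/16) and the single forwarded port.
INTERNAL_HOST = "10.188.136.160"
ALIAS = "172.30.6.33"
REMOTE = "10.1.123.240"
PORT = 7050

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int

def prerouting(p: Packet) -> Packet:
    """nat PREROUTING: -d ALIAS -p tcp --dport PORT -j DNAT --to REMOTE.
    Runs before the routing decision, so the /32 route via ipsec0 (not the
    local 10.1.0.0/16) must then pick up the rewritten destination."""
    if p.dst == ALIAS and p.dport == PORT:
        return replace(p, dst=REMOTE)
    return p

def postrouting(p: Packet) -> Packet:
    """nat POSTROUTING: -d REMOTE -s INTERNAL_HOST --dport PORT -j SNAT --to ALIAS."""
    if p.dst == REMOTE and p.src == INTERNAL_HOST and p.dport == PORT:
        return replace(p, src=ALIAS)
    return p

def tunnel_accepts(p: Packet) -> bool:
    """IPsec policy 172.30.6.33/32 <-> REMOTE/32: anything else never enters the tunnel."""
    return p.src == ALIAS and p.dst == REMOTE

def forward_outbound(p: Packet, conntrack: dict) -> Packet:
    """LAN -> remote: apply both chains and record the mapping conntrack keeps
    (keyed by the translated 4-tuple) so the reply can be un-NATed."""
    out = postrouting(prerouting(p))
    if out != p:
        conntrack[(out.dst, out.dport, out.src, out.sport)] = p
    return out

def forward_reply(p: Packet, conntrack: dict):
    """remote -> LAN: reverse the recorded mapping; unknown flows return None."""
    orig = conntrack.get((p.src, p.sport, p.dst, p.dport))
    if orig is None:
        return None
    return Packet(src=orig.dst, dst=orig.src, sport=orig.dport, dport=orig.sport)
```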
 
I am giving you a star, both for posting the solution you discovered and for the creativity of your solution. Creating an alias loopback interface and then creating a NAT bridge on it - really good thinking!
 