Feature #9230
Status: Closed
The ability to port forward across an IPSEC site to site vpn
Description
In my environment, I have a 7100 in a colo, and it is attached to a remote office via a site-to-site ipsec vpn link.
In the office, I have a mailserver, and I wish to allow traffic to flow to that mail server across the vpn link. Here is a very simple diagram:
internet -> colo firewall -> ipsec vpn link -> office firewall -> lan -> mailserver
Ideally, I'd like this to function as a 1:1 nat, as though it would without the ipsec link, so that all traffic into and out of that mailserver goes over a dedicated IP at the colo. It seems like it would work, so I tried it and the traffic wouldn't flow. I asked support about it, and they said that it was unsupported.
This is fairly high priority for us, as due to an unanticipated network change we've been forced to adopt this architecture, and this mail server is down until we can sort out how to get mail to flow to it.
Updated by Dan Tentler about 6 years ago
I should mention both firewalls are 7100s. Same model. Colo firewall has upgraded RAM and 10gig copper.
Updated by Jim Pingle about 6 years ago
- Status changed from New to Closed
- Priority changed from High to Normal
With tunneled IPsec, if you use 0.0.0.0/0 as the remote on IPsec, this can work, but it's not ideal. All traffic will be forwarded over IPsec to the side with 0.0.0.0/0. Beyond that, it's an IPsec tunnel limitation and not something we can control.
VTI gets closer but again, due to OS limitations, NAT does not currently function with pf and IPsec VTI.
Since these are inherent in IPsec and the OS, there isn't anything we can do, thus not worth keeping a bug report open for it.
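To make the limitation Jim describes concrete, here is an added illustration (not pfSense or Netgate code) of how a policy-based IPsec tunnel decides whether a port-forwarded packet is tunneled at all: after the colo firewall rewrites the destination, the packet's source is still the internet client's address, so it only matches a Phase 2 selector whose local side covers it, i.e. 0.0.0.0/0. All addresses, networks and the selector lists are constructed for the example.

```python
"""
Added illustration: why a DNAT'd packet crosses a policy-based IPsec
tunnel only when a Phase 2 selector covers its (src, dst) pair.
Constructed addresses: 203.0.113.50 = internet client, 198.51.100.10 =
dedicated colo WAN IP, 10.0.0.0/24 = colo LAN, 192.168.10.0/24 = office
LAN, 192.168.10.25 = office mail server.
"""
from ipaddress import ip_address, ip_network

# Phase 2 traffic selectors as seen from the colo firewall, as
# (local network, remote network). A packet leaving the firewall is
# tunneled only if src is inside local AND dst is inside remote.
LAN_TO_LAN = [(ip_network("10.0.0.0/24"), ip_network("192.168.10.0/24"))]
ANY_TO_OFFICE = [(ip_network("0.0.0.0/0"), ip_network("192.168.10.0/24"))]

CLIENT, COLO_VIP, MAILSERVER = "203.0.113.50", "198.51.100.10", "192.168.10.25"


def dnat(src, dst, port_forward):
    """1:1 / port-forward NAT at the colo edge: rewrite the destination only.
    The source address (the internet client) is left untouched."""
    vip, internal = port_forward
    return (src, internal) if dst == vip else (src, dst)


def selects(src, dst, selectors):
    """True when at least one Phase 2 selector covers the (src, dst) pair."""
    s, d = ip_address(src), ip_address(dst)
    return any(s in local and d in remote for local, remote in selectors)


def forwarded_over_ipsec(client, colo_vip, mailserver, selectors):
    """Trace one inbound packet: DNAT at the colo, then the IPsec policy
    lookup there, then the mirrored lookup for the reply at the office."""
    src, dst = dnat(client, colo_vip, (colo_vip, mailserver))
    # The office firewall holds the mirror image of each selector, so the
    # reply (mailserver -> client) is tunneled only if it matches in reverse.
    mirrored = [(remote, local) for local, remote in selectors]
    return selects(src, dst, selectors) and selects(dst, src, mirrored)


if __name__ == "__main__":
    for name, sel in (("LAN-to-LAN P2", LAN_TO_LAN), ("0.0.0.0/0 P2", ANY_TO_OFFICE)):
        print(f"{name:14}: tunneled = {forwarded_over_ipsec(CLIENT, COLO_VIP, MAILSERVER, sel)}")
```

With the LAN-to-LAN selector the DNAT'd packet is never encrypted because its source is not in the colo LAN; with 0.0.0.0/0 as the local side it is, at the cost of pulling every office-bound flow through the tunnel.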
Updated by Dan Tentler about 6 years ago
The configuration in the office is already set to do 0.0.0.0/0 routing (all traffic from the office is tunneled out via the ipsec link). Is there something I can try beyond the standard nat configs at the colo firewall?