×
INTELLIGENT WORK FORUMS
FOR COMPUTER PROFESSIONALS

Log In

Come Join Us!

Are you a
Computer / IT professional?
Join Tek-Tips Forums!
  • Talk With Other Members
  • Be Notified Of Responses
    To Your Posts
  • Keyword Search
  • One-Click Access To Your
    Favorite Forums
  • Automated Signatures
    On Your Posts
  • Best Of All, It's Free!
  • Students Click Here

*Tek-Tips's functionality depends on members receiving e-mail. By joining you are opting in to receive e-mail.

Posting Guidelines

Promoting, selling, recruiting, coursework and thesis posting is forbidden.

Students Click Here

Jobs

SNAT DNAT (duplicate subnets)

SNAT DNAT (duplicate subnets)

SNAT DNAT (duplicate subnets)

(OP)
I have spun my wheels all I can on this, and I really need some help.  I am not even going to bother typing where I am, because I think I am so lost it is not even funny.

Here is what I have...

10.1.0.0/16
10.188.136.0/22

Both are internal vlans that are routable to each other.  My Linux box sits on 10.1.20.27 and its route to get to the 10.188.136.0 is 10.1.22.39.

I need to build a VPN tunnel to a remote network.  I have this part working.  Problem is, we have overlapping address schemes.  So they have assigned me to use 172.30.6.32/29 via NAT, more specifically I am going to use 172.30.6.33 for my side.  The server I am trying to connect them to is 10.188.136.160.  The destination that this machine has to be able to send to is 10.1.123.240, on their network.  (this address is a usable address on my network, hence the second need for NAT)

So what I need to be able to do is this...

Be able to send data from 10.188.136.160 to the remote 10.1.123.240.  10.188.136.160 default routes to 10.188.136.1, which routes to 10.1.20.27 (my Linux box which already has the tunnel up and running)

Can someone please guide me through this.  I have read every scrap of material I can get my eyes on, but I am just not understanding something.

RE: SNAT DNAT (duplicate subnets)

In order to give you a more detailed reply, I will need to more fully read through the IP maize you describe.  However, at first glance, the conflicting address ranges sounds like it is a real problem and this can keep you from being able to connect.

Remember, that addresses in the 10. range will not default to a public route, so you will need to join them via a VPN tunnel.  Having established a tunnel, your routing table needs to be configured with the device (your VPN device) that knows how to route traffic there.  

I think you have  problem where the address range is designated as belonging to multiple adapters with different routing domains: one local, one virtual.  As a result, traffic will get lost as there is no way to distinguish whether it should go to the VPN or to the local LAN.

 

RE: SNAT DNAT (duplicate subnets)

(OP)
I probably could have done a better job to explain all of this.  I was in a bit of a hurry to explain all of this.

Firewall address - 10.1.20.27
Local LANs - 10.1.0.0/16 & 10.188.136.0/22

Current VPN tunnel is established to remote network.
Tunnel - Local 172.30.6.33/32 ---> Remote 10.1.123.240/32

As you can see, they have assigned me to NAT my address.  I have already built my tunnel and it is up and connected.  Obviously no data is passing because of all of the addressing concerns.

Best I can tell, I need to build a dummy interface on the firewall using the address scheme 172.30.6.33.  This would make the address a valid address, making it visible to the remote network over the tunnel, right?  They actually gave me an entire range, 172.30.6.32/29, so if I need extras to build a default route, I can do that as well.

Assuming what I am thinking is correct about the dummy interface, my next thought would be to use iptables DNAT and SNAT to redirect the source address and destination addresses two and from the remote network using the 172.30.6.32 address from the firewall.

Basically telling iptables to take anything from the remote 10.1.123.240/32 and readdress the source address to 172.30.6.33 and send it to the destination on the network, 10.188.136.160.

Next I would have to build another SNAT/DNAT to accept connections on the firewall address 172.30.6.33 from my internal host 10.188.136.160.  iptables would have to readdress the source address as 172.30.6.32 and readdress the destination address as 10.1.123.240 over the IPSec tunnel.

I realize I would probably have to build a route on the firewall for the 10.1.123.240/32 because the firewall would get confused and think that the address is on the local lan.  How would I do that as well?  I have the interface ipsec0, so I am assuming I would just build the route for 10.1.123.240/32 dest to dev interface ipsec0?

Thanks for any and all help.  I am very comfortable with tunnels and routing, but this who DNAT and SNAT with duplicate networks is just a little over my head.  I am anxious to learn though, and think this is extremely interesting to build and learn from.

Ken

 

RE: SNAT DNAT (duplicate subnets)

(OP)
bump

RE: SNAT DNAT (duplicate subnets)

(OP)
I was able to resolve the issue.  Here are the lines of code I used to accomplish this, and allow me to establish a VPN connection to a remote site that used a duplicate address scheme/range.

This line is to create a new adapter, or new interface.  I am using the lo, which is the loopback adapter.  I used my own made up address, but feel free to use your own.

CODE

ifconfig lo:1 172.30.6.33 netmask 255.255.255.255

CODE

iptables -t nat -A PREROUTING -d 172.30.6.33/32 -p tcp --dport 7050 -j DNAT --to <Remote IP Address>

CODE

iptables -t nat -A POSTROUTING -d <Remote IP Address> -s <Internal IP Address sending data> -p tcp --dport 7050 -j SNAT --to 172.30.6.33

After creating these rules, I just built a tunnel in OpenSWAN.  The local subnet was 172.30.6.33/32 and the remote subnet was <Remote IP Address>/32.  As you can see, I set this up for port 7050, but you can use your own port, or I believe you can use a range by specifying 7050-7060...

I hope this helps someone, as I was desperate for a solution, and I couldn't find anyone that has posted and documentation on how to do this.  I read documentation on OpenSwan and FreeSwan and they both specified that you had to have separately numbered networks, and they could not have an overlap in IP address ranges.  Example, both using 192.168.1.0/255.255.255.0.  By using this technique, I was able to do just that, and to them, I appeared as a complete different address.  To me, they appeared as this bogus address as well, making it very nice.

The best part is, I feel more secure than just a wide open tunnel.  Before I would have just had a wide open tunnel to that internal IP address.  But now I am using SNAT and DNAT and am only forwarding packets that are the right ports.  All other traffic will be dropped at the VPN server.

If this does help, please mark it at the bottom!

Good luck!

RE: SNAT DNAT (duplicate subnets)

I am giving you a star, both for posting the solution you discovered and for the creativity of your solution.  Creating an alias loop back interface and then creating a NAT bridge on it - really good thinking!
 

Red Flag This Post

Please let us know here why this post is inappropriate. Reasons such as off-topic, duplicates, flames, illegal, vulgar, or students posting their homework.

Red Flag Submitted

Thank you for helping keep Tek-Tips Forums free from inappropriate posts.
The Tek-Tips staff will check this out and take appropriate action.

Reply To This Thread

Posting in the Tek-Tips forums is a member-only feature.

Click Here to join Tek-Tips and talk with other members!

Close Box

Join Tek-Tips® Today!

Join your peers on the Internet's largest technical computer professional community.
It's easy to join and it's free.

Here's Why Members Love Tek-Tips Forums:

Register now while it's still free!

Already a member? Close this window and log in.

Join Us             Close