3/9/2023

Mcafee vpn nat traversal

Topology for both scenarios: this MX is part of the site-to-site VPN. A host on the corporate VLAN with an IP address of 192.168.128.44 is communicating with a web server at 172.16.30.8 across the site-to-site VPN; the web server is connected locally to another MX security appliance. The 192.168.128.0/24 subnet is allowed in the site-to-site VPN.

In the VPN subnet translation scenario, devices and users in the 192.168.128.0/24 subnet at both locations need to access resources across the site-to-site VPN. To avoid address and routing conflicts, 192.168.128.0/24 has been configured to be translated to 10.15.30.0/24.

When 192.168.128.44 attempts to send traffic to the web server across the VPN, the MX evaluates the source IP address, finds it within the local subnet 192.168.128.0/24, and determines that a translation must be performed. With VPN subnet translation configured, the MX checks the source IP address against an address translation table and maps the client's IP to the equivalent IP in the translated subnet. When the client's traffic egresses the site-to-site VPN, it has a source IP address of 10.15.30.44.

The translated subnet is automatically advertised to all remote site-to-site VPN participants. For the web server at 172.16.30.8 to communicate with the client, its traffic must therefore be sent to 10.15.30.44 (the equivalent IP offset within the translated subnet). When that traffic is received by the web server's local MX, it is routed to the appropriate remote MX, and the destination IP address is translated back to 192.168.128.44 before the traffic egresses the MX's LAN.

In the 1:Many (1:M) NAT for site-to-site VPN scenario, the goal is instead to conserve IP space across the VPN: 192.168.128.0/24 has been configured to be translated to the single address 10.15.30.18.

As before, when 192.168.128.44 attempts to send traffic to the web server across the VPN, the source IP address is found to be within the local subnet 192.168.128.0/24, so a translation must be performed. With 1:M NAT for site-to-site VPN configured, the MX checks the source IP address against the address translation table and maps it to the IP address specified in the VPN subnet. When the client's traffic egresses the site-to-site VPN, it has a source IP address of 10.15.30.18.

The translated address (10.15.30.18 in this example) is automatically advertised to all remote site-to-site VPN participants. Response traffic from the web server must be sent to the client using a destination IP address of 10.15.30.18. When that traffic is received by the web server's local MX, it is routed to the appropriate remote MX.
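The two translation behaviours described above, modelled in Python as an added example (this is not Meraki code and does not reflect MX internals). The subnets and hosts are the ones from the page; the function and class names, the port range, and the use of a per-connection state table keyed on the translated source port for the 1:Many case are assumptions, since the page only states that return traffic must be addressed to 10.15.30.18 and does not describe how the MX picks the original host. The example also makes explicit two checks a practitioner would want: the two subnets in subnet translation must have the same prefix length for the "equivalent offset" mapping to be well defined, and unsolicited inbound traffic to the 1:Many address with no matching state has nowhere to go.

```python
"""Model of MX site-to-site VPN subnet translation and 1:Many NAT for VPN.

Added illustrative example, not Meraki code. Addresses come from the page;
the names below and the port-based state table are assumptions.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

LOCAL_SUBNET = ipaddress.ip_network("192.168.128.0/24")       # corporate VLAN
TRANSLATED_SUBNET = ipaddress.ip_network("10.15.30.0/24")     # VPN subnet translation target
ONE_TO_MANY_ADDR = ipaddress.ip_address("10.15.30.18")        # 1:Many NAT for VPN target

# The "equivalent IP offset" mapping only makes sense if both subnets are the same size.
assert LOCAL_SUBNET.prefixlen == TRANSLATED_SUBNET.prefixlen, "subnet sizes must match"


def advertised_prefix(mode: str) -> str:
    """What this MX advertises to remote VPN participants in each mode."""
    if mode == "subnet_translation":
        return str(TRANSLATED_SUBNET)
    if mode == "one_to_many":
        return f"{ONE_TO_MANY_ADDR}/32"
    raise ValueError(f"unknown mode {mode!r}")


def subnet_translate_outbound(src: str) -> str:
    """Map a local source IP to the same offset inside the translated subnet.

    Addresses outside the local subnet are returned unchanged: no translation
    is required for them.
    """
    ip = ipaddress.ip_address(src)
    if ip not in LOCAL_SUBNET:
        return src
    offset = int(ip) - int(LOCAL_SUBNET.network_address)
    return str(TRANSLATED_SUBNET.network_address + offset)


def subnet_translate_inbound(dst: str) -> str:
    """Reverse mapping applied to return traffic before it egresses the LAN."""
    ip = ipaddress.ip_address(dst)
    if ip not in TRANSLATED_SUBNET:
        return dst
    offset = int(ip) - int(TRANSLATED_SUBNET.network_address)
    return str(LOCAL_SUBNET.network_address + offset)


@dataclass
class OneToManyNat:
    """All hosts in LOCAL_SUBNET share one VPN-side address.

    Because many hosts collapse onto one IP, the only way to route a reply back
    is per-connection state keyed on the translated source port (assumption).
    """
    nat_addr: ipaddress.IPv4Address = ONE_TO_MANY_ADDR
    next_port: int = 40000  # assumed ephemeral port pool start
    by_nat_port: Dict[int, Tuple[str, int]] = field(default_factory=dict)
    by_original: Dict[Tuple[str, int], int] = field(default_factory=dict)

    def outbound(self, src_ip: str, src_port: int) -> Tuple[str, int]:
        """Translate (src_ip, src_port) to (nat_addr, nat_port), creating state."""
        if ipaddress.ip_address(src_ip) not in LOCAL_SUBNET:
            return src_ip, src_port
        key = (src_ip, src_port)
        if key not in self.by_original:
            nat_port = self.next_port
            self.next_port += 1
            self.by_nat_port[nat_port] = key
            self.by_original[key] = nat_port
        return str(self.nat_addr), self.by_original[key]

    def inbound(self, dst_ip: str, dst_port: int) -> Optional[Tuple[str, int]]:
        """Map a reply to the original host, or None if there is no state (drop)."""
        if ipaddress.ip_address(dst_ip) != self.nat_addr:
            return dst_ip, dst_port
        return self.by_nat_port.get(dst_port)


if __name__ == "__main__":
    # Constructed walk-through using the page's hosts.
    print("subnet translation:", "192.168.128.44 ->", subnet_translate_outbound("192.168.128.44"))
    print("reply:", "10.15.30.44 ->", subnet_translate_inbound("10.15.30.44"))
    nat = OneToManyNat()
    print("1:M outbound:", nat.outbound("192.168.128.44", 51000))
    print("1:M reply:", nat.inbound("10.15.30.18", 40000))
    print("1:M unsolicited:", nat.inbound("10.15.30.18", 40001))
```

Running the block prints the 10.15.30.44 / 192.168.128.44 pair for subnet translation and shows why, in the 1:Many case, a reply to 10.15.30.18 can only be delivered when a matching outbound connection already exists.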