Fireware How To
VPN
How do I use 1-to-1 NAT through a BOVPN tunnel?
Introduction
When you create a branch office VPN tunnel between two networks that use the same private IP address range, an IP
address conflict occurs. To prevent this, both networks must apply 1-to-1 NAT (Network Address Translation) to the
VPN. This makes the IP addresses on your computers appear to be different from their true IP addresses when traffic
goes through the VPN.
1-to-1 NAT maps one or more IP addresses in one range to a second IP address range of the same size. Each IP
address in the first range maps to one and only one unique IP address in the second range. In this document, we call
the first range the real IP addresses and we call the second range the masqueraded IP addresses.
With 1-to-1 NAT through a BOVPN tunnel, this occurs:
When a computer in your network sends traffic to a computer at the remote network, the Firebox changes the
source IP address of the traffic to an IP address in the masqueraded IP address range. The remote network sees
the masqueraded IP addresses as the source of the traffic.
When a computer at the remote network sends traffic to a computer at your network through the VPN, the
remote office sends the traffic to the masqueraded IP address range. The Firebox changes the destination IP
address to the correct address in the real IP address range and then sends the traffic to the correct destination.
Note
1-to-1 NAT through a VPN affects only the traffic that goes through that VPN. The rules you see in your Policy
Manager at Network > NAT do not affect traffic that goes through a VPN.
Why else would I use 1-to-1 NAT through a VPN?
In addition to the situation described previously, you would also use 1-to-1 NAT through a VPN if the network to
which you want to make a VPN already has a VPN to a network that uses the same private IP addresses you use in
your network.
An IPSec device cannot route traffic to two different remote networks when the two networks use the same private
IP addresses. You do 1-to-1 NAT through the VPN so that the computers in your network appear to have different
(masqueraded) IP addresses. However, unlike the situation described at the beginning of this document, you need to
do NAT only on your side of the VPN instead of both sides.
A similar situation exists when two remote offices use the same private IP addresses and both remote offices want to
make a VPN to your Firebox. In this case, one of the two remote offices must do NAT through its VPN to your Firebox to
resolve the IP address conflict.
Alternative without using NAT
If your office uses a very common private IP address range such as 192.168.1.x or 192.168.0.x, it is very likely that you
will have a problem with IP address conflicts in the future. These ranges are very common for the home broadband
user and for smaller offices. You might consider changing to a less common address range.
Is there anything I need to know before I start?
This document does not show you all the details of how to set up a Branch Office VPN (BOVPN). For more information
about how to create a BOVPN tunnel or apply BOVPN tunnel policies, see:
https://www.watchguard.com/support/Fireware_HowTo/HowTo_ManualBOVPN.pdf
You must select a range of IP addresses that your computers show as the source IP addresses when traffic comes
from your network and goes to the remote network through the BOVPN. Consult with the network administrator at
the other network to select a range that does not exist at your network or the remote network.
Do not use any of these IP addresses:
Trusted, optional, or external network connected to your Firebox
Secondary network connected to a trusted, optional, or external interface of your Firebox
Routed network configured in your Policy Manager (Network > Routes)
Network to which you already have a BOVPN tunnel
Any virtual IP addresses you use for PPTP or MUVPN
Network that the remote IPSec device can reach through its interfaces, network routes, or VPN routes
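Checking a candidate masqueraded range against every item in that list is tedious by hand and easy to get wrong when a route covers a larger block than the range you are testing. The script below is an added example written for this page, not WatchGuard code or tooling: it uses Python's ipaddress module to test a candidate against a constructed inventory of the address space in use on the local Firebox (trusted, optional and external interfaces, secondary networks, Network > Routes entries, other BOVPN tunnel networks, the PPTP/MUVPN virtual IP pool) and the networks the remote administrator reports as reachable. All network values in the inventories are hypothetical placeholders; substitute your own.

```python
"""Check a candidate masqueraded range for overlaps with address space already
in use on either side of the tunnel (added example, not WatchGuard tooling)."""
import ipaddress

# Constructed inventory for the local Firebox; every value here is hypothetical.
LOCAL_INVENTORY = {
    "trusted interface": ["192.168.1.0/24"],
    "optional interface": ["192.168.2.0/24"],
    "external interface": ["203.0.113.0/29"],
    "secondary network": ["10.10.0.0/24"],
    "Network > Routes": ["10.20.0.0/16"],
    "existing BOVPN tunnel": ["172.16.5.0/24"],
    "PPTP/MUVPN virtual IP pool": ["192.168.254.0/24"],
}

# Constructed inventory as the remote administrator would report it (hypothetical):
# what the remote IPSec device reaches through its interfaces, routes and VPN routes.
REMOTE_INVENTORY = {
    "remote trusted network": ["192.168.1.0/24"],
    "remote route": ["10.30.0.0/24"],
    "remote VPN route": ["172.16.8.0/24"],
}


def conflicts(candidate, *inventories):
    """Return (label, network) for every in-use network that overlaps the
    candidate range. The test is overlap, not equality, so a candidate that
    sits inside a larger routed block, or contains a smaller one, is caught too."""
    cand = ipaddress.ip_network(candidate, strict=False)
    return [
        (label, str(net))
        for inventory in inventories
        for label, nets in inventory.items()
        for net in (ipaddress.ip_network(n, strict=False) for n in nets)
        if cand.overlaps(net)
    ]


def usable(candidate, *inventories):
    """True when the candidate masqueraded range collides with nothing listed."""
    return not conflicts(candidate, *inventories)


if __name__ == "__main__":
    for cand in ("192.168.100.0/24", "192.168.1.0/24", "10.20.7.0/24", "172.16.0.0/20"):
        hits = conflicts(cand, LOCAL_INVENTORY, REMOTE_INVENTORY)
        verdict = "usable" if not hits else "conflicts: " + "; ".join(f"{l} {n}" for l, n in hits)
        print(f"{cand:18} {verdict}")
```

Add the remote office's own masqueraded range to REMOTE_INVENTORY when both sides do NAT, so the two masqueraded ranges cannot collide with each other either.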
Configure the VPN
To illustrate this procedure we use an example in which two companies, Company A and Company B, want to make a
Branch Office VPN between their trusted networks. Both companies use a Firebox running Fireware appliance software.
Both companies use the same IP addresses for their trusted networks, 192.168.1.0/24.
Each company's Firebox uses 1-to-1 NAT through the VPN. Company A sends traffic to Company B's masqueraded
range, so that traffic leaves Company A's local subnet instead of colliding with it. Likewise, Company B sends traffic to
the masqueraded range that Company A uses. This solves the IP address conflict at both networks.
The two companies agree that:
Company A makes its trusted network appear to come from the 192.168.100.0/24 range when traffic goes
through the VPN. This is Company A's masqueraded IP address range for this VPN.
Company B makes its trusted network appear to come from the 192.168.200.0/24 range when traffic goes
through the VPN. This is Company B's masqueraded IP address range for this VPN.
Configure a Branch Office gateway on each Firebox
The first step is to make a gateway that identifies the remote IPSec device. For information about how to make a
Branch Office Gateway for each Firebox, see:
http://www.watchguard.com/support/Fireware_HowTo/HowTo_ManualBOVPN.pdf
When you make the Branch Office gateway, it appears in the list of gateways in your Policy Manager. To see the list of
gateways, from Policy Manager, select VPN > Branch Office Gateways.
In our example, Company A labels the gateway for this VPN "Company B", and Company B labels its gateway for this VPN
"Company A", as shown below:
[Figure: Company A's list of Gateways; Company B's list of Gateways.]
Configure the local Branch Office Tunnel
To add the tunnel to the Firebox at the local network:
1 From Policy Manager select VPN > Branch Office Tunnels.
The Branch Office IPSec Tunnels dialog box appears:
2 Click the Add button.
The New Tunnel dialog box appears:
3 Give the tunnel a descriptive name.
The example uses CompanyB.
4 From the Gateway drop-down list, select the gateway that points to the remote office's IPSec device.
The example uses the gateway called CompanyB.
5 Examine the Phase 2 settings area. Make sure the Phase 2 settings match what the remote office uses for Phase 2.
6 Click the Add button to add the local-remote pair.
The Local-Remote Pair Settings dialog box appears:
7 In the Local box, type the real IP address range of the local computers that use this VPN.
Our example uses 192.168.1.0/24.
8 In the Remote box, type the private IP address range that the local computers send traffic to.
In our example, the remote office Company B does 1-to-1 NAT through its VPN. This makes Company B's computers appear to
come from Company B's masqueraded range, 192.168.200.0/24. The local computers at Company A therefore send traffic to
Company B's masqueraded IP address range, not to 192.168.1.0/24.
If the remote network does not do NAT through its VPN (as in the descriptions in the Why else would I use 1-to-1 NAT
through a VPN? section), you type the real IP address range in the Remote box.
9 Select the 1:1 NAT check box and type this office's masqueraded IP address range. This is the range of IP
addresses that this Firebox's computers show as the source IP address when traffic comes from this Firebox and
goes to the other side of the VPN. (Note that the 1:1 NAT check box is not immediately available. It becomes
available after you type a valid host IP address, a valid network IP address, or a valid host IP address range in the
Local box.)
Company A uses 192.168.100.0/24 for its masqueraded IP address range.
The Local-Remote Pair Settings window for Company A's Branch Office Tunnel to Company B looks like this when complete:
Note
The number of IP addresses included in the 1:1 NAT box must be exactly the same as the number of IP addresses in
the Local box at the top of this window. For example, if you use a slash to indicate a subnet, the value after the slash
must be the same in the Local box as the value after the slash in the 1:1 NAT box.
10 Click OK.
Policy Manager adds a new policy to the Branch Office VPN tab.
11 Save this configuration to the Firebox.
If you need to do 1-to-1 NAT on your side of the VPN only (as in the descriptions in the Why else would I use 1-to-1
NAT through a VPN? section), you can stop here. The device at the other end of the VPN must configure its VPN to
accept traffic from your masqueraded range.
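The translation described in the Introduction, and the size rule in the Note above, can be modelled so that both offices' Local-Remote Pair Settings are checked against each other before either tunnel is saved. The code below is an added example in Python, not Fireware code. The ranges come from the Company A / Company B agreement earlier on this page; the LocalRemotePair class, the round_trip function, the host addresses 192.168.1.10 and 192.168.1.20, and the 10.5.0.0/24 remote network used for the one-sided case are assumptions for illustration. The one-sided pair shows the situation just described, where only your Firebox does NAT and the other IPSec device simply lists your masqueraded range as the far end of its tunnel.

```python
"""Model of 1-to-1 NAT through a BOVPN tunnel (added example, not Fireware
code). A LocalRemotePair mirrors the Local-Remote Pair Settings dialog:
Local = real range, Remote = range the local hosts send to, nat = this office's
masqueraded range (None when the 1:1 NAT box is left unchecked)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


def _net(text):
    return ipaddress.ip_network(text, strict=False)


def _shift(addr, src_net, dst_net):
    """Offset-preserving 1-to-1 mapping: host N of src_net -> host N of dst_net."""
    offset = int(ipaddress.ip_address(addr)) - int(src_net.network_address)
    return str(dst_net[offset])


@dataclass(frozen=True)
class LocalRemotePair:
    local: str
    remote: str
    nat: Optional[str] = None

    def __post_init__(self):
        local, remote = _net(self.local), _net(self.remote)
        if local.overlaps(remote):
            raise ValueError(f"Local {local} overlaps Remote {remote}: "
                             "this is the address conflict 1-to-1 NAT is meant to remove")
        # The Note in the procedure: the 1:1 NAT range must hold exactly as many
        # addresses as the Local range, i.e. the same value after the slash.
        if self.nat is not None and _net(self.nat).prefixlen != local.prefixlen:
            raise ValueError(f"1:1 NAT range {self.nat} is not the same size as Local {local}")

    def outbound(self, src, dst):
        """Packet leaving this office into the tunnel: the Firebox changes the
        real source to the masqueraded one. Traffic that does not match this
        pair, or a pair without NAT, passes through unchanged."""
        if (self.nat is not None
                and ipaddress.ip_address(src) in _net(self.local)
                and ipaddress.ip_address(dst) in _net(self.remote)):
            return _shift(src, _net(self.local), _net(self.nat)), dst
        return src, dst

    def inbound(self, src, dst):
        """Packet arriving from the tunnel addressed to the masqueraded range:
        the Firebox changes the destination back to the real address."""
        if (self.nat is not None
                and ipaddress.ip_address(dst) in _net(self.nat)
                and ipaddress.ip_address(src) in _net(self.remote)):
            return src, _shift(dst, _net(self.nat), _net(self.local))
        return src, dst


# Both sides of the example tunnel, as agreed by the two companies.
COMPANY_A = LocalRemotePair("192.168.1.0/24", "192.168.200.0/24", nat="192.168.100.0/24")
COMPANY_B = LocalRemotePair("192.168.1.0/24", "192.168.100.0/24", nat="192.168.200.0/24")

# One-sided case (hypothetical 10.5.0.0/24 remote): only our side translates; the
# remote IPSec device lists our masqueraded range as the far end and does no NAT.
ONE_SIDED_LOCAL = LocalRemotePair("192.168.1.0/24", "10.5.0.0/24", nat="192.168.100.0/24")
ONE_SIDED_REMOTE = LocalRemotePair("10.5.0.0/24", "192.168.100.0/24")


def round_trip(here, there, src, dst):
    """Trace a packet from host src behind `here` to dst (the address local
    hosts use for the far end) and its reply. Returns the (src, dst) pairs seen
    on the wire, at the far host, on the return wire and back at the origin."""
    on_wire = here.outbound(src, dst)
    at_far_host = there.inbound(*on_wire)
    reply_wire = there.outbound(at_far_host[1], at_far_host[0])
    back_home = here.inbound(*reply_wire)
    return on_wire, at_far_host, reply_wire, back_home


if __name__ == "__main__":
    cases = (("A -> B", COMPANY_A, COMPANY_B, "192.168.200.20"),
             ("one-sided", ONE_SIDED_LOCAL, ONE_SIDED_REMOTE, "10.5.0.7"))
    for label, here, there, dst in cases:
        for stage, pkt in zip(("wire", "far host", "reply wire", "home"),
                              round_trip(here, there, "192.168.1.10", dst)):
            print(f"{label:10} {stage:10} src={pkt[0]:16} dst={pkt[1]}")
```

The far host only ever sees the masqueraded source, so a firewall policy on the remote Firebox must name 192.168.100.0/24 (not 192.168.1.0/24) to match Company A's traffic; the same applies in reverse for Company B.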
Configure the remote Branch Office Tunnel
1 Use Step 1 through Step 6 in the previous section to add the tunnel to the remote Firebox's Policy Manager.
2 In Step 4, select the gateway you added to the remote Firebox's configuration that points to the local Firebox. Be
sure to make the Phase 2 settings match.
After you do Steps 1 through 6, you have a blank Local-Remote Pair Settings dialog box for the remote office's
new tunnel.
3 For Step 7 in the previous section, in the Local box, type the real IP address range of the local computers that use
this VPN.
Our example uses 192.168.1.0/24.
4 In the Remote box, type the private IP address range that the computers at the remote office (Company B in our
example) send traffic to.
In our example, Company A does 1-to-1 NAT through its VPN. This makes Company A's computers appear to come from
Company A's masqueraded range, 192.168.100.0/24. The local computers at Company B send traffic to Company A's
masqueraded IP address range.
5 Select the 1:1 NAT check box and type this company's masqueraded IP address range. This is the range of IP
addresses that this Firebox's computers show as the source IP address when traffic comes from this Firebox and
goes to the other side of the VPN.
Company B uses 192.168.200.0/24 for its masqueraded IP address range.
The Local-Remote Pair Settings dialog box for Company B's Branch Office tunnel to Company A looks like this when complete:
6 Click OK.
Policy Manager adds a new policy to the Branch Office VPN tab.
Frequently Asked Questions About This Procedure
Do I need to configure anything at Network > NAT (Network > Firewall NAT in earlier versions)?
No. When you configure 1-to-1 NAT through a VPN, it affects only the traffic that goes through that VPN. The rules
you see in Policy Manager at Network > NAT do not affect traffic that goes through a VPN.
I need to translate all my internal IP addresses to one IP address when traffic goes across the VPN. How do I
do that?
To do this, you must set up dynamic NAT through the VPN. See this article:
https://www.watchguard.com/support/Fireware_Howto/HowTo_UseDNAT_through_BOVPN.pdf
I want to make a VPN to another IPSec device that cannot do NAT over a VPN. The office to which I want to
make a VPN uses the same private IP addresses that I use. What can I do?
In this case, one of the two offices must change its private IP addresses.
SUPPORT:
www.watchguard.com/support
U.S. and Canada +877.232.3531
All Other Countries +1.206.613.0456
COPYRIGHT 2006 WatchGuard Technologies, Inc. All rights reserved.
WatchGuard, the WatchGuard logo, Firebox, and Core are registered trademarks or trademarks of WatchGuard Technologies,
Inc. in the United States and/or other countries.