
I'm trying to set up an IPsec connection between two sites: our Azure network and our client's local network. To be flexible and avoid any current or potential future IP range overlaps I want to "NAT away" some networks of one (or both) sides of the tunnel. Unfortunately, sometimes these overlaps cannot be avoided since we cannot force our clients to change their network configuration.

To make it a bit more complex, I want to be able to NAT only some of the devices in certain networks, not the network as a whole. This gives the maximum flexibility, as some of our clients can't or don't want to reserve a network of the same size as the one we use, and they only need access to certain devices/computers. I.e. it's probably not necessary for them to access the database server; the web servers are enough.

Here's an example (Site A would be us, Site B is a client):

[Image: Example of network topology]

How can this "NAT magic" happen? We are using an OPNsense appliance in Azure, as the resources our clients need to access are there.

Can I do this on the OPNsense, where the IPsec tunnel is configured or do I need a second device for that?

Thanks for any hint!

Arjen
  • Not an answer but sound advice: *renumber* duplicate IP ranges. It may be some pain but there's an end to it, unlike double source & destination NAT... – Zac67 Aug 15 '19 at 13:56
  • NAT is to be avoided if at all possible. You should properly address the various sites so that there are no overlapping networks. Companies that merge face this problem, and they can _temporarily_ use outside source NAT (different from the usual inside source NAT), but they will readdress to correct the situation as soon as possible. See [this answer](https://networkengineering.stackexchange.com/a/41669/8499) for an explanation. – Ron Maupin Aug 15 '19 at 13:57
  • The problem is that we cannot control all networks we have connections with, as they are our customers. I am aware that it would be nicer to avoid duplications, but I think we cannot avoid it at a certain point. Additionally, we sometimes have quite large networks defined on our end and the clients cannot or do not want to map such big networks. – Arjen Aug 15 '19 at 14:37
  • If they are customers, then perhaps the Shared address space is more appropriate for you than Private address space. You really do not want to set up the NAT as a permanent solution. – Ron Maupin Aug 15 '19 at 14:47
