Description:
Unified Firewalls always use the IP address of the first active interface (usually eth0) as the sender address when using an internal service to communicate with a device connected via IKEv2. If the IP address assigned to the first active interface is not included in the VPN rules (e.g. the Internet connection is often set up on eth0), data cannot be sent over the VPN connection and communication is not possible.
In order to enable communications with the external device, the Unified Firewall must mask the packets intended for the external device with an IP address that is included in the VPN rules.
This article describes how to set up masking to the external device and so enable communications again.
Requirements:
- LANCOM R&S®Unified Firewallas of LCOS FX 10.12
- A configured and functional Internet connection on each Unified Firewall
- Functional IKEv2 connection
- Web browser for configuring the Unified Firewall.
The following browsers are supported: - Google Chrome
- Chromium
- Mozilla Firefox
Scenario:
Two Unified Firewalls are interconnected via an IKEv2 connection:
- The local network at the headquarters has the IP address range 192.168.100.0/24.
- The local network at the branch office has the IP address range 192.168.200.0/24 including the IP address 192.168.200.254.
- At the Headquarters, there is a syslog server with the IP address 192.168.100.100.
- The Unified Firewall at the branch office should send its syslog data to the syslog server at the headquarters.
- To enable communications between the Unified Firewall at the branch office and the syslog server, the packets sent to the syslog server must be masked behind the local IP address of the Unified Firewall at the branch office (192.168.200.254).
Procedure:
1) In the menu bar for the desktop objects, click on the icon to create a new network.
2) Modify the following parameters and then click Create:
- Name: Enter a descriptive name for the network object (in this example Unified-Firewall).
- Interface: From the drop-down menu, select the option any. This makes sense because the actual first active interface may be different.
- Network IP: Enter the address 0.0.0/0. This makes sense because the IP address of the first active interface may be assigned dynamically (DHCP or PPPoE).
3) In the menu bar for the desktop objects, click on the icon to create a new host.
4) Modify the following parameters and then click Create:
- Name: Enter a descriptive name for the host object (in this example Syslog-Server).
- Interface: From the drop-down menu, select the option any. This makes sense because the interface that the local network is assigned to (for which VPN rules also exist) can differ between scenarios.
- Network IP: Enter the IP address of the device that the Unified Firewall should communicate with via the VPN tunnel(in this example 192.168.100.100).
5) Change to the menu Desktop → Services → User-defined Services and click on the “+” icon to create a user-defined service.
6) Assign a descriptive name for the service and click on the "+” icon to assign ports and protocols to the service.
7) Use Port From and To to set the port or range of ports, and use Protocols to set the protocol. Then click OK.
For this example we are using UDP port 514 (syslog). You can assign multiple ports and various protocols to a service. |
8) Click on Create.
9) On the desktop, click the network object created in step 2, select the “connection tool”, and click the host object created in step 4.
10) Use the “+” icon to add the user-defined service created in step 7.
11) Under the Options for the service, click None to access the advanced settings.
12) Modify the following parameters and then click OK:
- For NAT, select the option Use Service Specific Settings.
- Set the NAT / Masquerading to the option left-to-right.
- In the NAT Source IP field, enter the IP address of the Unified Firewall in the local network (in this example 192.168.200.254). This IP address must be included in the VPN rules. The Unified Firewall will then use this IP address to mask communication to the device connected via VPN.
13) Click on Create.
14) Finally, implement the changes by clicking Activate.
