Connecting VPN networks to the same broadcast domains (IP ranges)
Last adaptation: 04.2023 (v.12.3.6)
New:
Last updated: 09.2023
  • Corrected zone for the network object netmap_localnet
This article refers to a Resellerpreview

Access: UTM-IP:Port or UTM-URL:Port
Port as configured at Network / Appliance Settings / Webserver
Default port: 11115
e.g.: https://utm.ttt-point.de:11115
Default: https://192.168.175.1:11115
Menus used: (1.) → Firewall → Portfilter; (2.) → VPN → IPSec

Introduction

If the same subnet is used on both sides of a VPN connection, the connection normally cannot be set up.
In addition, the same network may be in use behind several different remote peers.
With the NAT type NETMAP and auxiliary networks (map networks) that are not in use at any of the remote peers to be connected, such connections can still be set up without completely renumbering the subnet on one of the sides.

  • A NETMAP is only ever an auxiliary solution, for cases where none of the networks involved can be converted to another network with reasonable effort.
  • NETMAP configurations in the head office for more than one remote station should be avoided.


  • NATing complete subnets with NETMAP

    Open → Firewall → Portfilter, tab Network objects.

    Preparations

     Head office &  Branch office

    To use the NETMAP function, the following conditions have to be observed:

  • The subnets of the objects involved in NETMAP must all have the same size, for example all /24.
  • All objects involved must have a defined network IP address entered, so no interfaces may be selected.
    Convert a network object that is still defined by an interface to an address: no interfaces may be selected to define the network object.
    Check the network object of the internal network and, if necessary, enter the network IP of the internal network to be mapped as target.
    In this example, the network 172.16.3.0/24 is used on both sides.


  • Initial conditions

    Head office and branch have the same subnetwork

    In this case, the mapping must be set up on both sides of the connection.

                      Local network    Public IP      Netmap
    Head office:      172.16.3.0/24    192.0.2.192    10.0.1.0/24
    Branch office:    172.16.3.0/24    192.0.2.193    10.0.2.0/24

  • If a local network IP is specified for the branch with which it connects to the tunnel to the head office, this must be used as the netmap IP.
  • The connection is to be established via IPSec.




    Create VPN connection

     Head office
     Head office, step 3 with the local map network of the head office
     Head office, step 4 with the remote map network of the branch office

    Create an IPSec site-to-site VPN connection, as described in the Wiki for the → VPN → IPSec menu, with the Add IPSec connection button.

  • In step 3, the local map network of the head office must be released.
    Here »10.0.1.0/24
  • In step 4, the public IP of the branch is required as Remote Gateway:
    and the remote map network of the branch is required as the shared network.
    Here »10.0.2.0/24 (Replace with the default network IP of the branch, if necessary.)

  •  Branch office
     Branch office, step 4 with the remote map network of the head office
     Branch office, accessibility of hosts of the remote station

    Create an IPSec site-to-site VPN connection, as described in the Wiki for the → VPN → IPSec menu, with the Add IPSec connection button.

  • In step 3, the local map network of the branch must be released.
    Here »10.0.2.0/24 (Replace with the default network IP of the branch, if necessary.)
  • In step 4, the public IP of the head office is required as Remote Gateway:
    and the remote map network of the head office is required as the shared network.
    Here »10.0.1.0/24



  • Create network objects for the transfer net

    Network object in the head office for the own network (Mapnet Local)
    Network object in the head office for the branch network (Mapnet Remote)

    Two network objects must be created in the head office, with networks that are set up neither in the head office nor in the branch office.
     Head office
    → Firewall → Portfilter, tab Network Objects, button Add Object

  • The network object for the (remote) branch MapNet must be of Type Network (Address).
  • For IPSec connections, the network object for the transfer net must be in the Zone external.
  • When creating an SSL-VPN connection, a zone VPN-SSL-(connection name) is established.
    The network object must then be created with this zone.
  • In our example, the network object receives the network address 10.0.2.0/24.

    The network object for the (own) Mapnet of the head office must be located in the zone of the internal network and is given the network address 10.0.1.0/24 in our example.

    Network object in the branch for the own network
    Network object in the branch for the network of the head office

     Branch office
    Two network objects are also created on the branch side:
    the network 10.0.1.0/24, the map network of the head office, located in the Zone external, and the network 10.0.2.0/24, the map network of the branch office, created with the zone of the internal network internal.




    Create a NETMAP rule

    Port filter rules must be created on each side to perform the mapping.

    NETMAP port filter rule
    The mapnet cannot be selected as a network object if it is still associated with an interface instead of an IP address.

     Head office, rule for outgoing mapping
        Source:        internal network
        Destination:   netmap_remotenet_branch1 (map network of the branch)
        Service:       any (exceptionally, an any rule makes sense here)
        Action:        Accept
        NAT:
          Type:        NETMAP
          Network:     netmap_localnet (map network of the head office)
          Service:     any (exceptionally, an any rule makes sense here)

     Head office, rule for incoming mapping
        Source:        netmap_remotenet_branch1 (map network of the branch)
        Destination:   internal network
        Service:       any (exceptionally, an any rule makes sense here)
        Action:        Accept
        NAT:
          Type:        none. No NAT of the type NETMAP is needed for this anymore.

     Branch office, rule for outgoing mapping
        Source:        internal network
        Destination:   netmap_remotenet_Headoffice (map network of the head office)
        Service:       any (exceptionally, an any rule makes sense here)
        Action:        Accept
        NAT:
          Type:        NETMAP
          Network:     netmap_localnet (map network of the branch)

     Branch office, rule for incoming mapping
        Source:        netmap_remotenet_Headoffice (map network of the head office)
        Destination:   internal network
        Service:       any (exceptionally, an any rule makes sense here)
        Action:        Accept
        NAT:
          Type:        none. No NAT of the type NETMAP is needed for this anymore.


    Port filter rules

    In addition to the netmap rules, further rules are needed to allow traffic between the respective local network and the respective remote network.
    Two options are available:

    Implied rules
    IPSec section in the implied rules

     Head office &  each branch
    Menu → Firewall → Implied rules → Group IpsecTraffic → Rule Accept: On
    In this case rules are created in the background that allow all services for all computers on both sides. (Default)

    Dedicated port filter rules

    Recommended

    Custom port filter rules that only allow the services that are needed.
    To do this, the IpsecTraffic Accept option in the → Firewall → Implied rules menu, section IpsecTraffic, is disabled (Off), and port filter rules are created manually.
    The example assumes that server access from the branch to the head office is required.

    A network object is required on each side for the respective remote VPN network.

    Network object in the  Head office for the VPN network
    Settings for the network object:
        Type:     VPN-Network
        Address:  10.0.2.0/24 (network IP of the branch's transfer network)
        Zone:     vpn-ipsec

    Network object in the  Branch office for the VPN network
    Settings for the network object:
        Type:     VPN-Network
        Address:  10.0.1.0/24 (network IP of the head office's transfer network)
        Zone:     vpn-ipsec

    A connection is required for each branch.

    No NAT of the type NETMAP is needed for this anymore.
    Port filter rule in the head office for inbound IPSec VPN
    If the branch is also to be accessed from the head office, additional rules are required accordingly (e.g. in order to be able to establish VoIP connections).


     Head office: overview of port filter rules (NM = NAT type NETMAP)
    #   Source                          Destination                Service   NAT   Action   Active   Purpose
    4   internal network                netmap_remotenet_branch1   any       NM    Accept   On       Netmap rule in the head office, mapping the own local network
    5   netmap_remotenet_branch1        internal network           any             Accept   On       Netmap rule in the head office, mapping the network of the branch
    6   ipsec_remotenet_Branch office1  internal network           ms-rdp          Accept   On       Incoming network traffic from the branch at the head office (exemplary port filter rule)

     Branch office: overview of port filter rules (NM = NAT type NETMAP)
    #   Source                        Destination                  Service   NAT   Action   Active   Purpose
    4   internal network              netmap_remotenet_headoffice  any       NM    Accept   On       Netmap rule in the branch, mapping the own local network
    5   netmap_remotenet_headoffice   internal network             any             Accept   On       Netmap rule in the branch, mapping the network of the head office
    6   internal-network              ipsec_remotenet_Zentrale     ms-rdp          Accept   On       Outbound network traffic from the branch to the head office (exemplary port filter rule)


    Accessibility of hosts of the remote station

    A host with the IP address 172.16.3.10 in the branch is addressed from the head office with the IP address 10.0.2.10. (The required rule is not shown in the example!)
    A host with the IP address 172.16.3.120 in the head office is addressed from the branch office with the IP address 10.0.1.120.
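The following Python walk-through is an added example and not Securepoint UTM code. It models the NETMAP rules of this scenario as a 1:1 address rewrite (host part kept, network part swapped) and sends a constructed packet through both firewalls, so you can verify the addresses above: the head office host 172.16.3.120 appears in the branch as 10.0.1.120, and the branch host 172.16.3.10 is reached from the head office as 10.0.2.10. The site tuples use the networks from the table; the `netmap`, `outgoing_rule`, `incoming_rule` and `trace` functions are names chosen for this illustration. The strict network check mirrors the precondition that every object carries a defined network IP rather than an interface.

```python
# Added example (not Securepoint UTM code): how the NETMAP rules of this
# scenario rewrite addresses. Networks are the article's (172.16.3.0/24 on
# both sides, map networks 10.0.1.0/24 and 10.0.2.0/24); the packets that are
# traced are constructed for the walk-through.
import ipaddress


def netmap(address, from_net, to_net):
    """1:1 NETMAP: keep the host part of `address`, swap the network part.

    strict=True mirrors the precondition that objects carry a defined network
    IP: "172.16.3.1/24" raises, "172.16.3.0/24" is accepted.
    """
    from_net = ipaddress.ip_network(from_net, strict=True)
    to_net = ipaddress.ip_network(to_net, strict=True)
    addr = ipaddress.ip_address(address)
    if from_net.prefixlen != to_net.prefixlen:
        raise ValueError("NETMAP requires subnets of the same size")
    if addr not in from_net:
        raise ValueError(f"{addr} is not inside {from_net}")
    host_part = int(addr) - int(from_net.network_address)
    return str(ipaddress.ip_address(int(to_net.network_address) + host_part))


# A site is (local network, its map network), as in the article's table.
HEAD_OFFICE = ("172.16.3.0/24", "10.0.1.0/24")
BRANCH_OFFICE = ("172.16.3.0/24", "10.0.2.0/24")


def outgoing_rule(packet, site):
    """The 'outgoing mapping' rule: source rewritten from local net to map net."""
    local_net, mapnet = site
    src, dst = packet
    return (netmap(src, local_net, mapnet), dst)


def incoming_rule(packet, site):
    """The 'incoming mapping' rule needs no NETMAP of its own: the destination
    is un-mapped by the reverse of the site's outgoing rule."""
    local_net, mapnet = site
    src, dst = packet
    return (src, netmap(dst, mapnet, local_net))


def trace(packet, sender, receiver):
    """Walk a (src, dst) packet through the sender's and the receiver's firewall.

    Returns (addresses seen inside the tunnel, addresses delivered to the host).
    """
    on_tunnel = outgoing_rule(packet, sender)
    delivered = incoming_rule(on_tunnel, receiver)
    return on_tunnel, delivered


if __name__ == "__main__":
    # Head office host 172.16.3.120 reaches the branch host 172.16.3.10 as 10.0.2.10
    print(trace(("172.16.3.120", "10.0.2.10"), HEAD_OFFICE, BRANCH_OFFICE))
    # The reply from the branch host travels back the same way, mirrored
    print(trace(("172.16.3.10", "10.0.1.120"), BRANCH_OFFICE, HEAD_OFFICE))
```

Inside the tunnel only the map networks 10.0.1.0/24 and 10.0.2.0/24 appear, which is why the IPSec connection can be negotiated although both sites use 172.16.3.0/24; each side's incoming rule then only has to undo its own outgoing mapping.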

    Several branches have an identical subnetwork

                        Local network    Public IP      Netmap
    Head office:        172.16.0.0/24    192.0.2.192    not required
    Branch office 1:    172.16.3.0/24    192.0.2.193    not required
    Branch office 2:    172.16.3.0/24    192.0.2.194    10.0.1.0/24

    Mapping is only set up on branches that use a network that is already set up on another VPN connection. No mapping is required in the head office if the internal network of the head office differs from that of the branches. One branch can also keep using an existing network without mapping.

  • NETMAP configurations in the head office for more than one remote station should be avoided.



  • Create VPN connection

    Step 4 with the remote net
    Step 3 in  Branch 2 with the local Mapnet

    Create an IPSec site-to-site VPN connection, as described in the Wiki for the → VPN → IPSec menu, with the Add IPSec connection button.

  •  Branch office 1 (not depicted)
    Branch 1 retains its original local network:
    In step 3, the local network (without mapping) must be released.
    In the example:

  •  Branch office 2 (and other branches, if applicable)
    In step 3, the local Mapnet must be released.
    In the example: »10.0.1.0/24

  •  each branch
    In step 4, the direct remote network of the head office (without mapping) is released.
    In the example: »172.16.0.0/24

  •  Head office
    A connection is required for each branch.
    • In step 3, the local network must be released.
      In the example: »172.16.0.0/24
    • In step 4, the mapped remote network of the corresponding branch is released.
      In the example: »10.0.1.0/24




    Create network objects

    Network object in branch 2 for the own map network (local). Branch 2 is mapped like this for the head office.
    Network object in branch 2 for the network of the head office

    In  Branch 2 (and in any other branch that uses a local network also used elsewhere) a network object for the head office is needed in the zone external, which is used to perform the mapping.

    In addition, a second network object is created for the local network of the respective branch, which is mapped.
    The network object for the map network in the branch must be located in the zone of the internal network internal and gets the network IP 10.0.1.0/24 in this example.
    (Further branches receive a different Mapnet in this place!)

  • The Mapnet may not be in use in the branch, in the head office, or in any of the other branches connected to the head office via VPN connections.
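The two planning rules of this scenario (the first site to use a network keeps it unmapped; a map network may overlap nothing in use at the head office, the branch itself, or any other connected branch) are easy to get wrong by hand once a third or fourth branch arrives. The Python planner below is an added example, not Securepoint UTM code: it walks the branches in the order they are connected, assigns a map network only where a collision occurs, and rejects candidate map networks that are already in use or have the wrong prefix length. The head office and branch networks are those of the table above; the candidate pool of map networks and the function names `plan_mapnets` and `vpn_networks` are constructed for the example.

```python
# Added example (not Securepoint UTM code): planning check for the
# multi-branch scenario. Head office and branch networks are the article's;
# the pool of candidate map networks is constructed for the example.
import ipaddress


def plan_mapnets(head_office_net, branches, mapnet_pool):
    """Return {branch name: map network or None}.

    `branches` is an ordered list of (name, local network). Order matters:
    a branch only needs mapping if its network already belongs to a site
    that was connected before it.
    """
    in_use = [ipaddress.ip_network(head_office_net, strict=True)]
    pool = [ipaddress.ip_network(n, strict=True) for n in mapnet_pool]
    plan = {}
    for name, net in branches:
        net = ipaddress.ip_network(net, strict=True)
        if not any(net.overlaps(u) for u in in_use):
            plan[name] = None          # unique so far: no NETMAP needed
            in_use.append(net)
            continue
        # Same network as an earlier site: pick a map network of the same
        # size (NETMAP precondition) that overlaps nothing already in use.
        free = [m for m in pool
                if m.prefixlen == net.prefixlen
                and not any(m.overlaps(u) for u in in_use)]
        if not free:
            raise ValueError(f"no free map network of size /{net.prefixlen} for {name}")
        mapnet = free[0]
        pool.remove(mapnet)
        in_use.append(mapnet)
        plan[name] = str(mapnet)
    return plan


def vpn_networks(head_office_net, branches, plan):
    """What each side releases in the IPSec wizard: step 3 (local network)
    and step 4 (remote network), per branch connection."""
    out = {}
    for name, net in branches:
        local = plan[name] or net      # mapped branches present their Mapnet
        out[name] = {
            "branch_step3": local, "branch_step4": head_office_net,
            "head_step3": head_office_net, "head_step4": local,
        }
    return out


if __name__ == "__main__":
    branches = [("Branch office 1", "172.16.3.0/24"),
                ("Branch office 2", "172.16.3.0/24"),
                ("Branch office 3", "172.16.3.0/24")]
    # Constructed pool: the first entry collides with the branches, the second
    # has the wrong size, so only the /24 entries from 10.0.0.0/8 are usable.
    pool = ["172.16.3.0/24", "10.0.0.0/16", "10.0.1.0/24", "10.0.2.0/24"]
    plan = plan_mapnets("172.16.0.0/24", branches, pool)
    print(plan)
    print(vpn_networks("172.16.0.0/24", branches, plan))
```

For the article's two branches the planner leaves branch 1 unmapped and gives branch 2 the map network 10.0.1.0/24, exactly as in the table; a third branch with the same network would receive the next free /24, never one that is already in use anywhere.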


  • Create a NETMAP rule

    NETMAP port filter rule

    Port filter rules in branch 2

     Branch office 2, rule for outgoing mapping
        Source:        internal network
        Destination:   netmap_remotenet_headoffice
        Service:       any (exceptionally, an any rule makes sense here)
        Action:        Accept
        NAT:
          Type:        NETMAP
          Network:     netmap_localnet_branch2
          Service:     any (exceptionally, an any rule makes sense here)




    Port filter rules

    In addition to the netmap rules, further rules are needed to allow traffic between the respective local network and the respective remote network.

    Two options are available:

    Implied rules
    IPSec section in the implied rules

     Head office &  each branch
    Menu → Firewall → Implied rules → Group IpsecTraffic → Rule Accept: On
    In this case rules are created in the background that allow all services for all computers on both sides. (Default)

    Dedicated port filter rules

    Recommended

    Custom port filter rules that only allow the services that are needed.
    To do this, the IpsecTraffic Accept option in the → Firewall → Implied rules menu, section IpsecTraffic, is disabled (Off), and port filter rules are created manually.
    The example assumes that server access from the branch to the head office is required.

    A network object is required on each side for the respective remote VPN network.

    Network object for branch 2 in the  Head office
    Settings for the network object:
        Type:     VPN-Network
        Address:  10.0.2.0/24 (network IP of the local network of branch 2)
        Zone:     vpn-ipsec

    Network object for the head office in  Branch 2
    Settings for the network object:
        Type:     VPN-Network
        Address:  172.16.0.0/24 (network IP of the local network of the head office)
        Zone:     vpn-ipsec

     Head office: overview of port filter rules
    #   Source                          Destination        Service   NAT   Action   Active   Purpose
    4   ipsec_remotenet_Branch office1  internal network   ms-rdp          Accept   On       Incoming network traffic from branch 1 at the head office (exemplary port filter rule)
    5   ipsec_remotenet_Branch office2  internal network   ms-rdp          Accept   On       Incoming network traffic from branch 2 at the head office (exemplary port filter rule)

     Branch office 1: overview of port filter rules
    #   Source              Destination                Service   NAT   Action   Active   Purpose
    5   internal-network    ipsec_remotenet_Zentrale   ms-rdp          Accept   On       Outbound network traffic from branch 1 to the head office (exemplary port filter rule)

     Branch office 2: overview of port filter rules (NM = NAT type NETMAP)
    #   Source              Destination                   Service   NAT   Action   Active   Purpose
    4   internal network    netmap_remotenet_headoffice   any       NM    Accept   On       Netmap rule in branch 2, mapping the own local network
    5   internal-network    ipsec_remotenet_Zentrale      ms-rdp          Accept   On       Outbound network traffic from branch 2 to the head office (exemplary port filter rule)


    Accessibility of hosts of the remote station

    A host with the IP address 172.16.3.10 in branch 1 is addressed from the head office with exactly this IP address (172.16.3.10).
    A host with the IP address 172.16.3.10 in branch 2 is addressed from the head office with the mapped IP address 10.0.1.10.
    A host with the IP address 172.16.0.120 in the head office is addressed from the branch office with the IP address 172.16.0.120.