NETMAP

Connecting VPN networks to the same broadcast domains (IP ranges)

Last adaptation to the version: 11.8.7

Changes

• Zone of remote network corrected
• layout adjustment

Previous versions: 11.7

If the same subnets are used on both sides of a VPN connection, it is normally not possible to set up this connection.
In addition, it can happen that the same networks are set up behind different remote peers.
With the NAT type NETMAP and auxiliary networks (map network) that are not set up on any of the remote peers to be connected, these connections can still be set up without completely changing the subnet on one of the sides.

NATing complete subnets with NETMAP

Preparation

Convert network object to address

 Head office &  Branch office
To use the NETMAP function the following conditions have to be observed:

• The subnets of the objects involved in NETMAP must all have the same size, for example all /24.

• All objects involved must have entered a defined network IP address. So no interfaces may be selected'.
  

Check the network object of the internal network and if necessary change to Address by activating the radio button before Address and entering the network address with the corresponding subnet mask in the field. In this example we have the network 172.16.3.0/24 on both sides.

Initial conditions

Head office and branch have the same subnetwork

In this case, the mapping must be set up on both sides of the connection.

The connection is to be established via IPSec.

Create network objects

Network object in the central office for your own network (Mapnet Local)

Network object in the head office for the branch network (Mapnetz Remote)

Two network objects must be created in the head office with networks that are neither set up in the head office nor in the branch office.
 Head office
→ Firewall →Port Filter → Network Objects → Add Object

The network object for the (remote) Branch MapNet must be of Type Network (Address).

For IPSec-connections, the network object must be in the Zone external.

For SSL VPN connections, a connection must be created first.
This creates a zone VPN-SSL-Connection name.
The network object must then be created with this zone.

In our example, the network object receives the network address 10.0.2.0/24

The network object for the (own) Mapnet of the central office must be located in the zone of the internal network and is given the network address 10.0.1.0/24 in our example.

Network object in the branch for the own network

Network object in the branch for the network of the head office.

 Branch office
Two network objects are also created on the branch side.
There is the network 10.0.1.0/24, the map network of the central office located in the Zone external and the network 10.0.2.0/24, the map network of the branch office created with the zone of the internal network internal.

Creating a NETMAP Rule

NETMAP Port Filter Rule

Port filter rules must be created on each page, depending on the usage scenario.

Create VPN connection

 Head office

 Head office Step 4 with remote map network of the branch office

 Head office Step 3 with local map network of the Head Office

Create an IPSec site to site VPN connection, as described in the Wiki in the → VPN →IPSec menu with the + Add IPSec connection button.

• In step 3, the local map network must be released.
• in step 4 the remote Mapnet.

 Branch office

 Branch office Step 4 with remote map network of the head office

 Branch office Accessibility of hosts of the remote station

Create an IPSec site to site VPN connection, as described in the Wiki in the → VPN →IPSec menu with the + Add IPSec connection button.

• In step 3, the local map network must be released.
• in step 4 the remote Mapnet.

Accessibility of hosts of the remote station

A host with the IP address 172.16.3.10 in the branch is addressed from the head office with the IP address 10.0.2.10.
A host with the IP address 172.16.3.120 in the head office is addressed from the branch office with the IP address 10.0.1.120.

Several branches have an identical subnetwork

Initial conditions

Mapping is only set up on branches that use the same network as already has been set up on a VPN connection. No mapping is required in the head office if the internal network of the head office differs from that of the branches. One existing network can also be used without mapping in a branch.

Create network objects

Network object in the branches for the network of the head office. The subnet of the head office can be used directly.

In  Branch office 1 (and in any other branch that uses an otherwise unused subnet) an IPSec network object is set up for the head office.
The network object for the network of the remote terminal must be located in the zone vpn-ipsec. In our example, it has the network address 172.16.0.0/24.

Network object in branch 2 for your own map network (local). Branch 2 is mapped like this for the head office.

Network object in Branch 2 for the network of the head office

In the  Branch office 2 (and in each additional branch that uses an already used subnet), a second network object is created for its own subnet, which is mapped.

The Mapnet must not be used in the branch, in the head office, or in any of the other branches that are connected to the head office via VPN connections.
The network object for the map network in the branch office must be located in the zone of the internal network and in our example is given the network address 10.0.1.0/24. (Other branches get a different Mapnet at this point!)

Creating a NETMAP Rule

NETMAP Port Filter Rule

Port filter rules in branch 2 (and in any other branch that uses an already used subnet)

Create VPN connection

Step 4 with Remote Net

Step 3 in  Branch 2 with local Mapnet

Create an IPSec site to site VPN connection, as described in the Wiki in the → VPN →IPSec menu with the + Add IPSec connection button.

 Branch office 1

• In step 3, the local network (without mapping) must be released.
  In the example:» ✕172.16.3.0/24
  
  

 Branch office 2 (and other stores, if applicable)

• In step 3 the local Mapnet must be released.
  In the example: » ✕10.0.1.0/24
  
  

 each branch

• In step 4, the direct remote network of the head office (without mapping) is released.
  In the example: » ✕172.16.0.0/24
  
  

 Head office

• A connection is required for each branch.
• In step 3, the local network must be released.
  In the example: » ✕172.16.0.0/24
• In step 4, the mapped remote network of the corresponding branch is released.
  In the example: » ✕10.0.1.0/24

Portfilter rules

Two options are available:

•  Head office &  each branch
  

Menu → Firewall →Implicit rules → Group IpsecTraffic} → Rule Acceppt On

In this case rules are created in the background, which allow all services for all computers on both sides. (Default)

• Recommended: Custom port filter rules that only allow services that are needed.
  To do this, the IpsecTraffic Accept option in the → Firewall →Implicit Rules-menu, section IpsecTraffic is to be disabled Off and port filter rules are created manually.
  Example:

Accessibility of hosts of the remote station

A host with the IP address 172.16.3.10 in branch 1 is addressed from the head office with exactly this IP address (172.1.6.3.10).
A host with the IP address 172.16.3.10 in branch 2 is addressed from the head office with the mapped IP address 10.0.1.10.
A host with the IP address 172.16.0.120 in head office is addressed from the branch office with the IP address 172.16.0.120.