DrayTek UK Users' Community Forum

Help, Advice and Solutions from DrayTek Users

Nat traffic over Lan to Lan

21 Jan 2025 15:03 #104466 by ttrade
Hi,
Have opened a ticket with support, but will post here on the off chance somebody can solve this here first.

Had an S2S VPN configured on a 2862 and was NATing all traffic to a single IP (1.2.3.4 in this case, sanitized) set under My WAN IP.

This setting is missing on the 2962

How do I configure the 2962 to do the same as my settings in the 2862?

If I choose NAT mode on the 2962 then the tunnel doesn't come up at all, regardless of what I put in Local and Remote Networks.
If I choose routing mode, tick Translate whole subnet, choose the LAN and pop in the details, then the tunnel comes up but it doesn't NAT from a specific IP, as it just keeps defaulting the Local Network to 1.2.3.0/32 rather than 1.2.3.4/32, and none of the traffic goes over the S2S as they only accept traffic from the NATed IP.

What are the equivalent settings for the 2963 to match those of the working 2862 config?

Thanks in advance

22 Jan 2025 09:33 - 22 Jan 2025 09:36 #104468 by HodgesanDY
Replied by HodgesanDY on topic Nat traffic over Lan to Lan
Hi ttrade,

Have you been able to connect and pass any traffic at all across the S2S connection yet (under any of your attempted configs)?

Am I correct in saying all you want to do is have nodes at one site use the internet connection (and therefore the public WAN IP) of the remote site? If so, then you just need to establish the S2S (Lan2Lan) connection and then set up a 'Routing policy' for that/those nodes to be routed via the VPN connection and out onto the internet.

Your 'My WAN IP' shouldn't need changing from the default setting, that should just stay as 0.0.0.0.
Your 'Remote Network IP' needs to be the main LAN (or any LAN) of the remote site, for example 192.168.20.0 or 192.168.20.1 (both will work).
Set the 'Mask' to match that remote network size as well.
If you use the NAT option you won't have granular control of the L2L routing at the 2962 end later, but that's fine if all you want to do is use the remote site's public IP for your local nodes.

If I choose routing mode and then tick Translate whole subnet...


You shouldn't need to enable this option unless your remote site has the same subnet range as your local subnet; you ideally want them to be different.

How do I configure the 2962 to do the same as my settings in the 2862?...


You shouldn't need to, as the 2862 is specifying NAT and the 2962 is passive to that pre-set factor. If you're choosing NAT, the connection will appear as 'Dynamic Client' at the 2962 end and a remote L2L profile isn't necessary for that configuration. If you have chosen 'Route' then you will need the remote site's L2L profile to be in place for the connection to be established, as that is needed for the routing ability at the 2962 end.
Last edit: 22 Jan 2025 09:36 by HodgesanDY.

22 Jan 2025 09:57 - 22 Jan 2025 09:59 #104469 by ttrade
Replied by ttrade on topic Nat traffic over Lan to Lan
Hi HodgesanDY

So we have a few devices on our LAN that need to connect to a 3rd party via the tunnel.

The tunnel comes up fine but it doesn't send traffic via the NATed IP, so packets are being rejected at the remote end.

The 3rd party have it configured so it will only accept traffic from a natted IP from our end over the tunnel.

So our LAN - 192.168.1.0/24
Remote LAN - let's say it is 10.1.2.30
They will only accept traffic from those few devices from a NATed IP they have provided of, let's say, 10.20.30.40

On the 2862 it works fine.

On the 2962 that I have replaced the 2862 with, and with the same settings, it doesn't send the traffic via the NATed IP.


The only way I can get it to work is to put it in routed mode rather than NAT: set the Local Network as the NATed IP network and then do virtual IP mappings from our LAN IPs to the 1 NATed IP they have provided.

The 3rd party remote end is a virtual VMware firewall, I believe; that's out of my control, I'm just creating a dial-out LAN to LAN VPN to it.
Last edit: 22 Jan 2025 09:59 by ttrade.

22 Jan 2025 10:48 #104470 by HodgesanDY
Replied by HodgesanDY on topic Nat traffic over Lan to Lan
So if a particular 192.168.1.0/24 device gets this public IP address "10.20.30.40" when visiting, say, whatismyip.com, everything should work, is that correct to say?

On the 2962 that I have replaced the 2862 with...


You lost me a bit here. Did you have 2862s at both ends before, and you changed one to a 2962?

22 Jan 2025 10:56 #104471 by ttrade
Replied by ttrade on topic Nat traffic over Lan to Lan
They have provided the external IP for the tunnel endpoint, the remote network and NAT IP they have provided are internal ones.

No, at our end we used a 2862. It has been replaced with a 2962 now as we needed dual WAN, so we had to upgrade it.

22 Jan 2025 11:49 - 22 Jan 2025 11:52 #104472 by HodgesanDY
Replied by HodgesanDY on topic Nat traffic over Lan to Lan
Ok, I think I understand your dilemma now.

So if the below works:

The only way I can get it to work is to put it in routed mode rather than NAT: set the Local Network as the NATed IP network and then do virtual IP mappings from our LAN IPs to the 1 NATed IP they have provided.

Is this then causing you other issues, once the virtual IP mapping is in place?


One other possible suggestion, and I have done this before with some door-entry modules at remote sites (for syncing and firmware updates etc.), is to set up a remote dial-in profile on the 2962, which would place the connection on the subnet you want. I'm guessing you have a subnet matching the provided "NATed IPs" already set up at your remote site? You could then establish a VPN connection directly from the local node (effectively going around the Lan2Lan route) straight into the subnet it needs to be on; you could even set a static IP for it to receive when joining that subnet in the Dial-in profile. Granted, this may result in the same problem as setting up a virtual IP map, as above, but it is worth a mention.

Going back to your original question in your first post, have you looked at 2962's CLI yet?

Code:
> vpn option
%Usage:
% vpn option  = [= | ... ]
%   index : index of profile which you want change
% vpn option ?1 : Show Commands of Common Settings
% vpn option ?2 : Show Commands of Dial-Out Settings
% vpn option ?3 : Show Commands of Dial-In Settings
% vpn option ?4 : Show Commands of TCP/IP Network Settings
> vpn option ?4
% Commands of TCP/IP Network Settings
%   mywip    : My WAN IP
%              mywip=1.2.3.4 Set My WAN IP = 1.2.3.4
%   rgip     : Remote Gateway IP
%              rgip=1.2.3.4 Set Remote Gateway IP = 1.2.3.4
%   rnip     : Remote Network IP
%              rnip=1.2.3.0 Set Remote Network IP = 1.2.3.0
%   rnmask   : Remote Network Mask
%              rnmask=255.255.255.0 Set Remote Network Mask = 255.255.255.0
%   lnip     : Local Network IP
%              lnip=1.2.3.0 Set Local Network IP = 1.2.3.0
%   lnmask   : Local Network Mask
%              lnmask=255.255.255.0 Set Local Network Mask = 255.255.255.0
%   rip      : RIP Direction
%              rip=d/t/r/b Set RIP Direction = Disable / TX / RX / Both
%   mode     : From first subnet to remote network, you have to do
%              mode=r/n Set Route / NAT mode
%   droute   : Change default route to this VPN tunnel ( Only active if one single WAN is up )
%              droute=on/off


Have you tried adding the 'My WAN IP', or whatever you need, via this method yet?
Last edit: 22 Jan 2025 11:52 by HodgesanDY.
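As an added example (not from the thread, DrayTek, or either poster), a small Python check that parses the 'vpn option ?4' help above, catches the selector pitfall ttrade describes (a Local Network that lands on x.x.x.0/32 instead of the NATed host /32), and renders the profile line. The single-line 'vpn option <index> key=value ...' syntax is assumed from the stripped usage banner, and 10.20.30.40 / 10.1.2.30 are the constructed values from the thread.

```python
import ipaddress
import re

# Constructed excerpt of the 'vpn option ?4' help text quoted in the thread.
HELP_TEXT = """% Commands of TCP/IP Network Settings
%   mywip    : My WAN IP
%              mywip=1.2.3.4 Set My WAN IP = 1.2.3.4
%   rnip     : Remote Network IP
%   rnmask   : Remote Network Mask
%   lnip     : Local Network IP
%              lnip=1.2.3.0 Set Local Network IP = 1.2.3.0
%   lnmask   : Local Network Mask
%   mode     : From first subnet to remote network, you have to do
%              mode=r/n Set Route / NAT mode
"""

def parse_options(help_text):
    """Return {option: description} from the '%   name     : desc' lines."""
    opts = {}
    for line in help_text.splitlines():
        m = re.match(r"%\s+(\w+)\s+:\s+(.*)", line)
        if m:
            opts[m.group(1)] = m.group(2).strip()
    return opts

def selector_covers(lnip, lnmask, nat_ip):
    """True if the local selector lnip/lnmask includes nat_ip.
    10.20.30.0/255.255.255.255 does NOT cover 10.20.30.40: that is the
    symptom in the thread (Local Network falling back to x.x.x.0/32)."""
    net = ipaddress.ip_network(f"{lnip}/{lnmask}", strict=False)
    return ipaddress.ip_address(nat_ip) in net

def build_command(index, settings, known):
    """Render one 'vpn option <index> key=value ...' line (assumed format,
    read from the stripped usage banner) and reject keys not in the help."""
    unknown = sorted(set(settings) - set(known))
    if unknown:
        raise ValueError(f"not listed under 'vpn option ?4': {unknown}")
    pairs = " ".join(f"{k}={v}" for k, v in settings.items())
    return f"vpn option {index} {pairs}"

if __name__ == "__main__":
    known = parse_options(HELP_TEXT)
    # Constructed values from the thread: NAT IP 10.20.30.40, remote 10.1.2.30.
    profile = {"mode": "r", "lnip": "10.20.30.40", "lnmask": "255.255.255.255",
               "rnip": "10.1.2.30", "rnmask": "255.255.255.255"}
    assert not selector_covers("10.20.30.0", "255.255.255.255", "10.20.30.40")
    assert selector_covers(profile["lnip"], profile["lnmask"], "10.20.30.40")
    print(build_command(1, profile, known))
```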
