1

I've an openVPN client which runs on windows2008 R2 server and through this windows 2008, I'm trying to do static nat to a machine which lies behind this win2008s real network. Here is my configuration for 2008 server;

  • OpenVPN server; 10.9.0.1
  • OpenVPN connection: "Local Area Connection 2" 10.9.0.28/24
  • Local network: "Local Area Connection" 192.168.10.71/24

output of my NAT configuration on 2008 server

    # ----------------------------------
    # NAT configuration
    # ----------------------------------
    pushd routing ip nat
    uninstall
    install
    set global tcptimeoutmins=1440 udptimeoutmins=1 loglevel=ERROR
    #
    #NAT Configuration For Interface Local Area Connection 2
    #
    add interface name="Local Area Connection 2" mode=FULL
    add addressrange name="Local Area Connection 2" start=10.9.0.24 end=10.9.0.31 mask=255.255.255.248
    add addressmapping name="Local Area Connection 2" public=10.9.0.28 private=192.168.10.59 inboundsessions=enable
    #
    #NAT Configuration For Interface Local Area Connection
    #
    add interface name="Local Area Connection" mode=PRIVATE
    popd

When I try to ping 10.9.0.28 from openvpn server or connect to a tcp port on it, I see destination nat is done on windows 2008 server and my packets are sent to 10.9.0.28 but with source ip 10.9.0.1. 

  19:54:25.046131 IP 10.9.0.1.43109 > 192.168.10.59.2000: Flags [S], seq 870055875, win 5840, options [mss 1350,sackOK,TS val 8948005 ecr 0,nop,wscale 7], length 0
19:54:25.046198 IP 192.168.10.59.2000 > 10.9.0.1.43109: Flags [R.], seq 0, ack 870055876, win 0, length 0
  19:54:28.044561 IP 10.9.0.1.43109 > 192.168.10.59.2000: Flags [S], seq 870055875, win 5840, options [mss 1350,sackOK,TS val 8951005 ecr 0,nop,wscale 7], length 0

and for sure, returning packets does not find their way to originator then.I also tried not to map hosts directly but service/port translation but this didn't work either. In my linux boxes, I can of course change the source IP address while doing nat with iptables but for very same scenario, I couldn't find how to do this on windows.

So, do you have any idea how to change source ip while doing NAT with windows servers?

thanks for the help in advance

goktan

goktan
  • 11
  • 3

1 Answers1

1

You can use netsh to do that:

netsh routing ip nat install
netsh routing ip nat add interface "Local sth or Ethernet etc" AddressOnly
netsh routing ip nat add addressrange "Local sth or Ethernet etc" start=10.9.0.24 end=10.9.0.31 255.255.255.248
netsh routing ip nat add addressmapping "Local sth or Ethernet etc" public=<what_you_want_the_ip_to_look_like> <what_the_ip_actually_is> inboundsessions=disable

The last option is for using (or not as we do here) the same addressmapping in the opposite direction. This might be break eg your internet connectivity if you don't know what you are doing.

Nikolaos Kakouros
  • 163
  • 1
  • 6