DNAT towards IPsec Site

jessicas
edited April 2021 in Security
Hi all,

I have the following network setup:


I want to achieve that the Proxy (192.168.101.2) can access the Target (192.168.0.2) via a Destination NAT. Currently I have two SAs allowing direct traffic, which I want to prevent.

I've configured everything as shown above, but the traffic seems to not get routed to the destination (tcpdump shows nothing arriving).

The DNAT seems to be working on all networks in Site B, but as soon as the destination is bound via IPsec, it does not work for me.

I've also tried to configure the destination NAT directly in the Site-2-Site VPN Configuration under Advanced, but even this did not work for me.

What did I miss?
Thanks for any response,
Jessica
P.S.: It's a USG 110

All Replies

  • Zyxel_Stanley
    Zyxel_Stanley Posts: 1,366  Zyxel Employee
    edited May 2019

    Hi @jessicas  

    Since you would like to use a fake source IP (192.168.100.100) to reach the remote site 192.168.0.2, a VTI interface is required.

    Site A and Site B have to set up the VPN tunnel using a VTI interface.


    Then create a policy route rule (on Site B) for your requirement.

