DNAT towards IPsec Site
Hi all,
I have the following network setup:

I want to achieve that the Proxy (192.168.101.2) can access the Target (192.168.0.2) via a Destination NAT. Currently I have two SAs allowing direct traffic, which I want to prevent.
I've configured everything as shown above, but the traffic seems to not get routed to the destination (tcpdump shows nothing arriving).
The DNAT seems to be working on all networks in Site B, but as soon as the Destination is bound via IPsec, it does not work for me.
I've also tried to configure the destination NAT directly in the Site-2-Site VPN Configuration under Advanced, but even this did not work for me.
What did I miss?
Thanks for any response,
Jessica
P.S.: It's a USG 110
All Replies
-
Hi @jessicas
Since you would like to use a fake source IP (192.168.100.100) to reach remote site 192.168.0.2, a VTI interface is required for this requirement.
Site A and Site B have to set up the VPN tunnel using a VTI interface.

And then create a policy route rule (on Site B) for your requirement.