Source NAT through vpn tunnels


All Replies

  • valerio_vanni
    valerio_vanni Posts: 117  Ally Member

    Yes, I made a summary of the working setup.

    After creating tunnel A2B2, I could remove the policy route on the A firewall; LAN C was already included in the VPN policy.

    But I still wonder if there are simpler ways.

    I don't understand why the AB tunnel refuses traffic not belonging to its local-remote policies. This restriction would be triggered by the parameter "policy enforcement", but that parameter is set to "no".

  • zyman2008
    zyman2008 Posts: 223  Master Member

    Hi @valerio_vanni ,

    I just tested on my sites to simulate the case.

    I found that the different settings of the policy route on site B, for the return traffic from C via B to A, will impact the routing result.

    (1) Incoming - interface vti(B-C), src.: SUBNET-C, dst.: SUBNET-A, next-hop: Tunnel A-B.

    It does not work. (Route traces show the outgoing interface is wan.)

    (2) Incoming - any, src.: SUBNET-C, dst.: SUBNET-A, next-hop: Tunnel A-B.

    It works. (Route traces show the outgoing interface is doll.)

    Not sure why the different incoming interface of the policy route impacts the route.

  • valerio_vanni
    valerio_vanni Posts: 117  Ally Member

    Where you set "incoming - any", you could set tunnel BC (phase 2 bound to the VTI); in my setup that is the source that leads to doll instead of WAN1.

    There's something not symmetric: in my working setup, traffic goes out to the VTI object and comes back from the tunnel object (the trace reports "vpn id").

    Notice that in my setup there's no explicit rule in that direction; it's only return traffic of the policy "source: tunnel AB - A LAN - dest tunnel BC - C LAN - SNAT to fakeb".
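The two posts above describe the same effect from different angles: a policy route on B that matches "incoming = vti(B-C)" does not catch the C-to-A return traffic, while "incoming = any" (or the tunnel BC object) does, because the trace attributes the returning packets to the tunnel object ("vpn id") rather than to the VTI. The following Python model is an added example, not code from the thread or from the firewall vendor; it assumes first-match policy-route evaluation, a default route out of WAN1, and constructed subnet and interface names (10.1.0.0/24 for LAN A, 10.3.0.0/24 for LAN C, "vti_BC", "tunnel_BC", "tunnel_AB"). It shows why the incoming-interface selector decides whether the rule fires.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed addressing for the three sites (assumption, not from the thread).
SUBNET_A = ipaddress.ip_network("10.1.0.0/24")   # LAN behind firewall A
SUBNET_C = ipaddress.ip_network("10.3.0.0/24")   # LAN behind firewall C
DEFAULT_EGRESS = "wan1"                          # what a non-matching packet falls back to


@dataclass(frozen=True)
class PolicyRoute:
    """One policy-route entry: incoming=None models the 'any' selector."""
    incoming: Optional[str]
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    next_hop: str


@dataclass(frozen=True)
class Packet:
    """A packet as the firewall sees it, including the interface it is attributed to."""
    ingress: str
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address


def matches(rule: PolicyRoute, pkt: Packet) -> bool:
    # The incoming selector is an exact match on the interface object name;
    # a VTI object and the tunnel object of the same VPN are different names.
    if rule.incoming is not None and rule.incoming != pkt.ingress:
        return False
    return pkt.src in rule.src and pkt.dst in rule.dst


def route(rules: List[PolicyRoute], pkt: Packet, default: str = DEFAULT_EGRESS) -> str:
    """First-match policy routing (assumed evaluation order); returns the egress name."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.next_hop
    return default


# Constructed return packet from LAN C to LAN A arriving at B. Per the thread,
# the trace attributes it to the tunnel object (vpn id), not to the VTI.
RETURN_PKT = Packet(
    ingress="tunnel_BC",
    src=ipaddress.ip_address("10.3.0.10"),
    dst=ipaddress.ip_address("10.1.0.10"),
)

# The three candidate rules discussed: incoming = vti(B-C), any, or tunnel BC.
RULE_VTI = PolicyRoute("vti_BC", SUBNET_C, SUBNET_A, "tunnel_AB")
RULE_ANY = PolicyRoute(None, SUBNET_C, SUBNET_A, "tunnel_AB")
RULE_TUNNEL = PolicyRoute("tunnel_BC", SUBNET_C, SUBNET_A, "tunnel_AB")


def compare_selectors() -> dict:
    """Egress chosen for the return packet under each incoming-interface selector."""
    return {
        "vti_BC": route([RULE_VTI], RETURN_PKT),      # no match -> falls to wan1
        "any": route([RULE_ANY], RETURN_PKT),         # matches -> tunnel_AB
        "tunnel_BC": route([RULE_TUNNEL], RETURN_PKT),  # matches -> tunnel_AB
    }


if __name__ == "__main__":
    for selector, egress in compare_selectors().items():
        print(f"incoming={selector:10s} -> egress {egress}")
```

The practical check this models: when a policy route for return traffic is not taking effect, compare the interface name the route trace reports for that traffic against the one in the rule's incoming selector; a rule bound to the VTI object will silently fall through to the default WAN route if the packets are attributed to the tunnel object instead.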
