DNAT towards IPsec Site
Hi all,
I have the following network setup:

I want to achieve that the Proxy (192.168.101.2) can access the Target (192.168.0.2) via a Destination NAT. Currently I have two SAs allowing direct traffic, which I want to prevent.
I've configured everything as shown above, but the traffic seems to not get routed to the destination (tcpdump shows nothing arriving).
The DNAT seems to be working on all networks in Site B, but as soon as the Destination is bound via IPsec, it does not work for me.
I've also tried to configure the destination NAT directly in the Site-2-Site VPN Configuration under Advanced, but even this did not work for me.
What did I miss?
Thanks for any response,
Jessica
P.S.: It's a USG 110
All Replies
Hi @jessicas
Since you would like to use a fake source IP (192.168.100.100) to the remote site 192.168.0.2, a VTI interface is required for this requirement.
Site A and Site B have to set up the VPN tunnel by VTI interface.

And then create a policy route rule (on Site B) for your requirement.