SNAT and BOVPN query
Hi,
Firebox - M270
Fireware - 12.4.1.B595401
I have a site to site VPN setup, which is working fine, one ip subnet at each end.
I also had a policy configured to come in on a specific port and be forwarded to a local IP address/computer via SNAT. This is working fine also.
The computer in question is being moved to the other site. I don't want to move the policy to the other firewall (as I don't control it), but when changing the local IP address of the SNAT to an IP address on the other subnet (on the other end of the VPN) it doesn't work. I was hoping the policy would forward it up the BOVPN, but I'm guessing it'll have something to do with the source IP address of the packets coming in, and I can't think of how to cover this.
Any ideas?
Comments
The issue is the reply packets are currently not coming back via the BOVPN.
To have incoming packets go over a BOVPN to the remote server, you will need the source IP addr of the incoming packet to get changed to one which will be routed back over the BOVPN from the other end.
I recommend that you use the trusted interface IP addr as the change-to addr.
On your incoming policy:
- on your SNAT entry -> "Set source IP addr" - enter the trusted interface IP addr
Now the reply packets will come back to your firewall and then go back to the session initiator.
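To make the routing reason behind this answer concrete, here is an added illustration (not from the thread, not WatchGuard code): a toy longest-prefix-match lookup against a hypothetical routing table on the remote firewall, showing where the server's reply egresses with and without "Set source IP addr". All addresses are constructed placeholders.

```python
import ipaddress
from typing import Optional

# Constructed addresses for illustration only (RFC 5737 / RFC 1918 ranges).
LOCAL_TRUSTED_IF = "192.168.1.1"   # hypothetical trusted interface IP of the local Firebox
SERVER = "192.168.2.50"            # hypothetical server now living behind the remote firewall
INITIATOR = "203.0.113.10"         # hypothetical Internet client hitting the incoming policy

# Hypothetical routing table of the REMOTE firewall. Only the local site's
# trusted subnet is reachable through the BOVPN; everything else goes out
# the external interface to the Internet.
REMOTE_ROUTES = [
    (ipaddress.ip_network("192.168.2.0/24"), "trusted"),
    (ipaddress.ip_network("192.168.1.0/24"), "bovpn"),
    (ipaddress.ip_network("0.0.0.0/0"), "external"),
]

def lookup(dst: str, routes=REMOTE_ROUTES) -> str:
    """Return the egress the remote firewall picks for dst (longest prefix wins)."""
    addr = ipaddress.ip_address(dst)
    matches = [(net.prefixlen, name) for net, name in routes if addr in net]
    return max(matches)[1]

def forward_over_bovpn(src: str, dst: str, set_source_ip: Optional[str]) -> dict:
    """Model the local policy's SNAT: optionally rewrite the source, then
    report where the remote server's reply (addressed to that source) will go."""
    forwarded_src = set_source_ip or src
    reply_egress = lookup(forwarded_src)
    return {
        "forwarded_src": forwarded_src,
        "forwarded_dst": dst,
        "reply_egress": reply_egress,
        # Symmetric only if the reply comes back through the tunnel to us.
        "symmetric": reply_egress == "bovpn",
    }

if __name__ == "__main__":
    cases = [("no Set source IP", None),
             ("Set source IP = trusted IP", LOCAL_TRUSTED_IF)]
    for label, set_src in cases:
        r = forward_over_bovpn(INITIATOR, SERVER, set_src)
        print(f"{label}: reply leaves via {r['reply_egress']} "
              f"(symmetric={r['symmetric']})")
```

Without the source rewrite the reply is routed to the Internet and never reaches the firewall that holds the session; with the trusted interface IP as source it returns over the BOVPN.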
Excellent work, Bruce. All working now!
Yes of course, the packets would have the source of the external IP of the initial firewall, so the 2nd firewall would send them out to the Internet. Great work again.
Actually the packets would have the source IP of the session initiator, not of your firewall external interface IP addr.