SNAT and BOVPN query


Firebox - M270
Fireware - 12.4.1.B595401

I have a site to site VPN setup, which is working fine, one ip subnet at each end.

I also had a policy configured to come in on a specific port and be forwarded to a local IP address/computer via SNAT. This is working fine also.

The computer in question is being moved to the other site. I don't want to move the policy to the other firewall (as I don't control it), but when changing the local ip address of the SNAT to an IP address on the other subnet (on the other end of the VPN) it doesn't work. I was hoping the policy would forward it up the BOVPN, but I'm guessing it'll have something to do with the source IP address of the packets coming in, but I can't think of how to cover this.

Any ideas?


  • Options
    edited April 2021

    The issue is the reply packets are currently not coming back via the BOVPN.

    To have incoming packets go over a BOVPN to the remote server, you will need the source IP addr of the incoming packet to get changed to one which will be routed back over the BOVPN from the other end.
    I recommend that you use the trusted interface IP addr as the change to addr

    • assuming that the BOVPN includes the trusted subnet in the From / To Tunnel settings.

    On your incoming policy:
    . on your SNAT entry -> "Set source IP addr" - enter the trusted interface IP addr
    Now the reply packets will come back to your firewall and then go back the the session initiator.

  • Options

    Excellent work, Bruce. All working now!

    Yes of course, the packets would have the source of the external IP of the initial firewall, so the 2nd firewall would send them out to the Internet. Great work again.

  • Options
    edited April 2021

    Actually the packets would have the source IP of the session initiator, not of your firewall external interface IP addr.

Sign In to comment.