NAT loopback not working behind BOVPN tunnel?
Hi
I have a reachability issue with a server published via SNAT.
Let me describe the scenario.
The server is located at site A, while it is published through a public IP at site B.
Site A and site B are connected through a BOVPN, and within the tunnel there is an "any IP" <--> server private IP route.
The policy publishing the server is from "any" to the SNAT dedicated to the server.
The server is reachable from any external resource and from the internal network of site B, but it is not reachable from the internal network of site A, which is the same site where the server is located.
So it appears that NAT loopback is not working from site A.
Any ideas?
Comments
What does logging show for the NAT loopback attempt at each end?
When I try to reach the server using site B public IP from site A internal network, I get this allowed traffic in the logs of site B:
2026-04-23 17:14:03 Allow 217.73.xxx.xxx 93.146.xxx.xxx http/tcp 43155 80 Fibra Fibra Allowed 52 54 (HTTP-Test-00) proc_id="firewall" rc="100" msg_id="3000-0148" dst_ip_nat="192.168.251.xx" tcp_info="offset 8 S 849519535 win 4210" geo_src="ITA" geo_dst="ITA"
Where:
217.73.xxx.xxx is the wan ip of site A
93.146.xxx.xxx is the wan ip of site B used to publish server in site A
192.168.251.xx is the lan IP of server in site A behind SNAT
I do not see any relevant traffic in site A except for the one allowed in the outgoing rule.
"2026-04-23 17:14:03 Allow 217.73.xxx.xxx 93.146.xxx.xxx"
In my Traffic Monitor, the 1st IP addr is the source & the 2nd is the dest.
These seem to be reversed in your logs ???
One doesn't see reply packets in the logs. To see them you need to do a packet capture.
"I do not see any relevant traffic in site A except for the one allowed in the outgoing rule."
Does this mean that you are seeing traffic to the site B public IP addr in the Site A logs?
If so, it would indicate that Site A doesn't route to site B public IP addr via the BOVPN.
Missing a BOVPN Route entry ?