Access Webserver from external through bovpn

Hello,
I have two sites, A and B. Both are connected via a BOVPN tunnel.
Site A has local network 192.168.1.0/24
Site B has local network 192.168.2.0/24

We have fixed external public IPs on both sites.

All servers are hosted on Site A, but we need to access the webserver (192.168.1.10) via the public IP of Site B.

How can I solve this so that the webserver on Site A is reachable over the public IP of Site B?

Public IP Site A = 197.23.55.21
Public IP Site B = 80.77.66.11

On Site B the incoming NAT for 192.168.1.10 does not work.
I think I have to do NAT over the BOVPN Tunnel.
Thanks and kind regards.

Comments

  • james.carson Moderator, WatchGuard Representative
    edited July 2019

    Hi MBlock,

    Thanks for writing.

    You'll need to create a VPN tunnel route from the public IP to the private IP of the server.

    In VPN -> Branch Office Tunnels, for that tunnel, you'll need to create a route that looks like this:
    80.77.66.11 <--> 192.168.1.10

    On the other firewall, it'll need to be flipped.

    (Bruce's method below will also work)

    -James Carson
    WatchGuard Customer Support

  • Or:

    For a normal (non-zero-route) BOVPN, you need an entry on the incoming HTTP/HTTPS policy with a "Set source IP" value to make the reply packet from the branch B device go back over the BOVPN, not out the branch B Internet connection.

    On the SNAT used for your incoming HTTP/HTTPS policy, select "Set source IP" and enter a value (discussed below).

    If the BOVPN tunnel Local setting is the trusted subnet, set the "Set source IP" value to the IP addr of the trusted interface. (Actually it can be any IP addr from the trusted subnet, but using the trusted interface IP addr seems more logical to me.)

    Now when the packet goes down the BOVPN, the source IP addr of the packet will be something from the main office (the trusted interface IP addr), and thus the reply packet will be routed back over the BOVPN to the main office firewall, where it will then be Dynamic NATed and routed back to the session initiator.

  • You're so great. I'll try it later. Thanks very much.
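As an added illustration of the second answer above (this is a constructed model written for this page, not code from the thread or from WatchGuard), the following Python script traces one request from an external client through Site B's incoming SNAT, into the BOVPN, and back out of Site A. It uses the addresses from the thread and assumes 192.168.2.1 for Site B's trusted interface IP and 203.0.113.5 for the external client; the route tables and tunnel selectors are simplified stand-ins for the firewall configuration. It shows the two ways the session fails without "Set source IP" (the packet never matches the tunnel's Local/Remote selector, or, with a permissive selector, the server's reply is routed out Site A's own Internet link) and why rewriting the source to a trusted-subnet address fixes both.

```python
"""Constructed model of reply-path selection for a server behind a BOVPN
that is published on the other site's public IP (not WatchGuard code)."""
import ipaddress

# Addresses from the thread, plus two assumptions (marked).
WEB_SERVER = "192.168.1.10"
SITE_B_TRUSTED_IF = "192.168.2.1"   # assumption: Site B trusted interface IP
CLIENT = "203.0.113.5"              # constructed external client address

# Site A firewall routing table: longest-prefix match wins.
SITE_A_ROUTES = {
    "192.168.1.0/24": "trusted",
    "192.168.2.0/24": "bovpn",      # tunnel route to Site B's trusted subnet
    "0.0.0.0/0": "external",        # default route: Site A's own Internet link
}

# BOVPN tunnel routes at Site B as (Local, Remote) selector pairs.
# The normal tunnel carries only Site B trusted <-> Site A trusted traffic;
# the "any" variant models a tunnel that accepts any source toward Site A.
SITE_B_TUNNEL_NORMAL = ("192.168.2.0/24", "192.168.1.0/24")
SITE_B_TUNNEL_ANY = ("0.0.0.0/0", "192.168.1.0/24")


def route_lookup(routes, dst):
    """Return the egress interface for dst using longest-prefix match."""
    addr = ipaddress.ip_address(dst)
    best_net, best_iface = None, None
    for prefix, iface in routes.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_iface = net, iface
    return best_iface


def tunnel_accepts(tunnel, src, dst):
    """A packet enters the IPsec tunnel only if src is in Local and dst in Remote."""
    local, remote = (ipaddress.ip_network(n) for n in tunnel)
    return ipaddress.ip_address(src) in local and ipaddress.ip_address(dst) in remote


def site_b_snat(client_src, set_source_ip):
    """Incoming HTTP/HTTPS policy at Site B: destination is rewritten from the
    public IP to the web server; with set_source_ip the source is rewritten to
    the trusted interface address, otherwise the client's address is kept."""
    src = SITE_B_TRUSTED_IF if set_source_ip else client_src
    return src, WEB_SERVER


def trace(set_source_ip, tunnel=SITE_B_TUNNEL_NORMAL):
    """Follow one request into the tunnel and the server's reply out of Site A.
    The session only works if the reply leaves Site A over the BOVPN."""
    src, dst = site_b_snat(CLIENT, set_source_ip)
    result = {"packet_source": src, "enters_tunnel": tunnel_accepts(tunnel, src, dst)}
    if not result["enters_tunnel"]:
        # Dropped at Site B: no tunnel route matches, so nothing reaches Site A.
        result["reply_egress"] = None
        result["session_works"] = False
        return result
    # The server replies to whatever source it saw; Site A routes by destination.
    result["reply_egress"] = route_lookup(SITE_A_ROUTES, src)
    result["session_works"] = result["reply_egress"] == "bovpn"
    return result


if __name__ == "__main__":
    print("no Set source IP, normal tunnel:", trace(False))
    print("no Set source IP, any-source tunnel:", trace(False, SITE_B_TUNNEL_ANY))
    print("Set source IP = trusted interface:", trace(True))
```

Running it shows that with the client's address preserved the packet either never matches the tunnel selector at Site B or, if the tunnel is permissive, comes back from Site A's external interface (asymmetric routing, so the client never sees a valid reply from 80.77.66.11). With the source set to 192.168.2.1 the reply matches the 192.168.2.0/24 route and returns over the BOVPN, where Site B can undo the NAT toward the client.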
