Address translation in VPN, both directions

  • I have a couple of VPNs that access a machine inside the network on an IP address that we translate (destination NAT, tunnel interface), so (customer)->(internet)-(>(

    Now I also need to do the opposite (source NATing, but with the same address), so>>(internet)-(customer)

    I did some testing with DIP, but from what I understood the DIP messed up the policy lookup (different zones), if you understand what I mean?

    So it dropped the incoming packets. How do I avoid that, MIP?

  • Like you said, the policy lookup will be messed up, as the firewall would think that the public IP address is located in the untrust zone. There is no difference in this behaviour whether it’s DIP’ed or MIP’ed.

    Of course if you need to both SNAT and DNAT your traffic, MIP would be the way to go, as it enables a one-to-one mapping without specifying multiple addresses in the VPN definitions of either side.

    What we do, if we need to initiate traffic from the inside on a tunnel NAT’ed to a public address, is to make a host route (/32) for the public IP address (NAT address) pointing towards the interface of the inside host. You shouldn’t specify any gateway.

    This would make the SSG behave correctly, policy-lookup wise.

    Hope this helps.
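An added illustration (not ScreenOS code and not from either poster) of why the /32 host route changes the outcome: a simplified model in which the destination zone is derived from a longest-prefix route lookup, so the return packet to the NAT'ed public address lands in "untrust" without the host route and in "trust" with it. Interface names, zones, addresses and policies are constructed for the example.

```python
import ipaddress

# Constructed, simplified model of route-based zone lookup. It is not ScreenOS
# code; it only shows why the /32 host route changes the policy decision.
INTERFACE_ZONE = {"ethernet0/2": "trust", "tunnel.1": "untrust", "ethernet0/0": "untrust"}

# Hypothetical addresses (RFC 5737 documentation ranges).
INSIDE_HOST = "10.1.1.10"    # real address of the inside machine
PUBLIC_IP = "203.0.113.10"   # address the customer sees (MIP / SNAT address)

ROUTES = [
    ("0.0.0.0/0", "ethernet0/0"),       # default route towards the internet
    ("10.1.1.0/24", "ethernet0/2"),      # inside LAN
    ("198.51.100.0/24", "tunnel.1"),     # customer network reached via the VPN
]
HOST_ROUTE = ("203.0.113.10/32", "ethernet0/2")  # the fix: interface only, no gateway

POLICIES = [
    {"from": "trust", "to": "untrust", "action": "permit"},
    {"from": "untrust", "to": "trust", "action": "permit"},
]

def egress_interface(routes, ip):
    """Longest-prefix match; returns the interface the winning route points at."""
    addr = ipaddress.ip_address(ip)
    best = None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None

def zone_of(routes, ip):
    """The zone the firewall believes an address lives in, derived from the route."""
    return INTERFACE_ZONE[egress_interface(routes, ip)]

def policy_action(src_zone, dst_zone):
    for p in POLICIES:
        if (p["from"], p["to"]) == (src_zone, dst_zone):
            return p["action"]
    return "deny"  # no matching policy: implicit deny

def reply_decision(routes, ingress_iface="tunnel.1"):
    """Packet from the customer arriving on the tunnel, destined to the public address.
    Source zone comes from the ingress interface, destination zone from the route."""
    src_zone = INTERFACE_ZONE[ingress_iface]
    dst_zone = zone_of(routes, PUBLIC_IP)
    return dst_zone, policy_action(src_zone, dst_zone)

if __name__ == "__main__":
    print("without host route:", reply_decision(ROUTES))               # ('untrust', 'deny')
    print("with host route:", reply_decision(ROUTES + [HOST_ROUTE]))   # ('trust', 'permit')
```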