topic Traffic from FW takes External IP in General Topics

Traffic from FW takes External IP

sajin — Mon, 19 Aug 2019 13:02:14 GMT

HI,

We need to configure all firewall in the remote location with Centralized NTP. NTP is in HO and we are connecting remote sites only through VPN. Remote Firewalls are not able to connect to NTP and not able to ping.

In the tracker we identified the Remote Firewall takes its External Public IP as the source and is dropped in the HO FW, as encryption domain IP is only allowed.

The firewall is configured with HO DNS and nslookup from the Remote FWs is resolving with the HO DNS .

All other communication other than nslookup is taking the Public IP to reach HO DNS.

Re: Traffic from FW takes External IP

Maarten_Sjouw — Mon, 19 Aug 2019 14:10:38 GMT

Try to change the VPN community and set the option: Disable NAT inside the VPN community.
You can also try to setup a NAT rule to make sure that you use the internal interface IP when you access NTP server, or any of the other services that do not work properly.
It can also be part of the implied rules, which among other things LDAP is one of.

Re: Traffic from FW takes External IP

sajin — Mon, 19 Aug 2019 17:11:25 GMT

NO NAT rule is present between Encryption Domains. Is it mandatory to Disable NAT in the community?.

Re: Traffic from FW takes External IP

Wolfgang — Mon, 19 Aug 2019 17:41:19 GMT

sajin,

maybe you have configured automatic NAT on the firewall object or on the network object ?

Disabling NAT in the VPN community is not mandatory, but if enabled no NAT is done for the connection going through the VPN tunnel, whatever is configured in the NAT rulebase.

Wolfgang.