Hi all,
sk116097 tells us that if we need to DNAT inside a VPN we must use route-based and not domain-based, and I am wondering if that is really true, or if there is a workaround to achieve this?
My setup is identical to the one pictured in the SK. I have added both the pre- and post-NAT address to the satellite encryption domain. The interesting thing is, my logs say the traffic is encrypted and the destination IP is NATed, which makes me hopeful; however, the traffic doesn't actually make it through the tunnel. The remote end doesn't see it in a packet capture, and the local Check Point gateway only shows a little "i" in fw monitor.
I am doing the same traffic in reverse, in that case hide-NATing the source IP through the tunnel, and that does work fine, which I suspect means my setup is correct and it just won't work. But I really hope there is some other solution than a VTI.
Flow #1 - doesn't work
pre nat - src: 10.0.0.100 dst: 10.0.0.10
post nat - src: 10.0.0.100 dst: 30.0.0.1(s)
Flow #2 - does work
pre nat - src: 30.0.0.1 dst: 10.0.0.100
post nat - src: 10.0.0.10(H) dst: 10.0.0.10
Gateway A encryption domain: local 10.0.0.100/32, remote 30.0.0.1/32, 10.0.0.10/32
Gateway B encryption domain: local 30.0.0.1/32, remote 10.0.0.100/32
I have tried adding 10.0.0.10/32 to gateway b local domain but it didn't make a difference
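As an added example (not part of the original post, and not Check Point's own matching logic), the following script models the encryption-domain membership checks most people reason with when debugging a case like the one above, using the two domains and the flows exactly as the poster lists them. It also reports where the two domains are not mirror images of each other. The `GATEWAY_A`/`GATEWAY_B` dictionaries, the function names and the "src in local, dst in remote" rule are assumptions made for this example; a real gateway's VPN/NAT ordering is not represented here, so a flow passing every check in this model can still fail on the box, as the post reports.

```python
from ipaddress import ip_address, ip_network

# Encryption domains as given in the post; constructed input for this example.
GATEWAY_A = {
    "local": ["10.0.0.100/32"],
    "remote": ["30.0.0.1/32", "10.0.0.10/32"],
}
GATEWAY_B = {
    "local": ["30.0.0.1/32"],
    "remote": ["10.0.0.100/32"],
}


def in_domain(addr, networks):
    """True if addr falls inside any of the listed networks."""
    a = ip_address(addr)
    return any(a in ip_network(n, strict=False) for n in networks)


def domain_match(gateway, src, dst):
    """Simplified model (assumption, not Check Point's real logic): a packet is a
    tunnel candidate on this gateway if src is in its local domain and dst is in
    its remote domain."""
    return in_domain(src, gateway["local"]) and in_domain(dst, gateway["remote"])


def evaluate_flow(src_pre, dst_pre, src_post, dst_post):
    """Check a flow before and after NAT from gateway A's side, plus the reply
    direction from gateway B's side (src/dst swapped)."""
    return {
        "a_pre_nat": domain_match(GATEWAY_A, src_pre, dst_pre),
        "a_post_nat": domain_match(GATEWAY_A, src_post, dst_post),
        "b_reply_post_nat": domain_match(GATEWAY_B, dst_post, src_post),
    }


def mirror_mismatches(gw_a, gw_b):
    """Networks one side lists as remote that the other side does not claim as
    local, i.e. where the two encryption domains are not mirror images."""
    def nets(lst):
        return {ip_network(n, strict=False) for n in lst}
    a_remote_not_b_local = sorted(str(n) for n in nets(gw_a["remote"]) - nets(gw_b["local"]))
    b_remote_not_a_local = sorted(str(n) for n in nets(gw_b["remote"]) - nets(gw_a["local"]))
    return {
        "a_remote_not_in_b_local": a_remote_not_b_local,
        "b_remote_not_in_a_local": b_remote_not_a_local,
    }


if __name__ == "__main__":
    # Flow #1 from the post: DNAT of 10.0.0.10 to 30.0.0.1 on the way into the tunnel.
    print("Flow #1:", evaluate_flow("10.0.0.100", "10.0.0.10", "10.0.0.100", "30.0.0.1"))
    # Flow #2 from the post, seen from gateway B before its hide NAT.
    print("Flow #2 (B side, pre-NAT):", domain_match(GATEWAY_B, "30.0.0.1", "10.0.0.100"))
    print("Domain asymmetry:", mirror_mismatches(GATEWAY_A, GATEWAY_B))
```

With the post's domains, Flow #1 passes every membership check in this model both before and after NAT, which is consistent with the log saying the traffic was encrypted; the only asymmetry the script finds is that 10.0.0.10/32 appears in gateway A's remote domain but not in gateway B's local domain, which is the entry the poster says they tried adding on gateway B without effect.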