Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 

Route Incoming external traffic over VPN

Jump to solution

Hi, 

 

I am struggling with routing external incoming traffic that is coming from the External Interface via a VPN tunnel?

The traffic flow should be:

External IP --> External GW published IP  --> Static NAT to internal dst IP --> VPN Tunnel --> dst 

 

To explain shortly - incoming traffic from external IP is hitting the GW published IP (via Proxy ARP) and NATed to an internal address which should be routed via the VPN.

I added the External IP address to the VPN domain but still the Traffic is not routed over the VPN but going out back via the external interface 

There is a static NAT to translate the external dst IP address to the Internal dst IP address which should go to the VPN 

External IP --> External GW  IP 

External IP --> Internal dst IP  

however the traffic goes back via the External Interface 

Any SK or a idea how to tackle this issue?

 

 

0 Kudos
Reply
1 Solution

Accepted Solutions
Admin
Admin

If it’s from a specific IP in the encryption domain, 
it sounds like a bug.
You might want to engage with the TAC.

View solution in original post

0 Kudos
Reply
3 Replies
Admin
Admin

The decision to encrypt is based on the source IP being in the encryption domain, which I'm guessing is not the case here.
Perhaps with a route-based VPN and a null encryption domain, you could make this work.

0 Kudos
Reply

Hi PB, 

The traffic is coming from external interface and although I added the External Incoming IP to the VPN domain it is still not routed via the tunnel. I guess the VPN topology doesn't include external address for a reason (or a bug in the VPN topology calculation). I tried to find any SK about routing external traffic via internal VPN but couldn't find anything useful

I was trying to avoid route-based VPN but I guess this is the only way so I will have a look at it 

Thanks for your answer 

 

0 Kudos
Reply
Admin
Admin

If it’s from a specific IP in the encryption domain, 
it sounds like a bug.
You might want to engage with the TAC.

View solution in original post

0 Kudos
Reply