Hi All,
Currently I am doing a test that includes 3 CP FWs. The CP FWs at both ends will set up a site-to-site VPN tunnel. An SMB will be sitting in front of the R75.40, acting as a NAT device for the R75.40. You can have a look below for the setup reference.
Host(172.17.17.100)--------(172.17.17.1)R80.40(192.168.237.188) <=======Internet==========>(192.168.237.230) SMB(165.10.10.2) <=====>(165.10.10.1) R75.40(10.10.10.1)---------(10.10.10.10)Host
The IPs mentioned above are the external and internal IPs of the interfaces of the devices.
Now, after setting up the site-to-site VPN tunnel, I can see that phase 1 and phase 2 on both ends are up and working fine. When I tried to ping from the left side to the right side or vice versa, it is not working; the hosts are unpingable.
When I do a ping from the right side to the left side and do a tcpdump on the internal interface of the SMB, I am able to see that the ESP packets from 165.10.10.1 to 192.168.237.188 are coming into the internal interface of the SMB [165.10.10.2].
But when I tcpdump the external interface of the SMB [192.168.237.230], I am able to see ESP traffic from 192.168.237.230 to 192.168.237.188 and from 192.168.237.188 to 192.168.237.230 going back and forth on the external interface of the SMB. This means that the traffic did go out to the right side and the reply came back to the SMB.
But when I tcpdump the internal interface of the SMB, there are no reply packets from 192.168.237.188, meaning that the packets only get as far as the external interface of the SMB.
I checked the logs of the SMB, and it shows these logs.
Does anyone have any idea what this rule 0 is, and why it is blocking this connection? Because this SMB should just act as a NAT device and pass the connection's packets back to the right side.
I disabled all the features of the SMB and added a static NAT rule so that traffic with original source 192.168.237.188 and original destination 192.168.237.230 is translated to 165.10.10.1 as the translated destination.
Thank you
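As an added example (not part of the original post or of any Check Point tool), the tcpdump comparison described above turned into a small script: it counts ESP packets per source/destination pair on each SMB interface and reports pairs that never see return traffic, so the hop where the replies disappear can be pinned down. The capture lines are constructed to mirror the post's addresses; the SPI values and timestamps are assumptions.

```python
import re
from collections import Counter

# Constructed tcpdump excerpts (not from the original post), modelled on the
# topology in the post: R75.40 (165.10.10.1) sits behind the SMB, which NATs
# it to 192.168.237.230 when talking to R80.40 (192.168.237.188).
INTERNAL_IFACE = """\
10:00:01.000100 IP 165.10.10.1 > 192.168.237.188: ESP(spi=0x1a2b3c4d,seq=0x1), length 132
10:00:02.000100 IP 165.10.10.1 > 192.168.237.188: ESP(spi=0x1a2b3c4d,seq=0x2), length 132
"""
EXTERNAL_IFACE = """\
10:00:01.000200 IP 192.168.237.230 > 192.168.237.188: ESP(spi=0x1a2b3c4d,seq=0x1), length 132
10:00:01.000900 IP 192.168.237.188 > 192.168.237.230: ESP(spi=0x9f8e7d6c,seq=0x1), length 132
10:00:02.000200 IP 192.168.237.230 > 192.168.237.188: ESP(spi=0x1a2b3c4d,seq=0x2), length 132
10:00:02.000900 IP 192.168.237.188 > 192.168.237.230: ESP(spi=0x9f8e7d6c,seq=0x2), length 132
"""

# tcpdump prints ESP as "IP src > dst: ESP(spi=0x...,seq=0x...), length N"
ESP_RE = re.compile(r"IP (\S+) > (\S+): ESP\(spi=(0x[0-9a-fA-F]+),seq=(0x[0-9a-fA-F]+)\)")


def esp_flows(capture: str) -> Counter:
    """Count ESP packets per (src, dst) pair in a tcpdump text capture."""
    flows = Counter()
    for line in capture.splitlines():
        m = ESP_RE.search(line)
        if m:
            flows[(m.group(1), m.group(2))] += 1
    return flows


def one_way_flows(capture: str) -> list:
    """Return (src, dst) pairs seen on an interface with no ESP coming back."""
    flows = esp_flows(capture)
    return sorted(pair for pair in flows if (pair[1], pair[0]) not in flows)


def locate_drop(internal: str, external: str) -> str:
    """Classify where the return ESP traffic stops, given both SMB captures."""
    if one_way_flows(external):
        return "peer_or_path"      # nothing comes back even on the outside
    if one_way_flows(internal):
        return "nat_device"        # replies reach outside but never go inward
    return "ok"                    # ESP is bidirectional on both interfaces


if __name__ == "__main__":
    print("internal one-way:", one_way_flows(INTERNAL_IFACE))
    print("external one-way:", one_way_flows(EXTERNAL_IFACE))
    print("verdict:", locate_drop(INTERNAL_IFACE, EXTERNAL_IFACE))
```

For a real capture, feed the output of `tcpdump -nni <iface> esp` on each SMB interface in place of the constructed strings.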