Configure Inbound IPSec Pass-through with SNAT
By default, the Firebox is configured to terminate all inbound IPSec VPN tunnels at the Firebox. You can configure the Firebox to pass inbound IPSec VPN traffic through to another VPN endpoint, such as a VPN concentrator on the trusted or optional network.
To configure the Firebox to pass this VPN traffic to another endpoint, you must disable the built-in IPSec policy that sends all inbound traffic to the Firebox. Then you must create specific IPSec policies to handle incoming VPN traffic that terminates at the Firebox or at another device on your network. You can use a static NAT (SNAT) action in the policy to map an external IP address to the private IP address of the VPN endpoint on your network.
Disable the Built-in IPSec Policy
Because the built-in IPSec policy is a hidden policy, you cannot edit it directly. You must disable it in the VPN global settings.
To disable the built-in IPSec policy, from Fireware Web UI:
- Select VPN > Global Settings.
- Clear the Enable the built-in IPSec Policy check box.
To disable the built-in IPSec policy, from Policy Manager:
- Select VPN > VPN Settings.
- Clear the Enable the built-in IPSec Policy check box.
Add IPSec Policies
After you disable the built-in IPSec policy, you must add one or more IPSec packet filter policies to handle incoming IPSec VPN traffic.
For example, if your Firebox has a primary external IP address of 203.0.113.2, and a secondary external IP address of 203.0.113.10, you could use an SNAT action in an IPSec policy to map IPSec traffic that comes to the secondary external IP address to the private IP address of the VPN concentrator. You could create another policy to send all other incoming IPSec traffic to the Firebox.
Those two policies could look like this:
Policy: IPSec_to_VPN_concentrator
IPSec connections are: Allowed
From: Any-External
To: 203.0.113.10 --> 10.0.2.10 (added as an SNAT action)
Policy: IPSec_to_Firebox
IPSec connections are: Allowed
From: Any-External
To: Firebox
If auto-order mode is enabled, the policies are automatically sorted in the correct precedence order, and the IPSec policy that contains the SNAT action is placed higher in the policy list than the other IPSec policy. Policies are evaluated top down, so all incoming IPSec traffic with a destination that does not match the SNAT rule in the first IPSec policy is handled by the second IPSec policy. If you manage the policy order manually, keep the policy with the SNAT action above the policy whose destination is the Firebox; otherwise the Firebox policy matches the traffic first and terminates it at the Firebox.
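To make the precedence rule concrete, here is a small first-match model of the two policies above. It is an added example written for this page, not WatchGuard code, and it only imitates the dispatch logic: the set of IPSec services it admits (IKE on UDP/500, NAT-T on UDP/4500, ESP and AH), the treatment of "Any-External" as 0.0.0.0/0, and the assumption that a "To: Firebox" policy matches every external address of the Firebox are all assumptions of the model. The source addresses and packets are constructed sample input. Running it with the policies in the documented order and then in reverse order shows why the SNAT policy has to sit above the other IPSec policy.

```python
"""First-match model of two inbound IPSec policies, one with an SNAT action.

Added example (not WatchGuard code). It reproduces the dispatch described in
the text so the effect of policy order can be checked offline.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Traffic an "IPSec connections are: Allowed" packet filter is assumed to admit:
# IKE (UDP/500), NAT-T (UDP/4500), ESP (IP protocol 50) and AH (IP protocol 51).
IPSEC_SERVICES = {("udp", 500), ("udp", 4500), ("esp", None), ("ah", None)}

# External addresses of the Firebox from the text: primary and secondary.
FIREBOX_EXTERNAL = {ip_address("203.0.113.2"), ip_address("203.0.113.10")}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                   # "udp", "esp" or "ah"
    dport: Optional[int] = None  # only meaningful for udp


@dataclass
class Policy:
    name: str
    from_net: str                  # "0.0.0.0/0" stands in for Any-External
    to: str                        # "Firebox" or one external IP address
    snat_to: Optional[str] = None  # private address set by an SNAT action

    def matches(self, pkt: Packet) -> bool:
        """True if the packet is IPSec traffic from the policy's source
        network to the policy's destination."""
        if (pkt.proto, pkt.dport) not in IPSEC_SERVICES:
            return False
        if ip_address(pkt.src) not in ip_network(self.from_net):
            return False
        if self.to == "Firebox":
            # Assumption of the model: "To: Firebox" covers every external
            # address the Firebox owns, including the secondary one.
            return ip_address(pkt.dst) in FIREBOX_EXTERNAL
        return ip_address(pkt.dst) == ip_address(self.to)


def dispatch(policies: List[Policy], pkt: Packet) -> Optional[Tuple[str, str]]:
    """Return (policy name, final destination) for the first policy that
    matches, applying the SNAT rewrite when the policy carries one.
    None means no IPSec policy matched and the packet is not handled here."""
    for pol in policies:
        if pol.matches(pkt):
            return pol.name, (pol.snat_to or pkt.dst)
    return None


def run(policies: List[Policy], packets: List[Packet]):
    return [dispatch(policies, p) for p in packets]


# The two policies from the text, in the order auto-order mode produces.
AUTO_ORDER = [
    Policy("IPSec_to_VPN_concentrator", "0.0.0.0/0", "203.0.113.10",
           snat_to="10.0.2.10"),
    Policy("IPSec_to_Firebox", "0.0.0.0/0", "Firebox"),
]
# Same policies with the Firebox policy on top: the SNAT policy is never reached.
REVERSED_ORDER = list(reversed(AUTO_ORDER))

# Constructed sample traffic from one remote peer: IKE to the secondary
# address, NAT-T to the primary, ESP to the secondary, and a non-IPSec packet.
SAMPLE = [
    Packet("198.51.100.7", "203.0.113.10", "udp", 500),
    Packet("198.51.100.7", "203.0.113.2", "udp", 4500),
    Packet("198.51.100.7", "203.0.113.10", "esp"),
    Packet("198.51.100.7", "203.0.113.10", "udp", 443),
]

if __name__ == "__main__":
    for label, pols in (("auto-order", AUTO_ORDER), ("reversed", REVERSED_ORDER)):
        print(label)
        for pkt, result in zip(SAMPLE, run(pols, SAMPLE)):
            print(f"  {pkt.proto}/{pkt.dport} to {pkt.dst}: {result}")
```

With the documented order, IKE and ESP to the secondary address are rewritten to the concentrator at 10.0.2.10 and NAT-T to the primary address stays at the Firebox; with the order reversed, every IPSec packet, including the ones meant for the concentrator, is claimed by the Firebox policy. The UDP/443 packet matches neither policy in either order, which is the expected result for non-IPSec traffic reaching these policies.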
Example of a configuration with two IPSec policies in Policy Manager.
This example uses static NAT to direct incoming traffic to the internal VPN concentrator. You could also use 1-to-1 NAT for this purpose.