Define a Route for All Internet-Bound Traffic Through a Branch Office VPN Tunnel

When you enable remote users to access the Internet through a VPN tunnel, the most secure setup is to require that all remote user Internet traffic is routed through the VPN tunnel to the Firebox. From the Firebox, the traffic is then sent back out to the Internet. With this configuration (known as a hub route or default-route VPN), the Firebox is able to examine all traffic and provide increased security, although more processing power and bandwidth on the Firebox is used. When you use default-route VPN, a dynamic NAT policy must include the outgoing traffic from the remote network. This allows remote users to browse the Internet when they send all traffic to the Firebox.

When you define a default route through a BOVPN tunnel, you must do three things:

  • Configure a BOVPN on the remote Firebox (whose traffic you want to send through the tunnel) to send all traffic from its own network address to 0.0.0.0/0.
  • Configure a BOVPN on the central Firebox to allow traffic to pass through it to the remote Firebox.
  • Add a route on the central Firebox from 0.0.0.0/0 to the network address of the remote Firebox.

Before you begin the procedures in this topic, you must have already created a manual branch office VPN between the central and remote Fireboxes. For information on how to create this VPN tunnel, go to About Manual IPSec Branch Office VPNs.

WARNING: If you use a default route to send traffic to the Internet through a hub Firebox, and the hub Firebox uses an HTTP-proxy or HTTPS-proxy to examine the outbound traffic, you must enable TCP MTU probing in the global networking settings on the hub Firebox for web browsing to function correctly for clients connected to the remote Firebox. For more information, go to Define Firebox Global Settings.

Configure the BOVPN Tunnel on the Remote Firebox

Configure the BOVPN Tunnel on the Central Firebox

Add a Dynamic NAT Entry on the Central Firebox

To allow a computer with a private IP address to access the Internet through the Firebox, you must configure the central Firebox to use dynamic NAT. With dynamic NAT, the Firebox replaces the private IP address included in a packet sent from a computer protected by the Firebox with the public IP address of the Firebox itself. By default, dynamic NAT is enabled and active for the three RFC-approved private network addresses:

192.168.0.0/16 - Any-External
172.16.0.0/12 - Any-External
10.0.0.0/8 - Any-External

When you set up a default route through a branch office VPN tunnel to another Firebox, you must add a dynamic NAT entry for the subnet behind the remote Firebox if its IP addresses are not within one of the three private network ranges.

Related Topics

About Dynamic NAT

Make Managed Tunnels Between Devices