Have a SG580 with a DNAT setup (via gui) to forward packets from static ext IP/Port to internal IP/Port. Say ext 184.108.40.206:3000 to int 192.168.1.1:3000
Have a SG560 at satellite office and looking in the logs of that I can see my application contact 220.127.116.11 and get a response back but on the 2nd packet on it won't show the destination being 18.104.22.168 but 192.168.1.1 and so it doesn't work.
Why or how is my destination address changing from the correct external IP to the incorrect internal IP and is there a way to fix this. I have many other dnats on the SG580 and never seen anything like this.
Any help would be greatly appreciated.
Shame that these units are discontinued, still working very well many years on.
the packet is not being source natted to 22.214.171.124 when it is being sent out from the SG580 upon its return to the satellite office.
try as a workaround to create a source nat rule that does this translateion( will be the opposite of the DNAT rule )
Ok, I have since setup an ipsec tunnel between both locations to make life easier, but still having similar issue sort of.
I can ping/tracert between both internal networks. But now when an application at the satellite office sends a request to the headoffice, the headoffice router sends the reponse back to the satellite offices WAN IP rather than the internal IP. So similar issue to above but no sending to external rather than internal.
Any ideas as I was hoping with a full site to site VPN all my issues would go away.
I'm not as familiar with SnapGears as I am with the larger McAfee Firewalls though I do have one running at home providing me with an IPSec tunnel back to the McAfee Firewall Enterprise appliance located at my company's offices. As I understand it, the presence of the site-to-site IPSec tunnel should automatically take control of this traffic before it is even seen by any other aspect of the Firewall.
However, I'm anticipating that there may be some residual routing/NAT configuration from your earlier attempts which may be confusing the situation. Have you removed these legacy settings?
On a couple of occasions I have experienced a situation where traffic should be sent over a VPN, but for reasons unknown it is not. Deleting and recreating the IPSec tunnel normally fixes it.
I will happily defer to Ross' expertise on this product, but hope that this proves to be useful to you.
Thanks for the reply, I did turn off my previous rules/filters but agree that could still be something that is adding to the issue. I will give your suggestion a go, backup the config and remove a lot of old configuration and test over the weekend as this is a live/production unit.
I will try deleting and recreating the VPN also, as you suggest.