In the following example, our goal is to reach the remote host 10.0.1.6 from a Banyan-connected device through the existing Tunnel Interface.
To allow a Banyan-connected user to access resources located behind an existing Tunnel Interface (TI) VPN, you must configure a manual NAT policy to translate traffic originating from the CSE Access Tier IPs. You must also enable the Apply NAT Policies option on the Tunnel Interface route so the translated traffic is correctly forwarded.
LAB Environment Details (at the time this KB was created):
Client OS: Windows (Banyan app version 3.27.2)
Firewall Platform: SonicWall (version 7.3.1-7013)
CSE Connector: TZ Local firewall
Remote Firewall: SonicWall NSv
Local Subnet: 192.168.255.0/24
Remote Subnet: 10.0.1.0/24
CSE Access Tier IPs: Created by default during CSE setup
Local Firewall (CSE Connector)
1.- Create a NAT Policy
Create a manual NAT rule that translates traffic originating from the CSE Access Tier IPs to a known local subnet IP when accessing the remote subnet.
Policy | Rules and Policies | NAT Rules
2.- Modify the existing Tunnel Interface VPN
Enable the Apply NAT Policies option on the Tunnel Interface so the NAT rule created above is applied to traffic entering the VPN tunnel.
Network | IPSec VPN | Rules and Settings | Advanced
3.- Verify Private CIDRs
Confirm that the remote subnet, and any other subnets you want to reach through the tunnel (for example 10.0.1.0/24), are included in the CSE Connector's Private CIDR configuration. The Banyan client only steers traffic for these CIDRs into the connector, so a subnet missing here never reaches the NAT rule or the tunnel.
Network | Cloud Secure Edge | Access Settings
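The three steps above interact, and it helps to see which failure each one prevents. The following is an added example (not SonicWall or Banyan code) that models the connector's forwarding decision for a packet from a Banyan client to the remote host: the Private CIDR check from step 3, the Tunnel Interface route with its Apply NAT Policies flag from step 2, and the manual NAT rule from step 1. The lab subnets are taken from the KB; the CSE Access Tier range (10.200.0.0/24) and the translated source IP (192.168.255.254) are assumptions, since the page does not state them.

```python
"""Model of how a Banyan (CSE) client packet is handled on the connector firewall
before it enters the Tunnel Interface VPN.  Added example, not SonicWall or Banyan
code.  Access Tier range and translated source IP are assumed values."""
import ipaddress
from dataclasses import dataclass, field

IPv4Net = ipaddress.IPv4Network
IPv4Addr = ipaddress.IPv4Address


@dataclass
class NatRule:
    """Manual NAT rule: Original Source / Original Destination / Translated Source."""
    original_src: IPv4Net
    original_dst: IPv4Net
    translated_src: IPv4Addr


@dataclass
class TunnelRoute:
    """Route via the Tunnel Interface, with its Apply NAT Policies flag."""
    destination: IPv4Net
    apply_nat_policies: bool


@dataclass
class ConnectorConfig:
    private_cidrs: list = field(default_factory=list)      # CSE Access Settings
    nat_rules: list = field(default_factory=list)          # manual NAT policies
    tunnel_routes: list = field(default_factory=list)      # routes over the TI
    remote_known_nets: list = field(default_factory=list)  # networks the remote side routes back to


def forward(cfg: ConnectorConfig, src: str, dst: str) -> dict:
    """Return what happens to one packet: does it reach the connector, which route
    it takes, which source the remote host sees, and whether a reply can come back."""
    src_ip, dst_ip = IPv4Addr(src), IPv4Addr(dst)
    result = {"reaches_connector": False, "route": None,
              "src_seen_by_remote": None, "remote_can_reply": False}

    # Step 3: the client only sends traffic for Private CIDRs to the connector.
    if not any(dst_ip in cidr for cidr in cfg.private_cidrs):
        return result
    result["reaches_connector"] = True

    # Route lookup on the connector: longest prefix match among tunnel routes.
    candidates = [r for r in cfg.tunnel_routes if dst_ip in r.destination]
    if not candidates:
        return result
    route = max(candidates, key=lambda r: r.destination.prefixlen)
    result["route"] = str(route.destination)

    # Steps 1 and 2: the NAT rule is consulted only if Apply NAT Policies is on.
    seen = src_ip
    if route.apply_nat_policies:
        for rule in cfg.nat_rules:
            if src_ip in rule.original_src and dst_ip in rule.original_dst:
                seen = rule.translated_src
                break
    result["src_seen_by_remote"] = str(seen)

    # The remote firewall can only answer a source it has a route back to.
    result["remote_can_reply"] = any(seen in net for net in cfg.remote_known_nets)
    return result


def lab_config(apply_nat: bool = True, include_remote_cidr: bool = True) -> ConnectorConfig:
    """Lab values from the KB; Access Tier range and translated IP are assumed."""
    access_tier = IPv4Net("10.200.0.0/24")   # assumed CSE Access Tier range
    local = IPv4Net("192.168.255.0/24")      # local X0 subnet from the lab
    remote = IPv4Net("10.0.1.0/24")          # remote subnet from the lab
    cidrs = [local] + ([remote] if include_remote_cidr else [])
    return ConnectorConfig(
        private_cidrs=cidrs,
        nat_rules=[NatRule(access_tier, remote, IPv4Addr("192.168.255.254"))],  # assumed translated IP
        tunnel_routes=[TunnelRoute(remote, apply_nat)],
        remote_known_nets=[local],  # the remote firewall already routes the local subnet over the TI
    )


if __name__ == "__main__":
    scenarios = [("all three steps done", lab_config()),
                 ("Apply NAT Policies off", lab_config(apply_nat=False)),
                 ("remote CIDR missing", lab_config(include_remote_cidr=False))]
    for label, cfg in scenarios:
        print(f"{label}: {forward(cfg, '10.200.0.5', '10.0.1.6')}")
```

Running it shows the two failure modes a practitioner meets in this setup: with Apply NAT Policies off, the packet still enters the tunnel but the remote host sees the untranslated Access Tier address and has no route back; with the remote subnet missing from Private CIDRs, the packet never reaches the connector at all, so no amount of NAT or VPN tuning will help.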
Remote Firewall
No changes are required on the remote firewall in this scenario because the remote subnet (e.g., the remote X0 network) is already known and routable. However, it is recommended to verify that:
Additional Tips:
- Toggle the VPNs (Disable/Enable) to ensure that the newly added subnets are properly recognized and applied.
- Verify the new Remote subnet is active and visible on the Banyan device.
- Confirm there are no blocking mechanisms on the destination server, such as Windows Firewall, antivirus software, or internal access control rules.
- Enable packet capture on both the local and remote firewalls to trace the traffic flow if connectivity issues arise. Filtering the capture on the destination IP (10.0.1.6 in this example) shows on the local firewall whether the source was translated before entering the tunnel, and on the remote firewall whether the packets arrive and whether replies are sent back.