Using Policy Based VPN firewall generates packet for NAT over VPN sourced out of X1 instead of X0

03/26/2020 11 12965

DESCRIPTION:
There is a NAT over VPN setup where the source network is being NAT'd when it goes through the VPN tunnel. The problem is that when the SonicWall generates a ping destine to a VPN IP machine, it does not NAT the local IP address to the NAT'd network but instead sends the traffic out the primary WAN X1 interface which causes the ping from the SonicWall to fail.

RESOLUTION:

1. Set up a new Address Group called “local group” which includes X0 IP and the translated network “192.168.3.1”

1. Create VPN policy. The local network is X0 subnet(192.168.168.0/24) and the remote network is 192.168.24.0/24.
   1. Enable the Advance option “Apply NAT policies”, using “local group” created in Step1 as the Translated Local Network, using Original as the Translated Remote Network.

1. Enable the ability to edit NAT policy.
   1. Go to the diag.html(If the management URL is https://192.168.168.168/main.html, the diag page is in https:// 192.168.168.168/diag.html
   2. Enable the checkbox as below

Modify the auto-added NAT policies.
There are two NAT policies auto-added by Step2's VPN policy as below:

For policy 31, we should change the destination Original from local group to “192.168.3.1” as below.
For policy 32, we should change the source translated from local group to “192.168.3.1” as below.

After edit them both, we will see that the priority of the NAT policies is higher than the system NAT policy 33 as below:

We can ping it successfully.