
Configure Inbound IPSec Pass-through with SNAT

By default, the Firebox is configured to terminate all inbound IPSec VPN tunnels at the Firebox. You can configure the Firebox to pass inbound IPSec VPN traffic through to another VPN endpoint, such as a VPN concentrator on the trusted or optional network.

To configure the Firebox to pass this VPN traffic to another endpoint, you must disable the built-in IPSec policy that sends all inbound traffic to the Firebox. Then you must create specific IPSec policies to handle incoming VPN traffic that terminates at the Firebox or at another device on your network. You can use a static NAT (SNAT) action in the policy to map an external IP address to the private IP address of the VPN endpoint on your network.

Disable the Built-in IPSec Policy

Because the built-in IPSec policy is a hidden policy, you cannot edit it directly. You must disable it in the VPN global settings.

To disable the built-in IPSec policy, from Fireware Web UI or Policy Manager:

  1. Select VPN > VPN Settings.
  2. Clear the Enable the built-in IPSec Policy check box.

Add IPSec Policies

After you disable the built-in IPSec policy, you must add one or more IPSec packet filter policies to handle incoming IPSec VPN traffic.

For example, if your Firebox has a primary external IP address of, and a secondary external IP address of, you could use an SNAT action in an IPSec policy to map IPSec traffic that comes to the secondary external IP address to the private IP address of the VPN concentrator. You could create another policy to send all other incoming IPSec traffic to the Firebox.

Those two policies could look like this:

Policy: IPSec_to_VPN_concentrator

IPSec connections are: Allowed
From: Any-External
To: --> (added as an SNAT action)

Policy: IPSec_to_XTM_Device

IPSec connections are: Allowed
From: Any-External
To: Firebox

If auto-order mode is enabled, the policies are automatically sorted in the correct precedence order and the IPSec policy that contains the SNAT action is higher in the policy list than the other IPSec policy. This means that all incoming IPSec traffic with a destination that does not match the SNAT rule in the first IPSec policy is handled by the second IPSec policy.

Example of a configuration with two IPSec policies in Policy Manager.

This example uses static NAT to direct incoming traffic to the internal VPN concentrator. You could also use 1-to-1 NAT for this purpose.
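
The precedence behavior described above can be checked with a small model. This is an added example, not WatchGuard code and not Fireware's actual auto-order algorithm. The IP addresses are constructed placeholders (the page does not give the real ones), and the function names and the "SNAT policies first" sort rule are assumptions made for illustration.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, ip_address
from typing import Optional

# Constructed placeholder addresses; substitute your own.
PRIMARY_EXT = ip_address("203.0.113.2")    # tunnels that terminate at the Firebox
SECONDARY_EXT = ip_address("203.0.113.3")  # tunnels passed through to the concentrator
CONCENTRATOR = ip_address("10.0.1.50")     # private IP of the VPN concentrator

@dataclass(frozen=True)
class Policy:
    name: str
    # External IP matched by the SNAT action; None models "To: Firebox" (any Firebox IP).
    snat_external: Optional[IPv4Address] = None
    snat_internal: Optional[IPv4Address] = None

    def matches(self, dst: IPv4Address) -> bool:
        return self.snat_external is None or dst == self.snat_external

TO_CONCENTRATOR = Policy("IPSec_to_VPN_concentrator", SECONDARY_EXT, CONCENTRATOR)
TO_FIREBOX = Policy("IPSec_to_XTM_Device")

def auto_order(policies):
    """Simplified stand-in for auto-order mode: SNAT policies sort above catch-alls."""
    return sorted(policies, key=lambda p: p.snat_external is None)

def route(policies, dst):
    """First matching policy wins. Returns (policy name, tunnel endpoint)."""
    for p in policies:
        if p.matches(dst):
            endpoint = "Firebox" if p.snat_internal is None else str(p.snat_internal)
            return p.name, endpoint
    # With the built-in IPSec policy disabled, no other policy accepts this traffic.
    return None, "dropped"

def shadowed(policies):
    """SNAT policies that can never match because a 'To: Firebox' policy precedes them."""
    seen_catch_all, hidden = False, []
    for p in policies:
        if p.snat_external is None:
            seen_catch_all = True
        elif seen_catch_all:
            hidden.append(p.name)
    return hidden

if __name__ == "__main__":
    for order in (auto_order([TO_FIREBOX, TO_CONCENTRATOR]), [TO_FIREBOX, TO_CONCENTRATOR]):
        print([p.name for p in order], route(order, SECONDARY_EXT), shadowed(order))
```

If policies are ordered manually, a non-empty result from the shadowing check means the pass-through policy is never reached and tunnels intended for the concentrator terminate at the Firebox instead.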

See Also

About Global VPN Settings

Configure Static NAT

About 1-to-1 NAT
