Configure Inbound IPSec Pass-through with SNAT

By default, the XTM device is configured to terminate all inbound IPSec VPN tunnels at the XTM device itself. You can configure the XTM device to pass inbound IPSec VPN traffic through to another VPN endpoint, such as a VPN concentrator on the trusted or optional network.

To do this, you must disable the built-in IPSec policy that sends all inbound traffic to the XTM device. Then you must create specific IPSec policies to handle incoming VPN traffic that terminates at the XTM device or at another device on your network. You can use a static NAT (SNAT) action in the policy to map an external IP address to the private IP address of the VPN endpoint on your network.

Disable the Built-in IPSec Policy

Because the built-in IPSec policy is a hidden policy, you cannot edit it directly. You must disable it in the VPN global settings.

  1. Select VPN > VPN Settings.
  2. Clear the Enable the built-in IPSec Policy check box.

Add IPSec Policies

After you disable the built-in IPSec policy, you must add one or more IPSec packet filter policies to handle incoming IPSec VPN traffic.

For example, if your XTM device has a primary external IP address of 203.0.113.2, and a secondary external IP address of 203.0.113.10, you could use an SNAT action in an IPSec policy to map IPSec traffic that comes to the secondary external IP address to the private IP address of the VPN concentrator. You could create another policy to send all other incoming IPSec traffic to the XTM device.

Those two policies could look like this:

Policy: IPSec_to_VPN_concentrator

IPSec connections are: Allowed
From: Any-External
To: 203.0.113.10 --> 10.0.2.10 (added as an SNAT action)

Policy: IPSec_to_XTM_Device

IPSec connections are: Allowed
From: Any-External
To: Firebox

If auto-order mode is enabled, the policies are automatically sorted in the correct precedence order, and the IPSec policy that contains the SNAT action is placed higher in the policy list than the other IPSec policy. This means that any incoming IPSec traffic whose destination does not match the SNAT rule in the first IPSec policy is handled by the second IPSec policy.

This example uses static NAT to direct incoming traffic to the internal VPN concentrator. You could also use 1-to-1 NAT for this purpose.
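The following is an added model of the two-policy configuration above, written for this page and not WatchGuard code. It evaluates incoming IPSec packets (IKE on UDP/500, NAT-T on UDP/4500, ESP) against the policies in list order and shows why the SNAT policy must sit above the catch-all: the Firebox alias is assumed here to cover every address the device owns, including the secondary external IP, so with the catch-all first the concentrator's traffic would terminate at the XTM device instead.

```python
"""Added model of the IPSec pass-through policy pair (not WatchGuard code)."""
from dataclasses import dataclass
from typing import Optional

# Addresses taken from the page. The Firebox alias is assumed to include all
# of the device's own interface addresses, primary and secondary external alike.
PRIMARY_EXTERNAL = "203.0.113.2"
SECONDARY_EXTERNAL = "203.0.113.10"
VPN_CONCENTRATOR = "10.0.2.10"
FIREBOX_ALIAS = frozenset({PRIMARY_EXTERNAL, SECONDARY_EXTERNAL})

# What an IPSec packet filter matches: IKE (UDP/500), NAT-T (UDP/4500), ESP (IP proto 50).
IPSEC_MATCHES = {("udp", 500), ("udp", 4500), ("esp", None)}


@dataclass(frozen=True)
class Policy:
    name: str
    to_match: frozenset              # destination addresses this policy accepts
    snat_to: Optional[str] = None    # if set, rewrite the destination to this address


def is_ipsec(proto: str, dport: Optional[int]) -> bool:
    return (proto, dport) in IPSEC_MATCHES


def route(policies, dst_ip: str, proto: str, dport: Optional[int]):
    """Return (policy name, final destination) from the first matching policy,
    or None when no IPSec policy matches and the packet is dropped."""
    if not is_ipsec(proto, dport):
        return None
    for p in policies:
        if dst_ip in p.to_match:
            return (p.name, p.snat_to or dst_ip)
    return None


SNAT_POLICY = Policy("IPSec_to_VPN_concentrator", frozenset({SECONDARY_EXTERNAL}),
                     snat_to=VPN_CONCENTRATOR)
CATCHALL_POLICY = Policy("IPSec_to_XTM_Device", FIREBOX_ALIAS)

AUTO_ORDER = [SNAT_POLICY, CATCHALL_POLICY]    # the order auto-order mode produces
WRONG_ORDER = [CATCHALL_POLICY, SNAT_POLICY]   # manual order with the catch-all on top

if __name__ == "__main__":
    for label, order in (("auto-order", AUTO_ORDER), ("catch-all first", WRONG_ORDER)):
        print(label, route(order, SECONDARY_EXTERNAL, "udp", 500))
```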

See Also

About Global VPN Settings

Configure Static NAT

About 1-to-1 NAT
