Screen OS

  • 1.  Having some troubles with VPN and NAT SRC translations

    Posted 03-15-2011 12:55

    We've got 2 SSG5 devices, connecting site A and B together via site to site VPN. The VPN is working fine, machines can talk to each other.

    Site A = 192.168.10.0/24
    Site B = 192.168.100.0/24

    The actual problem is that any traffic from Site B appears to come out via the Tunnel interface and not the actual IP of the machine sending the data.

    We should also mention that the interface the tunnel is bound to is doing NAT, because we also let external clients access machines on Site B using MIPs.

    Example:

    If Host B at Site B has an IP of 192.168.100.5 and is speaking to Host A at Site A, the source addresses of the traffic coming from Site B are translating to the IP address of the tunnel interface (which is 192.168.100.1).

    This does not occur the other way around, only when Site B talks to Site A.

    Any suggestions? Or extra needed details?



  • 2.  RE: Having some troubles with VPN and NAT SRC translations

    Posted 03-15-2011 16:10

    I believe your suspicion is correct that the traffic is hitting the interface nat because the tunnel interface is unnumbered and associated with that interface.  I think you have two options.

    1-Remove the interface nat and then add a source nat to the policy that permits the traffic that requires the nat.  This is located on the advanced tab of the policy and can also use the interface as the nat source.  But it will only apply to traffic that meets the policy criteria.

    2-Convert the tunnel interface to a numbered one with its own ip address and remove it from the interface that has the nat applied so it no longer inherits that behavior.



  • 3.  RE: Having some troubles with VPN and NAT SRC translations
    Best Answer

    Posted 03-16-2011 08:03

    That did it.

    We created a new policy from any to -> the other end of the tunnel and turned off nat-src for that. Then put the any to any WITH nat src "below" that in order of precedence.

    Works like a charm now.

    Many thanks!
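The fix in the best answer depends on ScreenOS evaluating policies top-down and stopping at the first match: a policy for the VPN destination without nat-src only takes effect if it sits above the any-to-any policy that has nat-src enabled. The following Python model, added here as an example and not code from the thread or from Juniper, shows the two orderings side by side and includes a small check for policies that can never match because a broader policy above them shadows them. It deliberately ignores zones, services and MIPs; the addresses are the ones from the thread, with the interface IP 192.168.100.1 standing in for the NAT source, and the destination 203.0.113.7 is a constructed Internet host.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Values taken from the thread: Site A and B LANs, and the NAT-enabled interface IP at Site B.
SITE_A_NET = "192.168.10.0/24"
SITE_B_NET = "192.168.100.0/24"
SITE_B_INTERFACE_IP = "192.168.100.1"
ANY = "0.0.0.0/0"  # stands in for ScreenOS "Any"


@dataclass
class Policy:
    name: str
    src: str        # source network; ANY matches every address
    dst: str        # destination network
    nat_src: bool   # True: translate the source to the interface IP (interface NAT)


def matches(policy: Policy, src_ip: str, dst_ip: str) -> bool:
    """Does this policy cover the (src, dst) pair?"""
    return (ip_address(src_ip) in ip_network(policy.src)
            and ip_address(dst_ip) in ip_network(policy.dst))


def first_match(policies, src_ip: str, dst_ip: str):
    """ScreenOS-style lookup: policies are tried top-down, the first hit wins."""
    for policy in policies:
        if matches(policy, src_ip, dst_ip):
            return policy
    return None  # no policy matched: implicit deny


def effective_source(policies, src_ip: str, dst_ip: str):
    """Return (matched policy name, source address the far end will see)."""
    policy = first_match(policies, src_ip, dst_ip)
    if policy is None:
        return (None, None)
    return (policy.name, SITE_B_INTERFACE_IP if policy.nat_src else src_ip)


def shadowed_policies(policies):
    """Names of policies that can never match, because an earlier policy already
    covers every source/destination pair they would match."""
    shadowed = []
    for index, later in enumerate(policies):
        for earlier in policies[:index]:
            if (ip_network(later.src).subnet_of(ip_network(earlier.src))
                    and ip_network(later.dst).subnet_of(ip_network(earlier.dst))):
                shadowed.append(later.name)
                break
    return shadowed


# The two policies the thread ends up with (names are assumptions).
VPN_NO_NAT = Policy("to-site-A-no-nat", ANY, SITE_A_NET, nat_src=False)
ANY_ANY_NAT = Policy("any-any-nat", ANY, ANY, nat_src=True)

# Before the fix: the broad NAT policy is evaluated first, so VPN traffic is translated.
BROKEN_ORDER = [ANY_ANY_NAT, VPN_NO_NAT]
# After the fix: the VPN-specific policy sits above the any-to-any NAT policy.
FIXED_ORDER = [VPN_NO_NAT, ANY_ANY_NAT]

if __name__ == "__main__":
    host_b, host_a, internet_host = "192.168.100.5", "192.168.10.20", "203.0.113.7"
    for label, order in (("broken", BROKEN_ORDER), ("fixed", FIXED_ORDER)):
        print(label, "VPN:", effective_source(order, host_b, host_a))
        print(label, "Internet:", effective_source(order, host_b, internet_host))
        print(label, "shadowed:", shadowed_policies(order))
```

With the broken order, Host B reaches Site A as 192.168.100.1 and the VPN-specific policy is reported as shadowed; with the fixed order the far end sees 192.168.100.5 while traffic to the Internet host is still translated, which is the behaviour the thread describes.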