Hello, just to make sure we're on the same page...
PC1 -------[bgroup0] FW ======VPN====== Server (application and DNS)
                     [Eth3]             |
                       |                |
                    Internet         Internet
                    10.1.1.1          3.3.3.3

PC1:     1.1.1.1
Server:  2.2.2.2 (www.test.com)
bgroup0: 1.1.1.254
Eth3:    10.1.1.1
Currently, the setup is that PC1 resolves the server's name, www.test.com, to an IP address via DNS.
Then PC1 sends a TCP SYN packet to the server with src-IP 1.1.1.1 and dst-IP 2.2.2.2, and this traffic is sent over the VPN tunnel.
What you want to do is, rather than sending it over the VPN tunnel, to send the traffic from PC1 to the Server over the internet, out Eth3. Is this correct?
If yes, then the packet with src-IP 1.1.1.1 and dst-IP 2.2.2.2 (from PC1 to Server) will need to be translated to public IP addresses.
I believe this can be achieved in a couple of different ways.
1) Using src and dst NAT
set policy from trust to untrust 1.1.1.1/32 2.2.2.2/32 any nat src dst ip 3.3.3.3 permit
set route 2.2.2.2/32 int ethernet3 ## to associate this IP with the untrust zone
Of course the router/firewall at the server location will have to do NAT as well, and it also has to make sure the server's reply comes back over the internet rather than the VPN.
2) MIP with src NAT
set int bgroup0 mip 2.2.2.2 host 3.3.3.3
set policy from trust to untrust 1.1.1.1/32 mip(2.2.2.2) any nat src permit
set route 2.2.2.2/32 int ethernet3
The goal of both options above is to translate the packet from the private IPs 1.1.1.1 -> 2.2.2.2 to the public IPs 10.1.1.1 -> 3.3.3.3.
I don't have access to the firewall at this moment to test this, but I don't see why it shouldn't work.
Regards,
Sam
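Both options in the reply above rely on the same forwarding order: the route lookup on the destination picks the egress interface, the egress interface's zone picks which policy is consulted, and only then does the policy apply source/destination NAT (or the MIP translation). The model below is an added example, not part of the original post and not ScreenOS code; it uses the addresses from the post, and the pre-existing VPN route (2.2.2.0/24 via an assumed tunnel.1 interface in the untrust zone) is a constructed stand-in for whatever route currently carries the traffic into the tunnel. It shows why the /32 route out ethernet3 is what actually moves the flow off the VPN: without it the NAT policy still matches, but longest-prefix match still sends the packet into the tunnel.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Interface -> zone and interface -> IP bindings from the post's diagram.
# tunnel.1 (and its route below) is an ASSUMPTION standing in for the existing VPN.
ZONES = {"bgroup0": "trust", "ethernet3": "untrust", "tunnel.1": "untrust"}
IF_IPS = {"bgroup0": "1.1.1.254", "ethernet3": "10.1.1.1"}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


@dataclass(frozen=True)
class Policy:
    from_zone: str
    to_zone: str
    src: str                       # source prefix, e.g. "1.1.1.1/32"
    dst: str                       # destination prefix or "mip(x.x.x.x)"
    nat_src: bool = False          # "nat src": rewrite src to the egress interface IP
    nat_dst: Optional[str] = None  # "nat src dst ip X": rewrite dst to X


class Firewall:
    def __init__(self):
        self.routes = []    # (network, egress interface)
        self.mips = {}      # mapped IP -> real host (from "set int ... mip ... host ...")
        self.policies = []  # evaluated top-down, first match wins

    def set_route(self, prefix, iface):
        self.routes.append((ipaddress.ip_network(prefix), iface))

    def set_mip(self, iface, mip, host):
        self.mips[mip] = host   # the interface only matters for ARP, not for this model

    def set_policy(self, policy):
        self.policies.append(policy)

    def lookup_route(self, dst):
        ip = ipaddress.ip_address(dst)
        matches = [(net, iface) for net, iface in self.routes if ip in net]
        if not matches:
            return None
        # Longest prefix match: the /32 added in the post beats the /24 VPN route.
        return max(matches, key=lambda r: r[0].prefixlen)[1]

    def forward(self, pkt, in_if):
        """Return (egress interface, translated packet), or None if dropped."""
        from_zone = ZONES[in_if]
        egress = self.lookup_route(pkt.dst)
        if egress is None:
            return None                   # no route: dropped
        to_zone = ZONES[egress]           # the route decides the destination zone
        src_ip, dst_ip = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
        for pol in self.policies:
            if (pol.from_zone, pol.to_zone) != (from_zone, to_zone):
                continue
            if src_ip not in ipaddress.ip_network(pol.src):
                continue
            if pol.dst.startswith("mip("):
                mip = pol.dst[4:-1]
                if pkt.dst != mip or mip not in self.mips:
                    continue
                new_dst = self.mips[mip]          # MIP does the destination NAT
            else:
                if dst_ip not in ipaddress.ip_network(pol.dst):
                    continue
                new_dst = pol.nat_dst or pkt.dst
            # Interface-based source NAT uses the egress interface's address;
            # an unnumbered tunnel keeps the original source in this model.
            new_src = IF_IPS.get(egress, pkt.src) if pol.nat_src else pkt.src
            return egress, Packet(new_src, new_dst)
        return None                       # no matching policy: default deny


PC1_SYN = Packet("1.1.1.1", "2.2.2.2")   # the SYN from the post


def baseline():
    """Today's state: traffic rides the VPN route."""
    fw = Firewall()
    fw.set_route("2.2.2.0/24", "tunnel.1")   # assumed existing VPN route
    fw.set_policy(Policy("trust", "untrust", "1.1.1.1/32", "2.2.2.2/32"))
    return fw.forward(PC1_SYN, "bgroup0")


def option1(add_route=True):
    """Option 1: src+dst NAT policy, with or without the /32 route out ethernet3."""
    fw = Firewall()
    fw.set_route("2.2.2.0/24", "tunnel.1")
    if add_route:
        fw.set_route("2.2.2.2/32", "ethernet3")
    fw.set_policy(Policy("trust", "untrust", "1.1.1.1/32", "2.2.2.2/32",
                         nat_src=True, nat_dst="3.3.3.3"))
    return fw.forward(PC1_SYN, "bgroup0")


def option2():
    """Option 2: MIP on bgroup0 plus a src-NAT policy and the /32 route."""
    fw = Firewall()
    fw.set_route("2.2.2.0/24", "tunnel.1")
    fw.set_route("2.2.2.2/32", "ethernet3")
    fw.set_mip("bgroup0", "2.2.2.2", "3.3.3.3")
    fw.set_policy(Policy("trust", "untrust", "1.1.1.1/32", "mip(2.2.2.2)", nat_src=True))
    return fw.forward(PC1_SYN, "bgroup0")


if __name__ == "__main__":
    print("baseline:          ", baseline())
    print("option 1:          ", option1())
    print("option 1, no route:", option1(add_route=False))
    print("option 2:          ", option2())
```

Run it and the two NAT options produce the same translated packet, 10.1.1.1 -> 3.3.3.3 out ethernet3, while the "no route" case shows the policy rewriting the destination and still handing the packet to the tunnel interface, which is why the reply pairs every policy with the `set route 2.2.2.2/32 int ethernet3` line. The model only covers the outbound SYN; the return path still depends on the far-end router doing its own NAT and routing the reply over the internet, as the reply notes.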