Packet response via Source NAT not working (via SSL-VPN)

Question

Hello everyone! 
 I have the following problem: 
 I don't want to leave my ESXi server in the WAN, so I created a second VM kernel adapter and assigned an internal IP to the ESXi in addition to the public IP address. 
 I now want to connect to my network via VPN and manage my ESXi server via this private address. I've put the firewall with a NIC into this "ESXi management network" and created/configured the interface on the admin interface: 
 
 At the end I created a VPN firewall rule that should allow me to get access from VPN Zone to the LAN/DMZ Zone (and therefore also ESXi-Network, which is in the LAN Zone). Here I have to use Source NAT because the ESXi can only have one gateway and this is assigned to its public address. 
 Unfortunately the XG seems to forward the https request to the ESXi, but I don't get a response because the firewall can't assign the packets: 
 
 Here is the VPN rule:

and also the SNAT IP-Host and Policy:

I hope, you can help me out! 
 Kind regards, Leon

intrusus · Accepted Answer

, 
 maybe this is kind of interesting for you and the Sophos Firewall Team: 
 I have now performed the following steps: 
 
 Upgrade to v18EAP 
 Created some firewall rules and cleaned it up:
 
 The firewall rules are now split up (e.g. LAN to MGMT, VPN to MGMT, etc.) so the naming is standardized, and everything seems more organized. Important: The VPN to MGMT rule is linked to a SNAT rule. This rule does nothing else than the SNAT rule from my first post.

But the error was clearly due to this: If in Configure > VPN > Show VPN Settings > SSL VPN Settings TCP is not selected as protocol, but UDP, the XGv17.5 and XGv18EAP discards any https (tcp443) packets back to the VPN user. Ping is working fine using UDP, but any Protocol based on TCP not. After resetting from UDP to TCP, everything works fine! That way the problem was solved. Cheers, Leon