No Ping after DNAT

Hi, 

"Set a permanent route through the IPSEC" - have you done that in the CLI?

Regards

fusi

No, i've done that on the icinga machine ( SMP Debian 5.10.106-1 )

Try to tell your XG to route all trafic to your VPN Network through your IPsec Tunnel:
system ipsec_route add net <remote subnet> tunnelname <ipsec_tunnel>

docs.sophos.com/.../index.html

I don't really get, why i should do that? I don't want to route everything through the IPSEC

I thought you would ping a remote client behind an IPsec connection?

You don't route everything to the tunnel. Only <remote subnet>.

Yes, right. That does work from every other machine in my network, only this one doesn't, as soon as I make a DNAT to this particular machine.

Your screenshot shows you using DNAT for ICMP, and it shows Inbound Interface Port 2. Do you mean #Port2.1? Is it working, as shown,  for HTTP and HTTPS but just not for ICMP? And is #Port2.1 in the LAN Zone?

The system route for IPsec simply tells the firewall itself, there is a route for the traffic. This can be needed in case of NAT:

But you NAT has a traffic selector based on Interface. I would recommend to try ANY there instead of Port2. 

Check the Packet Capture as well. 

The system route for IPsec simply tells the firewall itself, there is a route for the traffic. This can be needed in case of NAT:

But you NAT has a traffic selector based on Interface. I would recommend to try ANY there instead of Port2. 

Check the Packet Capture as well. 

I tired "ANY" as selector, but it made no difference. Also i have Added the permanent route via CLI. Still no change...

What do you see in the Packet capture on Webadmin? 

I found the problem!

I used the NAT assistant, which automatically created a reflexive NAT-Rule. This roule NATed all traffic from this server through Port 2:1. I deactivated it, HTTP / S still works!
Thanks for you help! I'm really stunned, how fast and how many people replied

Have a nice weekend