I have an SSG5 which connects directly to the Internet using PPPoE. So it has a static public IP on the untrusted interface.
A VPN tunnel from the LAN connects to a data center in Japan. This has been working successfully for many years.
Now I need to put it behind a router. This will result in the untrusted zone IP being a NAT address in the range of 192.168.1.0/24.
As soon as I do this, I cannot connect to the servers in Japan. The VPN tunnel, however, is up: just no data is returned. I do know that the Japanese filter based upon my public IP address as a security precaution.
Acting on a hunch, I added in another router, so my network looked like this:
INTERNET-----59.167.x.x-ROUTER 1-192.168.1.1-----192.168.1.2-ROUTER 2-59.167.x.1-----59.167.x.x-SSG5-192.168.10.1-----LAN
I hope this makes sense: Router 2 made a NAT internal network with a subnet containing my real public IP address, and assigned that to the untrusted interface on my SSG5. This actually worked, and I could connect to the servers once again.
Obviously triple NAT is not desirable, and is a major hack! So how do I remove ROUTER 2, and tell the SSG5 to replace the 192.168.1.x address with my public address 59.167.x.x for the VPN tunnel?
Any advice would be much appreciated!