Channel: All ScreenOS Firewalls (NOT SRX) posts

Re: Site-to-site VPN between 3 locations (hairpin NAT)


Hi,

wrote:

Hello spuluka,

Routes and policies were set for the 3 sites. But the pings still time out.

The interesting thing is that all 3 sites' firewall logs show the pings are allowed, with the correct zone/subnet/workstation IP and the correct policy. For example, I ping from siteA to siteB. SiteB's logs show there is a ping from siteA and it is allowed.

But the workstation in siteA (e.g. Windows cmd) shows a timeout. I suspect the ping response back from siteB to siteA requires hairpin NAT.

All 3 firewalls are using route-based VPN. Proxy-ID is not set, as it is not necessary for the current setup.




If you are saying you see the pings in the firewall logs but the workstation shows a timeout, then it sounds like the route table on either Branch does not include the remote side's subnets. That is, Branch B cannot respond to the traffic coming in from the Branch A subnet, and vice versa.

 

You need to add routes on either side for the remote Branch subnet. But since it is not practical to add a route on every workstation at either site, you need to NAT the source IP in the HA (SSG140) policy, such that the traffic going out to Branch B is source NATed to the HA subnet. The same needs to be done for the policy from Branch B to Branch A on the HA (SSG140) if you are going to initiate traffic from Branch B to Branch A. You can choose egress-interface-based NAT in the policy, or create a DIP on the egress interface and use that in the policy.

 

Thanks,

Pranita
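As an added illustration of the hub-side policy NAT described in the reply above (this is not configuration from the thread; all zone names, address-book names and 10.x addresses are constructed placeholders), the following ScreenOS CLI fragment assumes an SSG140 hub with tunnel.1 bound to zone VPN-A toward Branch A (LAN 10.1.0.0/24) and tunnel.2 bound to zone VPN-B toward Branch B (LAN 10.2.0.0/24), both route-based VPNs already up and the hub already routing to both branch LANs. Lines beginning with # are annotations for the reader, not CLI input.

```screenos
# --- Hub (SSG140) ---
# Give the tunnel toward Branch B a numbered address so a DIP pool can sit on it
# (placeholder subnet 10.20.0.0/24); the pool is a single address.
set interface tunnel.2 ip 10.20.0.1/24
set interface tunnel.2 dip 4 10.20.0.10 10.20.0.10
# Address-book entries for the two branch LANs in their tunnel zones.
set address "VPN-A" "Branch-A-LAN" 10.1.0.0 255.255.255.0
set address "VPN-B" "Branch-B-LAN" 10.2.0.0 255.255.255.0
# Before: a plain permit. Branch B sees 10.1.x source addresses it has no route for,
# so its replies are dropped even though every firewall logs the ping as permitted.
# set policy id 10 from "VPN-A" to "VPN-B" "Branch-A-LAN" "Branch-B-LAN" "ANY" permit log
# After: source NAT to the DIP on the egress tunnel interface. Branch B now only
# needs one route for 10.20.0.0/24, pointing at its tunnel to the hub.
set policy id 10 from "VPN-A" to "VPN-B" "Branch-A-LAN" "Branch-B-LAN" "ANY" nat src dip-id 4 permit log
# Reverse direction (Branch B initiating toward Branch A), this time using
# egress-interface-based NAT: the source becomes tunnel.1's own address.
set interface tunnel.1 ip 10.10.0.1/24
set policy id 11 from "VPN-B" to "VPN-A" "Branch-B-LAN" "Branch-A-LAN" "ANY" nat src permit log

# --- Branch B firewall: one route for the hub's NAT address, not one per remote branch ---
set route 10.20.0.0/24 interface tunnel.1
# --- Branch A firewall: same idea for the hub's tunnel.1 address ---
set route 10.10.0.0/24 interface tunnel.1
```

Note that the translated source here lives on the hub's tunnel subnets rather than its LAN subnet, so each branch firewall needs the single route shown; if the tunnel interfaces were instead numbered out of the HA LAN range the branches already route to, no extra branch route would be required.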

 

