Operational Defect Database

BugZero found this defect 3112 days ago.

WatchGuard Technologies | kA10H000000g3FcSAI

Traffic is incorrectly routed through a Branch Office Tunnel when dynamic NAT is enabled in the tunnel route

Last update date:

11/11/2015

Affected products:

Firebox M200
Firebox M300
Firebox M270
Firebox M370
Firebox M470
Firebox M570
Firebox M670
Firebox M290
Firebox M390
Firebox M400
Firebox M500
Firebox M440

Affected releases:

All
  Fireware
    11.x
      11.1.x
      11.10.x
        11.10
        11.10.1
        11.10.2
        11.10.3
        11.10.4
        11.10.5
        11.10.6

Fixed releases:

All

Description:

Issue

The Firebox can incorrectly route traffic through a BOVPN tunnel when dynamic NAT is enabled in the tunnel route and the traffic also matches a global dynamic NAT rule. The global dynamic NAT rule changes a packet's source IP address from a private network IP address to the external IP address of the Firebox. If that external IP address is the same as the NAT IP address in the BOVPN tunnel route, the Firebox sends traffic that matches the global dynamic NAT rule through the tunnel regardless of the original private source IP address of the traffic. By default, dynamic NAT applies to all internet-bound traffic.

For example, your network has these settings:

- External interface IP address: 203.0.113.2/24
- Trusted interface IP address: 10.0.1.1/24
- Optional interface IP address: 10.0.2.1/24
- Global dynamic NAT is configured with the default settings, which translate the source IP address of outbound traffic from all private networks to the IP address of the outgoing interface.
- A tunnel route translates the source IP addresses of traffic from the trusted network, 10.0.1.0/24, to the external IP address of the Firebox, 203.0.113.2.

A client on your optional network attempts to ping 10.50.1.25. This traffic is handled by the Ping policy, which applies the global dynamic NAT rule to change the source IP address to 203.0.113.2, the primary external IP address. The Firebox then routes this traffic from the optional network through the Branch Office VPN, with the source IP address masqueraded as 203.0.113.2, even though the optional network is not part of the tunnel route.

Workaround/Solution

To avoid this issue, set the dynamic NAT (DNAT) IP address in the branch office VPN tunnel route to an IP address other than the primary external IP address of the Firebox. Traffic that the global dynamic NAT rule masquerades as the primary external IP address then no longer matches the tunnel route's NAT address, so only traffic from the local network selected in the tunnel route is sent through the tunnel.
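The following is an added illustration, not WatchGuard or BugZero code. It models the routing decision the report describes (the tunnel route is matched against the source address left by the global dynamic NAT rule) using the report's own addresses, so that the misrouting of the optional-network ping and the effect of the workaround can be checked side by side. It also includes a small audit function for the trigger condition. The class and function names are our own, and the remote network 10.50.1.0/24 is an assumption (the report only names the host 10.50.1.25); the model does not claim to reproduce the Fireware implementation beyond what the report states.

```python
"""Model of the BOVPN tunnel-route selection this defect report describes.

Constructed illustration, not WatchGuard code. Class and function names are
our own; the addresses are the ones used in the report, except 10.50.1.0/24,
which is assumed as the remote network behind the tunnel.
"""
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass
class TunnelRoute:
    local: IPv4Network                     # local network selected by the route
    remote: IPv4Network                    # remote network behind the tunnel
    dnat_ip: Optional[IPv4Address] = None  # dynamic NAT address for the route


@dataclass
class Firebox:
    external_ip: IPv4Address               # primary external interface address
    private_networks: List[IPv4Network]
    tunnel_routes: List[TunnelRoute] = field(default_factory=list)
    global_dnat: bool = True               # default: masquerade all outbound traffic

    def apply_global_dnat(self, src: IPv4Address) -> IPv4Address:
        """Global dynamic NAT: a private source becomes the external IP."""
        if self.global_dnat and any(src in net for net in self.private_networks):
            return self.external_ip
        return src

    def route(self, src: str, dst: str) -> Tuple[str, str]:
        """Return (path, source address on the wire) for one packet.

        path is "tunnel" or "internet". The second branch inside the loop is
        the defect: a packet whose post-NAT source equals the route's DNAT
        address is sent into the tunnel although its original source lies
        outside the route's local network.
        """
        src_ip, dst_ip = ip_address(src), ip_address(dst)
        nat_src = self.apply_global_dnat(src_ip)
        for r in self.tunnel_routes:
            if dst_ip not in r.remote:
                continue
            if src_ip in r.local:                      # expected tunnel traffic
                wire = r.dnat_ip if r.dnat_ip is not None else src_ip
                return "tunnel", str(wire)
            if r.dnat_ip is not None and nat_src == r.dnat_ip:
                return "tunnel", str(nat_src)          # misrouted
        return "internet", str(nat_src)


def conflicting_routes(fb: Firebox) -> List[str]:
    """Audit check for the trigger condition: global dynamic NAT is on and a
    tunnel route uses the primary external IP as its dynamic NAT address."""
    if not fb.global_dnat:
        return []
    return [str(r.dnat_ip) for r in fb.tunnel_routes if r.dnat_ip == fb.external_ip]


def build(tunnel_dnat_ip: str) -> Firebox:
    """The report's example network with the given tunnel-route DNAT address."""
    return Firebox(
        external_ip=ip_address("203.0.113.2"),
        private_networks=[ip_network("10.0.1.0/24"), ip_network("10.0.2.0/24")],
        tunnel_routes=[TunnelRoute(local=ip_network("10.0.1.0/24"),
                                   remote=ip_network("10.50.1.0/24"),  # assumed
                                   dnat_ip=ip_address(tunnel_dnat_ip))],
    )


if __name__ == "__main__":
    for label, fb in (("as reported", build("203.0.113.2")),
                      ("workaround", build("203.0.113.3"))):
        print(f"{label}: conflicting routes = {conflicting_routes(fb) or 'none'}")
        for src in ("10.0.1.50", "10.0.2.50"):
            path, wire_src = fb.route(src, "10.50.1.25")
            print(f"  {src} -> 10.50.1.25: {path} (source on wire {wire_src})")
```

With the tunnel route's DNAT address equal to the primary external IP, the ping from 10.0.2.50 is sent into the tunnel masqueraded as 203.0.113.2; with the DNAT address moved to 203.0.113.3, the same packet takes the internet path and only trusted-network traffic enters the tunnel. The `conflicting_routes` check is the condition to look for when reviewing a Firebox configuration for this defect.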


Status

Open
