Routing Branch Site Internet Traffic Through Headquarters

nat; routing; sonicwall; vpn

I have a VPN between 2 sites connected by a point-to-point private link. Now I need to find a way to allow the Internet traffic from the branch through the main firewall.

I am using a SonicWall TZ 300 in the branch and an NSA 3600 in the HQ.

I will need a static route (default route) from the branch to HQ, but I am not sure what kind of policies I need in the HQ for this configuration (NAT and firewall policies).

Best Answer

HQ firewall:
Independent of the firewall vendor, you will need an additional policy to allow traffic from the tunnel end to your WAN port (destination address 'all'). Here, you have to apply source NAT as private addresses like those used on the branch network are not routed over the internet. In a stateful firewall, reply traffic will be automatically allowed to flow from WAN port to the tunnel and eventually to the branch LAN.

Branch firewall:
As you have already stated on the branch router/firewall you need an additional default route pointing to the (private) address of the HQ firewall. The associated policy should allow 'all' as destinations, not only the private address range of the HQ, as it might do at the moment.

Edit:
On the branch firewall, you need an additional (host) route to the public address of the HQ firewall. Otherwise, this address cannot be reached when the tunnel is down. For example, add "1.2.3.4/32" via WAN port.
If you already have a default route in place (pointing to WAN port) then either delete it or make sure it has a higher distance than the new default route to the tunnel.
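As an added illustration (not part of the question or the accepted answer), the following Python model of the branch routing table applies the two rules the answer relies on, longest-prefix match first and lowest administrative distance as the tie-breaker, to show which path each destination takes: the HQ public address via WAN through the /32 host route, everything else via the tunnel while it is up, and the demoted WAN default route only when the tunnel route is gone. The LAN ranges and interface names are constructed; 1.2.3.4 is the answer's own placeholder for the HQ public address.

```python
import ipaddress

# Constructed interface names for the branch firewall (assumptions, not SonicWall object names)
LAN = "lan"
WAN = "wan"
TUNNEL = "vpn-to-hq"


def build_branch_routes(hq_public_ip="1.2.3.4",
                        branch_lan="192.168.10.0/24",
                        hq_lan="192.168.1.0/24",
                        tunnel_up=True,
                        host_route=True):
    """Return a list of (prefix, egress, administrative distance) tuples.

    Models the branch table the accepted answer describes:
      - a /32 host route to the HQ public address via WAN, so the tunnel
        endpoint itself is never sent into the tunnel;
      - the original default route via WAN, demoted to a higher distance;
      - a default route (and the HQ LAN) via the tunnel while it is up.
    """
    routes = [
        (ipaddress.ip_network(branch_lan), LAN, 0),          # directly connected
        (ipaddress.ip_network("0.0.0.0/0"), WAN, 10),        # old default, higher distance
    ]
    if host_route:
        routes.append((ipaddress.ip_network(hq_public_ip + "/32"), WAN, 1))
    if tunnel_up:
        routes.append((ipaddress.ip_network(hq_lan), TUNNEL, 1))
        routes.append((ipaddress.ip_network("0.0.0.0/0"), TUNNEL, 1))  # new default via tunnel
    return routes


def lookup(routes, dst):
    """Pick the egress for dst: longest prefix wins, then lowest distance."""
    addr = ipaddress.ip_address(dst)
    candidates = [r for r in routes if addr in r[0]]
    if not candidates:
        return None
    best = max(candidates, key=lambda r: (r[0].prefixlen, -r[2]))
    return best[1]


def show_paths(routes, destinations):
    """Convenience helper that maps each destination to its chosen egress."""
    return {d: lookup(routes, d) for d in destinations}


if __name__ == "__main__":
    probes = ["1.2.3.4", "8.8.8.8", "192.168.1.5", "192.168.10.7"]
    print("tunnel up:  ", show_paths(build_branch_routes(), probes))
    print("tunnel down:", show_paths(build_branch_routes(tunnel_up=False), probes))
    # Without the /32 host route the HQ endpoint would itself be routed into the tunnel.
    print("no host route:", show_paths(build_branch_routes(host_route=False), ["1.2.3.4"]))
```

The `host_route=False` case is the situation the answer's edit warns about: with only the tunnel default route in place, the HQ public address matches that default and is sent toward the tunnel instead of out the WAN port, so the /32 route is what keeps the tunnel endpoint reachable on its own.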