Routing from IPSec Dialup-User to a destination behind a PAT-IPSec
Hello friends,
there is an FGT80E, which was set up by someone who is not accessible anymore.
The WAN is connected to a DSL router as "exposed host" (meaning the WAN interface has a private IP).
We have an IPSec connection to a Cisco ASA which uses PAT (since they don't like our internal subnet).
The IPSec itself works just fine. In phase 2 they defined the local address and the remote address for the PAT:
Local: 10.200.200.30
Remote: 10.200.210.80
Now they set up a VIP (I am not sure why they set it up):
Interface: <the IPSec interface>
External IP: 10.200.200.30-10.200.200.30
Mapped IP: 192.168.100.230 (from our internal LAN)
We have static routes over the IPSec interface to the remote PAT IP: 10.200.210.80
And we have a policy from LAN to this IPSec:
<source local subnet 192.168.100.0/24> to <remote subnet 10.200.210.0/24> ALWAYS ALL ACCEPT - NAT: dynamic IP pool <external range: 10.200.200.30-10.200.200.30, internal 192.168.100.1 - 192.168.100.253>, ARP reply enabled.
This seems to work fine from the LAN.
But now I would like our dialup users to connect through this tunnel as well as the internal users.
But this is just not happening ....
I am already thinking that the initial setup is not correct ... even though it works.
I am wondering if I can just put the local address 10.200.200.30 as the interface address of the local IPSec interface and just enable the NAT on the policies I am using to allow the traffic.
I hope this was somehow understandable .. ?
Thanks for your help!
