Cannot pass traffic to LAN devices through a VPN tunnel

Article:TECH80833  |  Created: 2003-01-23  |  Updated: 2009-01-26  |  Article URL
Article Type
Technical Solution


You configured the VPN connections to a Symantec Firewall/VPN (SFVPN) appliance or Symantec Enterprise Firewall product (Symantec Enterprise Firewall, Symantec VelociRaptor, or Symantec Gateway Security appliance). You confirmed that you can pass traffic (by pinging) to the internal IP address of the Symantec VPN server through the tunnel. However, traffic to other addresses on the remote network does not appear to pass through the tunnel.


This problem is usually caused by the default gateway configuration of hosts on the internal network.

If the devices you are trying to access through the VPN tunnel do not use the internal IP address of the Symantec VPN server as their default gateway (either directly or indirectly), then traffic to those devices fails.

Because computers connecting through a VPN tunnel keep their original IP address inside the tunnel, replies to traffic that came out of the tunnel must be able to reach the SFVPN so that it can route them back through the tunnel. If the internal computers use another gateway or firewall address (or an internal router configured as such) as their default gateway, the traffic returning from those hosts may never reach the SFVPN, and the connection fails.

A VPN client with an IP address of connects a tunnel to an SFVPN appliance with a tunnel of. As a result, all traffic from the client to the network goes through the VPN connection.

If the VPN client pings a server behind the SFVPN appliance that has an IP address of, the ping has a source address of and a destination of.

The computer at receives the packet and responds to. If the computer at has a default gateway of the SFVPN's internal interface (, by default), the reply returns to the SFVPN appliance, where it is encrypted and routed through the tunnel to the VPN client.
However, if has a different default gateway (either another router or a firewall/gateway, such as in the example below), the reply is forwarded to that gateway's IP address and is either dropped there or routed elsewhere; it does not return through the VPN tunnel.

Symantec Enterprise Firewall products allow you to apply network address translation (NAT) to VPN traffic to work around this problem. When NAT is used on the VPN tunnel, traffic entering the internal network appears to originate from an address on that network, so replies are delivered on-link to that address and never go to the hosts' default gateway.

SFVPN appliances cannot perform NAT for VPN tunnel connections. All VPN tunnel connections keep the original source address on inbound traffic through the tunnel, so internal computers whose default gateway does not route traffic back to the SFVPN cannot respond correctly to requests arriving through the VPN tunnel.
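To make the return-path reasoning above concrete, here is a small routing simulation (added example, not from the article; the addresses, the LAN 10.1.1.0/24 and the router objects are constructed, since the article's own addresses were elided). It traces a LAN server's reply to a VPN client and shows the three outcomes the article describes: the server's default gateway is the SFVPN, the default gateway is another router with or without a route back to the client range via the SFVPN, and NAT on the tunnel, where the reply is on-link regardless of the gateway.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed topology (assumed values; the article's own addresses were elided).
LAN = ipaddress.ip_network("10.1.1.0/24")
SFVPN_INTERNAL = ipaddress.ip_address("10.1.1.1")    # SFVPN inside interface
OTHER_GATEWAY = ipaddress.ip_address("10.1.1.254")   # a second router on the LAN
CLIENT_IP = ipaddress.ip_address("192.168.50.10")    # VPN client keeps this address

@dataclass
class Router:
    addr: ipaddress.IPv4Address
    routes: List[Tuple[ipaddress.IPv4Network, ipaddress.IPv4Address]]
    default: Optional[ipaddress.IPv4Address]

    def next_hop(self, dst):
        for net, hop in self.routes:          # static routes win over the default
            if dst in net:
                return hop
        return self.default                   # None: router has nowhere to send it

def host_next_hop(host_gw, dst):
    """A LAN server delivers on-link destinations directly, all others to its gateway."""
    return dst if dst in LAN else host_gw

def trace_reply(host_gw, routers, nat_on_tunnel=False):
    """Follow the server's reply hop by hop; the list ends at SFVPN_INTERNAL only
    if the reply will be encrypted back into the tunnel."""
    dst = SFVPN_INTERNAL if nat_on_tunnel else CLIENT_IP   # NAT rewrites the source
    path, hop = [], host_next_hop(host_gw, dst)
    while hop is not None and hop not in path:             # stop on drop or loop
        path.append(hop)
        if hop == SFVPN_INTERNAL:
            break
        router = routers.get(hop)
        hop = router.next_hop(dst) if router else None     # unknown device drops it
    return path

def reply_returns_via_tunnel(host_gw, routers, nat_on_tunnel=False):
    path = trace_reply(host_gw, routers, nat_on_tunnel)
    return bool(path) and path[-1] == SFVPN_INTERNAL

# Case A: the server's default gateway is the other router, which has no route back.
NO_ROUTE = {OTHER_GATEWAY: Router(OTHER_GATEWAY, [], None)}
# Case B: same gateway, but with a static route for the client range via the SFVPN
# (the "indirect" default gateway the article mentions).
WITH_ROUTE = {OTHER_GATEWAY: Router(OTHER_GATEWAY,
    [(ipaddress.ip_network("192.168.50.0/24"), SFVPN_INTERNAL)], None)}
```

Running `trace_reply(OTHER_GATEWAY, NO_ROUTE)` stops at the second router, while the same call with `WITH_ROUTE` or with `nat_on_tunnel=True` ends at the SFVPN; a static route like Case B on the real gateway is the usual fix when hosts cannot be re-pointed at the SFVPN.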

If your network's routing requires NAT for VPN traffic because of the criteria or limitations described above, use a Symantec Enterprise Firewall product (Symantec Enterprise Firewall/VPN, Symantec VelociRaptor, or Symantec Gateway Security appliance) for the VPN connections instead.
