How to configure TX54 IPSec VPN for inbound 1:1 NAT mapping?

OK, typical scenario where all remote subnets have the same subnet so I am trying to SNAT inbound/outbound on VPN. It seems the destination NAT setting on tunnel performs the SNAT outbound and I have this working. However, I cannot seem to figure out how to configure the SNAT mapping for inbound traffic.

So the local subnet on Digi side of tunnel is fake subnet of I have set up an interface/zone called FAKE1 for this. The “real” subnet is LAN1, which is One of the remote subnets is With the destination NAT address set up to include my remote subnets, the outbound SNAT is working. I can get from to remote subnets on HUB side. However, I cannot find how to do the inbound NAT on VPN so that traffic coming from going to gets 1:1 NAT to How do I set up inbound NAT mapping on VPN tunnel to achieve this?

I assume your router runs a DAL system.
You need to add custom firewall rules like the ones below:

iptables -t nat -I PREROUTING -i "interface name" -d -j NETMAP --to
iptables -t nat -I POSTROUTING -o "interface name" -s -j NETMAP --to
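
The NETMAP target in the two rules above rewrites only the network part of an address and keeps the host part, which is what makes the translation 1:1 in both directions. The following is an added example, not part of the thread and not Digi's code, that reproduces that arithmetic in Python; the two /24 subnets are constructed placeholders because the thread's own addresses are not shown, and the function names are hypothetical.

```python
import ipaddress

# Constructed placeholder subnets (RFC 5737 documentation ranges); the
# thread's real addresses are not shown on the page.
FAKE_NET = "198.51.100.0/24"   # what the remote side of the tunnel sees
REAL_NET = "192.0.2.0/24"      # the actual LAN behind the router


def netmap(addr, match_net, to_net):
    """Address arithmetic of the NETMAP target.

    match_net plays the role of the rule's -d / -s match, to_net the --to
    argument. Network bits come from to_net, host bits from the packet.
    """
    addr = ipaddress.ip_address(addr)
    match_net = ipaddress.ip_network(match_net)
    to_net = ipaddress.ip_network(to_net)
    if addr not in match_net:
        return addr  # rule does not match, packet is left alone
    host_bits = int(addr) & int(to_net.hostmask)
    return ipaddress.ip_address(int(to_net.network_address) | host_bits)


def inbound_dst(dst):
    """PREROUTING rule: -d FAKE_NET -j NETMAP --to REAL_NET."""
    return netmap(dst, FAKE_NET, REAL_NET)


def outbound_src(src):
    """POSTROUTING rule: -s REAL_NET -j NETMAP --to FAKE_NET."""
    return netmap(src, REAL_NET, FAKE_NET)


def is_one_to_one(match_net, to_net):
    """The mapping is only reversible when both prefixes are the same length."""
    return (ipaddress.ip_network(match_net).prefixlen
            == ipaddress.ip_network(to_net).prefixlen)


if __name__ == "__main__":
    for host in ("198.51.100.10", "198.51.100.254", "203.0.113.7"):
        real = inbound_dst(host)
        print(f"in  dst {host:>15} -> {real}   reply src -> {outbound_src(real)}")
    # A /16 match squeezed into a /24 target makes distinct hosts collide.
    print(netmap("10.0.1.5", "10.0.0.0/16", REAL_NET),
          netmap("10.0.2.5", "10.0.0.0/16", REAL_NET),
          is_one_to_one("10.0.0.0/16", REAL_NET))
```
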

OK, I tried that.
When I am on the network and I try to ping hoping it would translate to and respond but it fails. I tried override, rebooting, etc. No luck. Do I need the SNAT turned on one of the IPSec or FAKE1 zones?

Surely it should be the VPN interface name if you are using IPSec VPN.

OK, IPSec is the zone set for the VPN tunnel.
I have enabled Source NAT for that zone.
Still not working…

Again, the outbound VPN SNAT seems to work without custom rules.

You missed the VPN interface name in the custom rules. It looks like a formatting issue on the website.
Please take a look at my first reply again. I edited the initial post.
You don't need to configure SNAT via GUI anymore with these rules.
I recommend you open a support case at

Appreciate the update, I added the VPN in there and still it doesn't work.
Should I delete my FAKE1 interface/zone that is

You need to assign any IP address of the fake network to the loopback interface (firewall zone internal) and add this subnet to the IPSec VPN policy. That is all.

Ok, I got the rules with correct syntax now - verified by putting them in via CLI.
I enter as my loopback address.
Now the VPN NAT seems to be working when pinging, behavior as expected.
However, I can no longer log into my web interface to admin the device after setting loopback.
Also, when I try to pull up web browser on device at at from nothing resolves but I can ping
Also, can't get to web admin through VPN tunnel internal IP either.
Please advise

Good afternoon!

At this point, I would recommend emailing us at to get a case going to resolve the last portion of your question. Then we can track the changes and information more easily.