
XG2XG RED and DNAT from central's IP to RED internal IP

Hello everyone after a long time!

 

I've stumbled upon an issue I'm trying to solve.

First things first:

There's a Central XG which has a static IP and is a RED server.

There's a remote XG which has a dynamic IP and is a RED client to the Central.

I've configured all the routing and every network can see each other properly. LAN<->LAN firewall rules, static routes set. Everything smooth.

So I have an IP camera at the remote XG I want to view, but I want to view it through the central IP because it's static and I don't want to mess with DDNS at the remote XG and expose it.
I tried a DNAT rule that has source: WAN -> ANY, destination: Port2 (that's the WAN port), protected server: 192.168.50.50 (the IP of the remote IP camera), protected zone: LAN.
That doesn't work. Any ideas?



This thread was automatically locked due to age.
  • Hello Panagiotis,

    Thank you for contacting the Sophos Community.

    So you have a RED tunnel between two XGs (any reason why you are not using IPsec?) and you want to access the IP camera behind the XG2 (Remote XG with Dynamic IP) via the RED tunnel, correct?

    I remember seeing a very similar scenario with IPsec and we had to enable masquerading for it to work. Can you enable masquerading in the DNAT rule and see if it makes any difference?

    What do you see if you do a tcpdump on the XG1 and XG2 when you access via the WAN?

    Can you please do the following from the XG advanced shell:

    #tcpdump -eni any host 192.168.50.50 

    Regards,

  • Masq did the trick! Thanks!
    I also had to add all the ports from the DVR, since with the web only it couldn't transmit video, but that was secondary.

    Thanks again!