How to SNAT SSL VPN to LAN IP

Question

I am deploying an XG fireall to replace our existing UTM firewall which is being moved to another location. Our corporate IT LAN network is behind the XG firewall with about 20 client networks which connect via IPSEC site to site VPNs. From the corporate IT LAN we can access all client networks on the other side of the IPSEC tunnels. 
 We also utilize an SSL VPN to remote into the IT network when we need to provide support to the remote clients. 
 The problem I am having is when I am connected via the SSL VPN, I cannot route to the client networks. Now I know the problem. The IPSEC configurations do not include the SSL VPN subnets and therefore are not routable. I could fix this by going through and reconfiguring each IPSEC tunnel to include the SSL VPN subnet, but that seems like a lot of work when Source NAT could easily solve my problem. In fact, we have been running source NAT on the UTM configuration for years and it has worked great. I just can't figure out how to do this on the XG. 
 Essentially, I need an SSL VPN client to be masked (SNAT) as an IP on the LAN IT network since all remote client networks already know how to route back to the LAN IT network. 
 Does anyone have any input on how this might be accomplished?

LAN IT (10.255.255.0/24) 
 SSL VPN (10.242.2.0/24) 
 Sample Remote Client Network (10.2.48.0/24) 
 
 Hope this makes sense.

NileshSisodia · Accepted Answer

Remote access vpn networks/users cant access to ipsec remote site network but can access head office network. Remote access ip is 10.81.234.6 and try to reach to remote site machine 192.168.3.20/24. It needs to be achieved using SNAT method which UTM9 uses. 
 Not working Packet Capture taken on Head office Firewall 
 Below is IPSec site to site setup, 
 
 Even if ipsec site to site is successfully setup but it doesn&rsquo;t add route for remote site in default routing table but it uses custom method to tag and route ipsec site to site Local and Remote networks traffic. SFVUNL_SO01_SFOS 16.05.7 MR-7# route -n Kernel IP routing table Destination Gateway Genmask Flags Metric Ref Use Iface 10.1.1.0 0.0.0.0 255.255.255.0 U 0 0 0 Port5 10.81.234.0 0.0.0.0 255.255.255.0 U 0 0 0 tun0 10.176.200.0 0.0.0.0 255.255.255.0 U 0 0 0 Port2 10.255.0.0 0.0.0.0 255.255.255.0 U 0 0 0 GuestAP 192.168.4.0 0.0.0.0 255.255.255.0 U 0 0 0 Port1 
 Action 
 -------- 
 -Create a NAT profile for ip address 192.168.4.2. -Create a rule name can be any and set source zone as VPN and destination zone as VPN. In NAT & Routing section , Select Rewrite Source address (Masquerading) -->Use 192.168.4.2 as Outbound Address. Please make sure that 192.168.4.2 is excluded from DHCP assignment. -Setup Remote access vpn and add remote site network (192.168.3.0/24) so it will be push into remote users' computer and add into route section when connected using SSL vpn. -Go to command line of Head office firewall and add route for ipsec. It is needed because when traffic comes from SSL vpn via tun0 interface for destination network 192.168.3.0/24 and if it doesn't have specific route then it try to send using default route that is WAN interface so it wont work. In XG when ipsec site to site is setup it uses different way adding local and remote site traffic. Where SSL VPN looks into default routing table to match destination network. console> system ipsec_route add net 192.168.3.0/255.255.255.0 tunnelname Case_7666490 (this is name your ipsec tunnel) SFVUNL_SO01_SFOS 16.05.7 MR-7# route -n Kernel IP routing table Destination Gateway Genmask Flags Metric Ref Use Iface 10.1.1.0 0.0.0.0 255.255.255.0 U 0 0 0 Port5 10.81.234.0 0.0.0.0 255.255.255.0 U 0 0 0 tun0 10.176.200.0 0.0.0.0 255.255.255.0 U 0 0 0 Port2 10.255.0.0 0.0.0.0 255.255.255.0 U 0 0 0 GuestAP 192.168.3.0 0.0.0.0 255.255.255.0 U 0 0 0 ipsec0 192.168.4.0 0.0.0.0 255.255.255.0 U 0 0 0 Port1 
 Head office firewall VPN to VPN Firewall rule --------------------------------------------------- 
 Working packet capture of SSL VPN using SNAT to reach Remote site (192.168.3.0/24) Head office --------------- 
 -Firewall rule is 5 above provided 
 
 Remote site ---------------- 
 Remote Site Firewall rules id 3 (VPN - LAN)