IT-Dominikus
New Member
December 29, 2021
Question

I wish to get help to setup a VPN with specific NAT requirements

  • December 29, 2021
  • 4 replies
  • 4031 views

Fortigate 600E


Current: VPN Tunnel Phase1 is UP - Phase2 DOWN.


The catch here is that we need to NAT "something"; I don't know how and what to NAT, because on the remote site the 10.220.0.0/16 subnet is already occupied. They suggested another subnet, 10.222.0.0/16. How can I do that?


The connection should be something like that:


Our LAN 10.220.0.0/16 -> Tunnel Interface -> Remote LAN 10.222.0.0/16 -> Remote Server


I don't know how I can configure this. Also, I don't know what to use. Is it ippools, VIPs, or something else?

I cannot figure this out. Any advice?


Thanks for reading.

4 replies

mariopugliese
Visitor III
December 29, 2021

Do you mean you have an address overlap (both sides use the same network addressing) and you cannot change the local addressing on your side, so you want to NAT your sources?

This article could be interesting: https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-configure-SNAT-with-IP-pool/ta-p/195322


IT-Dominikus
New Member
December 29, 2021

Thanks... reading and trying now. I will write back.

IT-Dominikus
New Member
December 29, 2021

Sorry, this is too hardcore for me. :(

mariopugliese
Visitor III
December 29, 2021

FortiGate uses four types of IPv4 IP pools:

  • Overload
  • One-to-one
  • Fixed port range
  • Port block allocation

The type of IP pool depends on the need.

Do you have incoming flows from the remote side to your side, or do you only need to reach some remote resources like web servers, Citrix, etc. through the VPN?


IT-Dominikus
New Member
December 29, 2021

I just need to reach a remote web server. I have now configured it using an ippool with overload, external IP range 10.222.0.1-10.222.0.50 (I just guessed / typed in whatever range, because they said we can use the whole 10.222.0.0/16 subnet).


The remote web server is in a different subnet (example: 7.49.31.128/25).


Can you make any sense of that, or do I need to describe it better?

Debbie_FTNT
Staff & Editor
December 29, 2021

Hey Dominikus,

Correct me if I'm wrong - you have a local subnet of 10.220.0.0/16, and on the remote side the same subnet is also in use, right?
So, if you send traffic into the tunnel with a 10.220.x.x source IP, this will cause problems, because the remote side will confuse the traffic with its own subnet?
You will need to hide your 10.220.0.0/16 subnet behind NAT, such as the pool you've already implemented. So, now all traffic from your side will go into the tunnel with a 10.222.0.x source IP address (the pool could go 10.222.0.1-10.222.255.254, if you want to use it fully :).

Now you need to ensure the following is in place:
- the IPSec tunnel has phase2 selectors with 10.222.0.0/16 as local subnet, and the remote server as remote subnet
- your FortiGate has a route to the webserver through the IPSec tunnel
- the remote side has mirrored selectors (10.222.0.0/16 as remote, their web server subnet as local)
- the remote side has a route for 10.222.0.0/16 via IPSec tunnel
With that in place, the web server should become reachable.
Hope this helps :)

IT-Dominikus
New Member
December 29, 2021

Thank you! That worked.


- Phase 2 local subnet set to 10.222.0.0/16 (before it was set to 10.220.0.0/16)

- ippool is overload with 10.222.0.1-10.222.255.254

- outgoing policy is with NAT enabled using the specified ippool


Thank you very much! What a great answer.
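The setup Debbie_FTNT describes and the three items confirmed above, written out as a FortiOS CLI configuration. This is an added example, not configuration from the thread or from Fortinet: the tunnel name "to-remote", the LAN interface "internal", the address and pool object names and the HTTPS-only service are assumptions, and 7.49.31.128/25 is the placeholder subnet the poster gave for the remote web server.

```fortios
# Added example (assumed names: tunnel "to-remote", LAN interface "internal").
config firewall address
    edit "LAN_10.220.0.0_16"
        set subnet 10.220.0.0 255.255.0.0
    next
    edit "remote-webserver-subnet"
        set subnet 7.49.31.128 255.255.255.128
    next
end
# Overload pool covering the whole 10.222.0.0/16 that the remote side offered.
config firewall ippool
    edit "vpn-nat-pool"
        set type overload
        set startip 10.222.0.1
        set endip 10.222.255.254
    next
end
# Phase 2: local selector is the NAT pool subnet, NOT the real LAN 10.220.0.0/16.
# The pool range must sit inside this local selector or NATed traffic never matches it.
config vpn ipsec phase2-interface
    edit "to-remote-p2"
        set phase1name "to-remote"
        set src-subnet 10.222.0.0 255.255.0.0
        set dst-subnet 7.49.31.128 255.255.255.128
    next
end
# Route to the remote web server subnet (poster's placeholder value) via the tunnel interface.
config router static
    edit 0
        set dst 7.49.31.128 255.255.255.128
        set device "to-remote"
    next
end
# Outgoing policy LAN -> tunnel with SNAT to the pool, so the remote side only ever sees
# 10.222.x.x sources; service is limited to HTTPS rather than ALL since only a web server is needed.
config firewall policy
    edit 0
        set name "LAN-to-remote-webserver"
        set srcintf "internal"
        set dstintf "to-remote"
        set srcaddr "LAN_10.220.0.0_16"
        set dstaddr "remote-webserver-subnet"
        set action accept
        set schedule "always"
        set service "HTTPS"
        set nat enable
        set ippool enable
        set poolname "vpn-nat-pool"
    next
end
```

The remote peer needs the mirrored selectors (10.222.0.0/16 as its remote subnet) and a route for 10.222.0.0/16 into the tunnel; `diagnose vpn tunnel list` on the FortiGate should then show the 10.222.0.0/16 <-> 7.49.31.128/25 phase 2 up.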