Skip to main content
willow
willow
Explorer
December 5, 2024
Solved

InterVlan Routing to a VPN

  • December 5, 2024
  • 1 reply
  • 1203 views

We have a Third Party that would like to allow us access to a subnet on their system via a Site to Site VPN.

 

There is no need for them to access stuff on our network but they want us to use a small subnet to avoid clashes on their end of the network ( 192.168.255.1 / 24 as an example ) we have set this subnet up as a Vlan and have setup and established a IPSEC Tunnel and the tunnel works if your on aforementioned subnet. 

 

Is there anyway to get a Fortigate FG100 to route traffic from another subnet over this tunnel? I can't create a static or policy route to route traffic to the gateway address 192.168.255.1 as it just complains it's a interface address (well yes )) 


Essentially we want it to take traffic from our vlan(s) and act as a NAT gateway sending stuff over the VPN.

 

In the past we have done this by having another router take traffic out of the main router and pipe it back in via a WAN port. This is a little Jank though and I was hoping for something a bit more elegant. 

Best answer by sjoshi

Hi,

 

Yes you can setup by using IPPOOL so in the lan to tunnel policy enable NAT and select IP pool.

So whatever subnet you configure on the IPPOOL that will be the src IP when the traffic reaches the remote end.

Refer:-

https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-configure-SNAT-with-IP-pool/ta-p/195322

1 reply

sjoshi
Staff
sjoshiAnswer
Staff
December 5, 2024

Hi,

 

Yes you can setup by using IPPOOL so in the lan to tunnel policy enable NAT and select IP pool.

So whatever subnet you configure on the IPPOOL that will be the src IP when the traffic reaches the remote end.

Refer:-

https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-configure-SNAT-with-IP-pool/ta-p/195322

Thanks, Salon
    willow
    willowAuthor
    Explorer
    December 5, 2024

    Perfect.

    That did the trick, setup an overload pool with a single address of the Fortigate IP for the VPN subnet and then turned on NAT for the Firewall Rule using that address. 

     

    Seems to have done the trick :)

      sjoshi
      Staff
      sjoshi
      Staff
      December 5, 2024

      Great!!

      Thanks, Salon
      Terms & ConditionsAccessibility statement