IPSEC TUNNEL with NAT
- May 27, 2019
- 2 replies
- 3319 views
Hi all. I need help to figure out whether a configuration is possible and where I'm going wrong.
Please see the attached scenario. I have fortigate_A and fortigate_B connected with an IPsec tunnel. The tunnel goes UP. I have some networks behind the FortiGates, and two of them overlap. I don't need the overlapping networks (the red networks) to see each other at all.
I want the overlapping network behind fortigate_A to see the other networks behind fortigate_B, and I want to do this by performing NAT only at fortigate_A. I want a static one-to-one translation.
So I configured an IP pool 192.168.240.0/26 that translates 192.168.59.192/26 (fixed port range). When I ping from 192.168.59.193 behind fortigate_A, the destination 172.16.23.73 receives the echo request from the translated address 192.168.240.1 and replies. If I ping from 192.168.59.196, the destination host correctly receives the echo request from the translated address 192.168.240.4.
So I can say:
- translation works
- the IPsec tunnel works
- routing works
but... if I try the opposite, pinging from the 172.16.23.73 address behind fortigate_B to the translated address 192.168.240.1 of the host behind fortigate_A, the ping fails. I can see the echo requests go through the tunnel and arrive at fortigate_A (diag sniffer packet), but I can't see any echo replies.
Where could I be wrong?
Any help is appreciated
Regards
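Added example, not part of the original post and not FortiOS code: a small Python model of the one-to-one translation the post describes, using the addresses given above (192.168.59.192/26 mapped host-by-host onto 192.168.240.0/26, so .193 becomes .1 and .196 becomes .4, with 172.16.23.73 as the remote host). The class name, the `Packet` type, the `static_inbound` switch and the session-table logic are my own constructions. The model reproduces the two directions reported in the post: an inside-initiated echo is source-translated and its reply is matched back through the session table, while an unsolicited echo to a pool address is only reverse-translated when a fixed inbound mapping is configured; otherwise it has no state to match and is dropped. Whether a particular FortiGate IP pool type behaves like one case or the other is an assumption of the model, not something the thread establishes.

```python
"""Toy model of the one-to-one NAT described in the post (constructed example, not FortiOS code).

Inside range 192.168.59.192/26 is mapped host-by-host onto pool 192.168.240.0/26,
so .193 -> .1 and .196 -> .4.  172.16.23.73 is the host behind fortigate_B.
Addresses come from the post; the session handling is a deliberate simplification.
"""
from dataclasses import dataclass, replace
from ipaddress import IPv4Address, IPv4Network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str   # "icmp" here; a port would play the same role for TCP/UDP
    ident: int   # ICMP identifier, used to match echo replies to requests


class OneToOneNat:
    """Static inside<->pool mapping plus a session table for reply matching.

    static_inbound=False: the pool is only consulted for flows the inside hosts
    initiate, so an unsolicited inbound packet to a pool address is dropped.
    static_inbound=True: the fixed mapping is applied in both directions, as a
    dedicated inbound 1:1 rule would do.  Which one a given FortiOS setup
    behaves like is an assumption of this model, not established in the thread.
    """

    def __init__(self, inside: str, pool: str, static_inbound: bool = False) -> None:
        self.inside = IPv4Network(inside)
        self.pool = IPv4Network(pool)
        if self.inside.prefixlen != self.pool.prefixlen:
            raise ValueError("pool and source range must be the same size for 1:1 NAT")
        self.static_inbound = static_inbound
        # (proto, pool address, remote address, ident) -> inside address
        self.sessions: dict = {}

    def to_pool(self, ip: str) -> str:
        """Inside address -> pool address at the same offset within the range."""
        addr = IPv4Address(ip)
        if addr not in self.inside:
            raise ValueError(f"{ip} is not in the translated range {self.inside}")
        return str(self.pool[int(addr) - int(self.inside.network_address)])

    def to_inside(self, ip: str) -> str:
        """Pool address -> inside address at the same offset within the range."""
        addr = IPv4Address(ip)
        if addr not in self.pool:
            raise ValueError(f"{ip} is not in the pool {self.pool}")
        return str(self.inside[int(addr) - int(self.pool.network_address)])

    def outbound(self, pkt: Packet) -> Packet:
        """Inside -> tunnel: rewrite the source address and remember the flow."""
        nat_src = self.to_pool(pkt.src)
        self.sessions[(pkt.proto, nat_src, pkt.dst, pkt.ident)] = pkt.src
        return replace(pkt, src=nat_src)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Tunnel -> inside: reverse-translate a known reply, or an unsolicited
        packet if a static inbound mapping is configured; otherwise drop (None)."""
        key = (pkt.proto, pkt.dst, pkt.src, pkt.ident)
        if key in self.sessions:
            return replace(pkt, dst=self.sessions[key])
        if self.static_inbound and IPv4Address(pkt.dst) in self.pool:
            return replace(pkt, dst=self.to_inside(pkt.dst))
        return None


if __name__ == "__main__":
    nat = OneToOneNat("192.168.59.192/26", "192.168.240.0/26")
    req = nat.outbound(Packet("192.168.59.193", "172.16.23.73", "icmp", 1))
    print("outbound:   ", req.src, "->", req.dst)    # 192.168.240.1 -> 172.16.23.73
    rep = nat.inbound(Packet("172.16.23.73", "192.168.240.1", "icmp", 1))
    print("reply:      ", rep.src, "->", rep.dst)    # 172.16.23.73 -> 192.168.59.193
    probe = nat.inbound(Packet("172.16.23.73", "192.168.240.1", "icmp", 2))
    print("unsolicited:", probe)                      # None
```

Running the block walks through exactly the three observations in the post: the outbound echo leaves as 192.168.240.1, the reply finds its session and is delivered to 192.168.59.193, and a fresh echo from 172.16.23.73 to 192.168.240.1 with no matching state goes nowhere unless the translator also holds a fixed inbound mapping.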
