mardal
New Member
February 2, 2023
Question

NAT rule on incoming VPN traffic

  • February 2, 2023
  • 1 reply
  • 2079 views

My dear community,

I'd like to throw a question into the round that has puzzled me for some days:

We have a VPN tunnel incoming with 192.168.101.xxx. The system which should be reached has 192.168.9.xxx. The virtual IP mapping I can set defines the incoming external IP as well as the mapped-to IP.

BUT, and here is the tricky thing: the partner needs to use a placeholder IP. So the partner calls IP 172.29.62.xxx. This should be mapped to 192.168.9.xxx, but the rule is not used because the incoming IP is 192.168.101.xxx.

Summary: incoming 192.168.101.xxx calls 172.26.62.xxx, which has to be mapped to 192.168.9.xxx.

Can you please help me to understand how to configure such a scenario?

Thanks a lot in advance!

1 reply

AEK
SuperUser
February 2, 2023

Hello Mardal

I think you want to configure a VIP, with external IP 172.26.62.x, mapped IP 192.168.9.x.

You can find this under Policy & Objects > Virtual IP.

Then the FW policy has to be configured with the VIP as destination address.

AEK
mardal (Author)
New Member
February 3, 2023

Hi AEK,

thanks for your reply.

In general you are right, but the VIP only gets hit if the external IP were 172.26.62.xxx. But the external IP is a different one. I just added a small picture. Maybe this explains it a bit better than with words ;) (attachment: Capture.JPG)

gfleming
Staff
February 3, 2023

You can use any IP you want as the External IP in a VIP as long as that IP is routed to the external interface for that VIP.

In other words, if packets destined to 172.26.62.x are being properly routed to your FortiGate's interface, then the VIP will cause the FortiGate to reply to ARP requests for the IP that is configured as "external IP" in the VIP. The IP does not have to exist on the actual interface.

Hope this helps.
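Putting AEK's answer (VIP plus a firewall policy that uses the VIP as destination) and gfleming's answer (the external IP only has to be delivered to the interface the VIP is bound to, it does not have to exist on it) together as a FortiOS CLI configuration. This is an added example, not configuration posted by anyone in the thread, and every name and host address in it is assumed: the IPsec tunnel interface is called "partner-vpn", the LAN interface is "port2", the partner's source network is 192.168.101.0/24, the placeholder address the partner dials is 172.26.62.10 and the real server is 192.168.9.10. Because the traffic enters over an IPsec tunnel rather than a LAN segment, the example also assumes that the phase 2 selectors on both ends carry the placeholder address; that is what makes 172.26.62.x arrive on the tunnel interface in the first place. The `#` lines are explanatory comments, not part of the configuration.

```fortios
# --- 1. Phase 2 selector: the placeholder address must be inside the tunnel's local selector,
#        otherwise the partner's packets for 172.26.62.10 never get encrypted into this tunnel.
#        (Assumed names: phase1 "partner-vpn", phase2 "partner-p2".)
config vpn ipsec phase2-interface
    edit "partner-p2"
        set phase1name "partner-vpn"
        set src-subnet 172.26.62.10 255.255.255.255
        set dst-subnet 192.168.101.0 255.255.255.0
    next
end

# --- 2. Return route: replies to the partner's 192.168.101.x hosts go back into the tunnel.
config router static
    edit 0
        set dst 192.168.101.0 255.255.255.0
        set device "partner-vpn"
    next
end

# --- 3. The VIP (Policy & Objects > Virtual IP in the GUI).
#        extip is the placeholder the partner calls; it is NOT assigned to any interface.
#        extintf is the tunnel, because that is where packets for 172.26.62.10 arrive.
#        mappedip is the real server in 192.168.9.x.
config firewall vip
    edit "VIP_partner_placeholder"
        set extip 172.26.62.10
        set extintf "partner-vpn"
        set mappedip "192.168.9.10"
    next
end

# --- 4. Address object for the partner's source network, used to keep the policy narrow.
config firewall address
    edit "partner_src_net"
        set subnet 192.168.101.0 255.255.255.0
    next
end

# --- 5. Firewall policy with the VIP as destination address. srcintf must match the VIP's
#        extintf; the FortiGate translates the destination to 192.168.9.10 before routing,
#        so dstintf is the LAN interface. Service is restricted to what the partner needs
#        (assumed HTTPS here) rather than ALL.
config firewall policy
    edit 0
        set name "partner-to-server-via-VIP"
        set srcintf "partner-vpn"
        set dstintf "port2"
        set srcaddr "partner_src_net"
        set dstaddr "VIP_partner_placeholder"
        set action accept
        set schedule "always"
        set service "HTTPS"
        set logtraffic all
    next
end
```

To check that the VIP is actually being matched, run `diagnose debug flow filter addr 172.26.62.10`, then `diagnose debug flow trace start 10` and `diagnose debug enable` while the partner opens a connection; the trace should show the packet arriving on partner-vpn, matching the policy above and a DNAT of the destination to 192.168.9.10. If the trace never shows the packet at all, the problem is upstream of the VIP: the partner's route or phase 2 selector for 172.26.62.x is not sending it into this tunnel.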