Skip to main content
neilb
neilb
New Member
March 29, 2019
Question

NAT / Virtual IP on Loopback?

  • March 29, 2019
  • 1 reply
  • 7539 views

Hi all,

 

I'm after a bit of help with regards to NAT, specifically allowing access to an internal server my end from over a VPN. Here's the scenario:

 

I have a client whose network I access via a VPN, and due to clashing address ranges I use source and destination NAT. I can connect to the client network fine and access their internal devices. I'm having trouble though giving them access to specific devices on my network. I'm using a 300E VDOM for this.

 

My network is 192.168.2.0/24, with LAN interface 192.168.2.24. I source NAT overload this to 172.16.0.1.

The client uses 192.168.2.0/24 internally, which I use a destination 1:1 NAT of 10.11.1.0/24 to address. The VPN is configured to allow 172.16.0.0/28 to 192.168.2.0/24. This all works fine, I can RDP to the client devices etc.

 

Now I'm trying to allow the client to access a server on my network. I want to set up a NAT to point 172.16.0.2 to my internal server 192.168.2.73, but I just can't get this to work. I'm thinking that as the firewall doesn't actually have an interface in the 172.16.0.0/28 subnet that this is the issue. To this end I've tried setting up a loopback interface in this subnet but still can't get the NAT to work. I came across this KB article https://kb.fortinet.com/kb/documentLink.do?externalID=FD39824 which sounded good but I can't get it talking right. My NAT would also need to source-NAT the traffic from the client to possibly the 10.11.1.0/24 range so that my server can route back to it.

 

Any ideas? Happy to share config and any other details required. I'm coming from a Cisco ASA background which is being replaced with the Fortigate, so still learning my way around.

 

Thanks

    1 reply

    lobstercreed
    lobstercreed
    New Member
    April 6, 2019

    That KB is a doozy.  [&:]  It doesn't seem like it would work based on my experience but I guess I haven't done exactly that.

     

    All my VIPs live in a subnet that doesn't exist on my firewall either, but as long as the mapped IP's network exists, you should be fine.  The question is does the other end have a route TO your VIP? 

     

    The way you described the VPN sounds a little odd and could be the source of the issue.  I'd be happy to look at the config and try to help.  FortiGates definitely work a lot different than Cisco ASA, so I feel your pain.  Once you "get it" though, the FortiGate is amazing!  

    neilb
    neilbAuthor
    New Member
    April 9, 2019

    Thanks lobstercreed. I'm loving the Fortigate, much better than the ASA I just need to figure out how it handles all the NAT! Going from a one-liner that does both source and destination NAT to the IP Pools, virtual IPs and policies is challenging me certainly.

     

    The VPN is up and working fine and the remote end does have a route in place back to my VIP subnet 172.16.0.0/28. I've ditched the loopback but still no joy - I can post the config if you let me know which bits are pertinent or I can just post the whole lot. I'm still learning the cli.

     

    The other thing I've noticed is that the IPv4 policies and the IPSEC monitor show no bytes hitting the policies or VPNs, but they are definitely passing traffic as I can get a successful RDP session to a server on the remote site.

     

    Thanks

     

     

    Terms & ConditionsAccessibility statement