DanielW131
New Member
March 10, 2025
Question

Need to NAT to a host on a different interface over a Site to Site VPN

Hi

Hoping somebody can help me as I'm going round in circles. We recently replaced a Cisco firewall. A support company that looks after one of the servers on subnet 10.70.0.* had a site-to-site VPN to a management VLAN of 10.7.1.*. From there, they would hit a NAT IP, which would translate to the server IP in the 10.70.0.* network (both forwards and reverse).

The site-to-site VPN to the management VLAN is working fine, but I just cannot get my head around setting up the NAT in the FortiGate. Tried it as if it were an external NAT, and that didn't work. Tried adding the server VLAN to the VPN and doing a NAT (even a zone), and that didn't work. Feel like I'm missing something, but can't find a guide on how to do this. Below is a diagram of what I'm trying to do, if it helps.

Many thanks in advance. Dan

[Image: VPN NAT.jpg]

1 reply

AEK
SuperUser
March 11, 2025

Hi Dan

If I understand well, you should use DNAT (VIP).

External: 10.7.1.x

Mapped to: 10.70.0.x

Then the related policy should have the VIP object as destination.

AEK
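Worked example of AEK's suggestion, written here as an added illustration rather than config taken from the thread. It assumes the IPsec tunnel interface is named "VPN-support", the server VLAN interface is "VLAN70", the NAT address the support company hits is 10.7.1.50 and the real server is 10.70.0.10; all four names/addresses are placeholders to replace with your own. It also assumes central NAT is disabled (the FortiOS default), so policy-based VIPs apply.

```fortios
# --- Added example (not from the original post). Names and IPs are assumed. ---

# Address objects used by the policies below
config firewall address
    edit "srv-real"
        set subnet 10.70.0.10 255.255.255.255
    next
    edit "support-remote"
        set subnet 192.0.2.0 255.255.255.0      # assumed remote side of the tunnel
    next
end

# 1) Static 1:1 DNAT (VIP). The key detail: extintf is the *tunnel* interface,
#    not wan1, because the packets arrive decrypted on VPN-support.
#    extip does not have to be an address configured on any interface; it only
#    has to be inside the subnet the remote peer sends down the tunnel (so the
#    phase-2 selectors on both ends must include 10.7.1.0/24).
config firewall vip
    edit "vip-srv-mgmt"
        set extintf "VPN-support"
        set extip 10.7.1.50
        set mappedip "10.70.0.10"
        set portforward disable                 # all ports, plain 1:1 translation
    next
end

# 2) Inbound policy: tunnel -> server VLAN, destination is the VIP object.
#    Source NAT is left off so the server sees the real remote address; turn
#    it on only if the server has no route back over the tunnel.
config firewall policy
    edit 0
        set name "support-to-srv-via-vip"
        set srcintf "VPN-support"
        set dstintf "VLAN70"
        set srcaddr "support-remote"
        set dstaddr "vip-srv-mgmt"
        set action accept
        set schedule "always"
        set service "ALL"                       # tighten to the needed ports in production
        set nat disable
        set logtraffic all
    next
end

# 3) Reverse direction ("both forwards and reverse"): when the server itself
#    initiates traffic to the support company, hide it behind the same
#    10.7.1.50 using a one-to-one IP pool, so the far end only ever sees
#    the management-VLAN address.
config firewall ippool
    edit "pool-srv-mgmt"
        set type one-to-one
        set startip 10.7.1.50
        set endip 10.7.1.50
    next
end
config firewall policy
    edit 0
        set name "srv-to-support-snat"
        set srcintf "VLAN70"
        set dstintf "VPN-support"
        set srcaddr "srv-real"
        set dstaddr "support-remote"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
        set ippool enable
        set poolname "pool-srv-mgmt"
        set logtraffic all
    next
end
```

To check it, have the support side ping or connect to 10.7.1.50 while running `diagnose sniffer packet any 'host 10.7.1.50 or host 10.70.0.10' 4` on the FortiGate: you should see the packet enter on VPN-support to 10.7.1.50 and leave on VLAN70 to 10.70.0.10. If nothing matches, `diagnose debug flow filter addr 10.7.1.50`, `diagnose debug flow trace start 10`, `diagnose debug enable` will show whether the packet is dropped for no matching phase-2 selector, no route, or no policy, which is almost always one of the three things wrong in this setup. Remember that the server's subnet must not also be advertised through the tunnel, or the remote side may bypass the VIP and the return path will be asymmetric.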