Contributor
May 19, 2011
Question

Need to NAT Traffic leaving a vpn Tunnel

  • May 19, 2011
  • 8 replies
  • 6294 views
I'm from Cisco Land (don't laugh) and have a FortiGate that I am working with. I want all traffic going across a site-to-site VPN tunnel to be NAT'd outbound to appear to be the inside IP address of the FortiGate. The VPN tunnel is already active, but we have changed some internal IPs and figured it might be easier to do this than deal with the remote site's IT folks. Any assistance is appreciated.

    8 replies

    rwpatterson
    New Member
    May 19, 2011
    Welcome to the forums (and Forti-land). Obviously, the 'inside' address would have to be Internet routeable for this to work.
    Contributor
    May 19, 2011
    Why is that? Maybe I didn't phrase it right, but basically I want the other side of the tunnel to see all the traffic as coming from a single inside IP from my side instead of the various native IPs. In Cisco World I can do that with a policy NAT saying all traffic from x to y, NAT to z address, and z address doesn't have to be a public IP address.
    rwpatterson
    New Member
    May 19, 2011
    Well, if on the inside you're using private IP addresses, then in the Internet browsing policy you will have to check the NAT box anyway. This will NAT all traffic to the interface's IP address. That IP address can be amended by using an IP pool with the address(es) you wish to appear on the outside. Hope that helps.
    ede_pfau
    SuperUser
    May 20, 2011
    You can easily do this, but the way depends on how you set up the VPN. I assume (and hope) you created the phase1 with "Interface Mode" checked. This yields a tunnel interface similar to a physical interface. You only need a route to direct traffic to the tunnel and you're done. Now for source NAT (changing all source addresses to a different address) you just check "NAT" in the policy "internal" -> "tunnel". All traffic will appear to come from the internal IP address of the FGT. If you haven't created the tunnel in interface mode then I'd recommend re-creating it. You can do source NAT with policy-based VPNs as well, but it's really a PITA from the user's perspective. The paradigm of an interface is so easy in comparison, and more so if you use advanced features like NAT, PAT, routing, load-balancing etc. It's not much effort to create an interface-based VPN, just check that control when creating phase1 - it cannot be reverted later.
    ede_pfau
    SuperUser
    May 20, 2011
    @Bob: OP is talking about VPN tunnel traffic, not Internet browsing. So NAT is an option but not required. Obviously they've been using private addresses all the time across the tunnel.
    rwpatterson
    New Member
    May 20, 2011
    I see.
    Contributor
    May 20, 2011
    Ede, thanks. I did not create the VPN tunnel. It was already set up without that option selected. I can recreate it, but don't know the pre-shared key. Is there a way to recover that, or will I have to contact the remote end and get it from them? -Matthew
    rwpatterson
    New Member
    May 20, 2011
    If you cannot get it from the remote end, there is a way to do it if you have a backup of the config. Let us know if you need that, and I'll work out a writeup of how to do it.
    Contributor
    May 20, 2011
    Bob, That would be helpful. Thanks!
    rwpatterson
    New Member
    May 20, 2011
    OK, for this example, the tunnel is called "Tun.xTESTx". Make a backup of your config. Snip out the config sections for the firewall policy and the phase 1 & 2 definitions.
      config vpn ipsec phase1
          edit "Tun.xTESTx"
              set interface "port2"
              set nattraversal disable
              set dhgrp 2
              set proposal 3des-md5
              set remote-gw xx.xx.xx.xx
              set psksecret ENC blah-blah-blah   (This is your encoded key, do not alter)
          next
      end
      config vpn ipsec phase2
          edit "Tun.xTESTx"
              set keepalive enable
              set phase1name "Tun.xTESTx"
              set proposal 3des-md5
              set src-addr-type ip
              set dhgrp 2
              set dst-subnet xx.xx.xx.0 255.255.255.0
              set keylifeseconds 28800
              set src-start-ip xx.xx.xx.xx
          next
      end
      config firewall policy
          edit 58
              set srcintf "port1"
              set dstintf "port2"
              set srcaddr "Server"
              set dstaddr "Remote.Sub.xTESTx"
              set action ipsec
              set schedule "always"
              set service "ANY"
              set logtraffic enable
              set inbound enable
              set outbound enable
              set vpntunnel "Tun.xTESTx"
          next
      end
    Either from the CLI or the GUI, delete the policy(s) that are attached to the tunnel. (#58 here)
      config firewall policy
          delete 58
      end
    Either from the CLI or the GUI, delete the phase2 and phase1 definitions for the tunnel in that order.
      config vpn ipsec phase2
          delete "Tun.xTESTx"
      end
      config vpn ipsec phase1
          delete "Tun.xTESTx"
      end
    Next, go into the snippets of the code (above) and make the following changes (marked with <- below):
      config vpn ipsec phase1-interface
          edit "Int.xTESTx"
              set interface "port2"
              set nattraversal disable
              set dhgrp 2
              set proposal 3des-md5
              set remote-gw xx.xx.xx.xx
              set psksecret ENC blah-blah-blah
          next
      end
      config vpn ipsec phase2-interface
          edit "Int.xTESTx"
              set keepalive enable
              set phase1name "Int.xTESTx"
              set proposal 3des-md5
              set src-addr-type ip
              set dhgrp 2
              set dst-subnet xx.xx.xx.0 255.255.255.0
              set keylifeseconds 28800
              set src-start-ip xx.xx.xx.xx
          next
      end
      config firewall policy
          edit 58
              set srcintf "port1"
              set dstintf "Int.xTESTx"
              set srcaddr "Server"
              set dstaddr "Remote.Sub.xTESTx"
              set action accept                <- No longer "ipsec"
              set schedule "always"
              set service "ANY"
              set logtraffic enable
              set inbound enable               <- REMOVE THIS
              set outbound enable              <- REMOVE THIS
              set vpntunnel "Tun.xTESTx"       <- REMOVE THIS
          next
      end
    Go to the CLI widget or open an SSH session and paste in the changed configuration sections. In addition to the above changes, you will need a policy from the outside in, as well as a static route(s) to the remote subnet(s). With the code changes in place prior, all this cutting and pasting should take under five minutes. Also a side note: I changed the name from a prefix of "Tun." for policy-based to "Int." for interface-based. Just something I do. Also, if the tunnel doesn't come up right away, have the far end drop their connection so the tunnel can re-key. Hope that works for you. Good luck.
    ede_pfau
    SuperUser
    May 21, 2011
    Changing from policy-based VPN to interface-based VPN is quite easy:
    - get the config (unencrypted)
    - modify the text file
    - restore this config (will reboot)
    If you compare the VPN sections for the two tunnel modes, the only difference is that it's named "conf vpn ipsec phase1,2-interface" instead of just "conf vpn ipsec phase1,2". So changing that takes only seconds. The new VPN will show up as a network interface (with its phase1 name). So you define ordinary policies 'internal->tunnel' and 'tunnel->internal' to allow traffic to and from the tunnel. And like for routing to any other remote subnet, you create a static route for the remote subnet behind the tunnel, specifying the tunnel interface as destination interface (no gateway needed). In the CLI it's "conf route static" etc. You can do that from the GUI as well, even after restoring. And in 1,2,3 you are done. IN YOUR CASE don't forget to check the NAT option in the policy 'internal->tunnel'! That's what this whole thread is about.
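The text-file conversion that both replies above describe (rename the two VPN sections to `-interface`, point the policy's dstintf at the tunnel, turn `action ipsec` into `accept`, drop the policy-mode-only lines, and tick NAT so tunnel traffic is sourced from the FortiGate's address), as an added Python example that is not part of this thread or of FortiOS. The sample input is a constructed abbreviation of the policy-based snippet posted above; the reverse policy and the static route to the remote subnet still have to be added by hand.

```python
# Sample input: a constructed, abbreviated copy of the policy-based snippet above.
POLICY_BASED = """\
config vpn ipsec phase1
    edit "Tun.xTESTx"
        set interface "port2"
        set psksecret ENC blah-blah-blah
    next
end
config vpn ipsec phase2
    edit "Tun.xTESTx"
        set phase1name "Tun.xTESTx"
        set dst-subnet 192.168.50.0 255.255.255.0
    next
end
config firewall policy
    edit 58
        set srcintf "port1"
        set dstintf "port2"
        set action ipsec
        set inbound enable
        set outbound enable
        set vpntunnel "Tun.xTESTx"
    next
end
"""

def to_interface_mode(cfg: str, old_name: str, new_name: str) -> str:
    """Apply the thread's edits line by line; the ENC psksecret is carried over untouched."""
    out, section = [], None
    for line in cfg.splitlines():
        s = line.strip()
        indent = line[: len(line) - len(line.lstrip())]
        if s.startswith("config "):
            section = s
        if section == "config firewall policy":
            # Policy-mode-only settings: an interface-mode policy has no use for them.
            if s in ("set inbound enable", "set outbound enable") or s.startswith("set vpntunnel "):
                continue
            if s.startswith("set dstintf "):
                s = f'set dstintf "{new_name}"'  # the tunnel is now the egress interface
            elif s == "set action ipsec":
                out.append(f"{indent}set action accept")
                s = "set nat enable"  # source-NAT to the FGT address: the OP's actual goal
        elif s in ("config vpn ipsec phase1", "config vpn ipsec phase2"):
            s += "-interface"
        out.append(indent + s.replace(f'"{old_name}"', f'"{new_name}"'))
    return "\n".join(out) + "\n"

if __name__ == "__main__":
    print(to_interface_mode(POLICY_BASED, "Tun.xTESTx", "Int.xTESTx"))
```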
    Contributor
    May 23, 2011
    Thanks to both of you. One more and hopefully final question. I have 1 phase 1, but multiple phase 2s for this config. Where exactly do I insert the interface command?
    config vpn ipsec phase1
        edit "XXXXX"
            set type static
            set interface "wan1"
            set local-gw 0.0.0.0
            set dpd enable
            set nattraversal enable
            set dhgrp 1 5
            set proposal des-md5 3des-sha1 aes128-md5
            set keylife 86400
            set authmethod psk
            set peertype any
            set xauthtype disable
            set mode main
            set localid ''
            set localid-type auto
            set remote-gw XXXXX
            set dpd-retrycount 3
            set dpd-retryinterval 5
            set psksecret ENC XXXXX
            set keepalive 10
        next
    end
    config vpn ipsec phase2
        edit "XXXXXX-p2-1"
            set auto-negotiate disable
            set dst-addr-type subnet
            set dst-port 0
            set encapsulation tunnel-mode
            set keepalive disable
            set keylife-type both
            set pfs disable
            set phase1name "XXXX"
            set proposal des-md5 3des-sha1 aes128-sha1
            set protocol 0
            set replay disable
            set selector-match auto
            set src-addr-type subnet
            set src-port 0
            set use-natip enable
            set dst-subnet XXXX 255.255.255.0
            set keylifekbs 8192
            set keylifeseconds 86400
            set src-subnet XXXXX 255.255.255.0
        next
        edit "XXXX-p2-2"
            set auto-negotiate disable
            set dst-addr-type subnet
            set dst-port 0
            set encapsulation tunnel-mode
            set keepalive disable
            set keylife-type both
            set pfs disable
            set phase1name "XXXXX"
            set proposal des-md5 3des-sha1 aes128-sha1
            set protocol 0
            set replay disable
            set selector-match auto
            set src-addr-type subnet
            set src-port 0
            set use-natip enable
            set dst-subnet XXX 255.255.255.0
            set keylifekbs 8192
            set keylifeseconds 86400
            set src-subnet XXXXX 255.255.255.0
        next
        edit "XXXX-p2-3"
            set auto-negotiate disable
            set dst-addr-type subnet
            set dst-port 0
            set encapsulation tunnel-mode
            set keepalive disable
            set keylife-type both
            set pfs disable
            set phase1name "XXXX"
            set proposal des-md5 3des-sha1 aes128-null
            set protocol 0
            set replay disable
            set selector-match auto
            set src-addr-type subnet
            set src-port 0
            set use-natip enable
            set dst-subnet XXXX 255.255.255.0
            set keylifekbs 8192
            set keylifeseconds 86400
            set src-subnet XXXX 255.255.255.0
        next
    end
    rwpatterson
    New Member
    May 23, 2011
    config vpn ipsec phase2-interface
        edit "XXXXXX-p2-1"
            set auto-negotiate disable
            set dst-addr-type subnet
            set dst-port 0
            set encapsulation tunnel-mode
            set keepalive disable
            set keylife-type both
            set pfs disable
            set phase1name "XXXX"
            set proposal des-md5 3des-sha1 aes128-sha1
            set protocol 0
            set replay disable
            set selector-match auto
            set src-addr-type subnet
            set src-port 0
            set use-natip enable
            set dst-subnet XXXX 255.255.255.0
            set keylifekbs 8192
            set keylifeseconds 86400
            set src-subnet XXXXX 255.255.255.0
        next
        edit "XXXX-p2-2"
            set auto-negotiate disable
            set dst-addr-type subnet
            set dst-port 0
            set encapsulation tunnel-mode
            set keepalive disable
            set keylife-type both
            set pfs disable
            set phase1name "XXXXX"
            set proposal des-md5 3des-sha1 aes128-sha1
            set protocol 0
            set replay disable
            set selector-match auto
            set src-addr-type subnet
            set src-port 0
            set use-natip enable
            set dst-subnet XXX 255.255.255.0
            set keylifekbs 8192
            set keylifeseconds 86400
            set src-subnet XXXXX 255.255.255.0
        next
        edit "XXXX-p2-3"
            set auto-negotiate disable
            set dst-addr-type subnet
            set dst-port 0
            set encapsulation tunnel-mode
            set keepalive disable
            set keylife-type both
            set pfs disable
            set phase1name "XXXX"
            set proposal des-md5 3des-sha1 aes128-null
            set protocol 0
            set replay disable
            set selector-match auto
            set src-addr-type subnet
            set src-port 0
            set use-natip enable
            set dst-subnet XXXX 255.255.255.0
            set keylifekbs 8192
            set keylifeseconds 86400
            set src-subnet XXXX 255.255.255.0
        next
    end