Single Source NAT IP to access remote network over routed VPN

Question

Requirement:Access multiple remote client hosts (not entire remote LAN) over VPN and presenting local clients as single IP of 61.x.x.x. This is to comply with security imposed by remote client's CISCO ASR. See pic below for requirement. Following existing fortinet doco http://cookbook.fortinet.com/vpn-overlapping-subnets/ , I am only able to successfully established a routed VPN between the gateways 219.x.x.x <>185.x.x.x, using the "Site to Site - Cisco" wizard template then converted to custom VPN. Attempts to manually setting up the tunnel without converting from the template actually didn't work, despite matching all configuration!  My local LAN 192.168.0.x clients will need to access a number of specific remote hosts e.g 10.1.x.x and 10.2.x.x. Below are the Policies modified from the fortigate autocreated ones:edit 45         set srcintf "internal"         set dstintf "VPN-Phase1"         set srcaddr "Local LAN"         set dstaddr "all"         set action accept         set schedule "always"         set service "ALL"         set natip 66.x.x.x 255.255.255.255     next     edit 46         set srcintf "VPN-Phase1"         set dstintf "internal"         set srcaddr "all"         set dstaddr "Local LAN"         set action accept         set schedule "always"         set service "ALL"         set nat enable         set fixedport enable Static routes to the remote hosts are also being set:next     edit 13         set dst 10.1.x.x 255.255.255.255         set device "VPN-Phase1"     next     edit 14         set dst 10.2.x.x 255.255.255.255         set device "VPN-Phase1" At the moment, the VPN tunnel will come up with no problem, but no traffic will passthrough. Traceroute shows that it didn't go any further than the fortigate's local LAN gateway. I have also read through an almost identical thread https://forum.fortinet.com/tm.aspx?m=104484 but the details were scarce so I am at a lost of what else may be missing.

Toshi_Esumi · Accepted Answer

First of all, do you really need to set up VIPs on both sides like in the cookbook? If the other side is your customer, likely you don't want to let them get in your network. Besides your local subnet doesn't seem to be overlapping with the customer's.

Then those policies don't look right. If you need only one-way access, only thing you need is to enable NAT at your local FG on the outgoing policy (45). Then it automatically use the VPN interface IP that you must have as 61.x.x.x/255.255.255.255 as in your diagram. You might not even need the policy 46 for the opposite direction because one-way. Then it should work from local device toward the customer devices.

You still need to have static routes for customer subnets you need to reach on the FG toward the tunnel if the GUI hasn't created automatically yet. Check via CLI.

Then you need to run ike app debug while you try sending packets toward the customer device to see if phase2 comes up.

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded