Mike_P
New Member
June 3, 2020
Question

Source and Destination NAT over VPN


I have a FortiGate 30E that I am trying to get SNAT and DNAT working over a VPN tunnel to a Cisco 4331.

The LAN is a registered public network that belongs to the company I work for; I will use 1.1.1.0/24 for this scenario.

I have created a site-to-site VPN tunnel with my local address as 10.209.253.0/255.255.255.0 and my remote address as 0.0.0.0/0.0.0.0.

I have created a Dynamic IP Pool (Fixed Port Range) with my External IP Range as 10.209.253.1 - 10.209.253.254 and an Internal IP Range as 1.1.1.1 - 1.1.1.254.

I created the IPv4 policy using the LAN as the incoming interface and the VPN as the outgoing interface, with NAT to the Dynamic IP Pool of 10.209.253.1-254/24.

The VPN comes up and I am able to ping a loopback address on the Cisco 4331, 10.250.110.98, from a PC on the LAN of the 30E, 1.1.1.111.

I have verified that source address 1.1.1.111 is being translated to source-NAT address 10.209.253.111 and that the destination address is 10.250.110.98.

The issue I am running into is pinging from the Cisco 4331, 10.250.110.98, to the 30E 1.1.1.254, which is the LAN address of the 30E. After researching the Fortinet website, Google and YouTube, I found an article that I thought sounded like it would work.

I created a Virtual IP (static NAT) using the VPN interface with an External IP Address Range of 10.209.253.1 - 10.209.253.254 and a Mapped IP Address Range of 1.1.1.1 - 1.1.1.254, and created a policy using the VPN as the incoming interface and the LAN as the outgoing interface, allowing all services, with NAT disabled.

Still cannot ping from the 4331 to the 30E.

Any help would be greatly appreciated!

lobstercreed
New Member
June 4, 2020

If I followed all that correctly, I have four concerns:

1. You said "The issue I am running into is the pinging from the Cisco 4331, 10.250.110.98 to the 30E 1.1.1.254, which is the LAN address of the 30E", but you already explained that you're having to NAT everything 1.1.1.x to 10.209.253.x, presumably because the 1.1.1.x addresses overlap with something on the 4331's network. So I guess the question is: have you tried pinging 10.209.253.254 to get a response?
2. You also mentioned pinging the LAN interface on the firewall. It's possible that you can ping other hosts on the LAN (again using their NAT'd IPs) while still not being able to ping the firewall if you don't have PING enabled in the interface configuration, so double-check those things.
3. Is the far end (4331) configured correctly to route 10.209.253.0/24 to you across the VPN tunnel? Now that I think again, it must be, based on the fact that you can ping from a host on your LAN.
4. Lastly, and this may be of greatest importance, but I don't think you want the remote address on the FortiGate VPN to be 0.0.0.0/0. I'll be the first to admit I'm not very experienced with these configs, but I'm like 99% sure you need that to be the 10.250.110.98/24 network, and perhaps any others that exist on the remote LAN. It may not affect the scenario you're describing, but if I'm picturing this right you're going to send ALL Internet traffic down this tunnel the way you have it set up. That sounds problematic to me, but perhaps that's normal.
emnoc
New Member
June 4, 2020

The diag debug flow is your friend. First, what do you show between the src/dst subnets? They should be the NAT'd address/subnet and not the pre-NAT details:

    diag vpn tunnel list | grep "src: \ dst:"

Look at src: and dst:.

What does the policy look like (show firewall policy <###>)?

What does diag debug flow show (is it matching the policy, is a route found, is IPsec involved)?

Ken Felix
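Added illustration, not FortiOS code and not posted by anyone in this thread: a small Python model that reduces the fixed-port-range pool (SNAT outbound), the static-NAT VIP (DNAT inbound) and the phase 2 selectors to address arithmetic, so the two points raised in the replies can be checked mechanically: that pings from the 4331 have to target the NAT'd address 10.209.253.254 rather than 1.1.1.254 and that the remote selector should be narrowed (lobstercreed), and that the selectors must carry the post-NAT addresses, which is what `diag vpn tunnel list` reports (emnoc). The remote LAN prefix 10.250.110.0/24 is an assumption taken from the first reply; the thread does not state it.

```python
"""Constructed model of the overlapping-subnet NAT-over-VPN setup in this thread.
Not FortiOS code: pool, VIP and phase 2 selectors are plain address arithmetic."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network


@dataclass(frozen=True)
class RangeMap:
    """One-to-one mapping between two equal-sized ranges (IP pool or VIP)."""
    inside_first: IPv4Address
    inside_last: IPv4Address
    outside_first: IPv4Address
    outside_last: IPv4Address

    def __post_init__(self):
        inside = int(self.inside_last) - int(self.inside_first)
        outside = int(self.outside_last) - int(self.outside_first)
        if inside != outside:
            raise ValueError("a static mapping needs equal-sized ranges")

    def to_outside(self, addr: IPv4Address):
        """SNAT direction: 1.1.1.x -> 10.209.253.x, or None if not in range."""
        if not self.inside_first <= addr <= self.inside_last:
            return None
        return self.outside_first + (int(addr) - int(self.inside_first))

    def to_inside(self, addr: IPv4Address):
        """DNAT direction: 10.209.253.x -> 1.1.1.x, or None if not in range."""
        if not self.outside_first <= addr <= self.outside_last:
            return None
        return self.inside_first + (int(addr) - int(self.outside_first))


@dataclass(frozen=True)
class Phase2:
    """IPsec phase 2 traffic selectors as configured on the FortiGate side."""
    local: IPv4Network
    remote: IPv4Network


# Values from the thread; 1.1.1.0/24 stands in for the company's registered range.
PRE_NAT_LAN = ip_network("1.1.1.0/24")
POOL = RangeMap(ip_address("1.1.1.1"), ip_address("1.1.1.254"),
                ip_address("10.209.253.1"), ip_address("10.209.253.254"))
VIP = POOL  # the VIP is the same mapping, written from the outside in
SELECTORS_AS_POSTED = Phase2(ip_network("10.209.253.0/24"), ip_network("0.0.0.0/0"))
# Assumed remote LAN prefix, per the first reply (not confirmed in the thread).
SELECTORS_SUGGESTED = Phase2(ip_network("10.209.253.0/24"), ip_network("10.250.110.0/24"))


def outbound(src: str, dst: str, pool=POOL, p2=SELECTORS_AS_POSTED):
    """LAN -> VPN policy with NAT: translate the source first, then match the
    post-NAT pair against the selectors (the src:/dst: the tunnel carries)."""
    s, d = ip_address(src), ip_address(dst)
    nat_src = pool.to_outside(s)
    if nat_src is None:
        return ("no-pool-match", src, dst)
    if not (nat_src in p2.local and d in p2.remote):
        return ("selector-miss", str(nat_src), dst)
    return ("ok", str(nat_src), dst)


def inbound(src: str, dst: str, vip=VIP, p2=SELECTORS_AS_POSTED):
    """VPN -> LAN policy with VIP: the packet arrives addressed to the NAT'd
    address, selectors are checked on those wire addresses, then the VIP maps
    the destination back to the real LAN host."""
    s, d = ip_address(src), ip_address(dst)
    if not (s in p2.remote and d in p2.local):
        return ("selector-miss", src, dst)
    real_dst = vip.to_inside(d)
    if real_dst is None:
        return ("no-vip-match", src, dst)
    return ("ok", src, str(real_dst))


def review_selectors(local: str, remote: str, pool=POOL, pre_nat=PRE_NAT_LAN):
    """The points raised in the replies as mechanical checks on a selector pair."""
    p2 = Phase2(ip_network(local), ip_network(remote))
    findings = []
    if p2.local.overlaps(pre_nat):
        findings.append("local selector carries the pre-NAT LAN, not the pool addresses")
    if pool.outside_first not in p2.local or pool.outside_last not in p2.local:
        findings.append("pool range is not fully inside the local selector")
    if p2.remote.prefixlen == 0:
        findings.append("remote selector 0.0.0.0/0 pulls all traffic, Internet included, into the tunnel")
    return findings


if __name__ == "__main__":
    print(outbound("1.1.1.111", "10.250.110.98"))      # the working direction
    print(inbound("10.250.110.98", "10.209.253.254"))  # ping the NAT'd LAN address
    print(inbound("10.250.110.98", "1.1.1.254"))       # pre-NAT address never matches
    for finding in review_selectors("10.209.253.0/24", "0.0.0.0/0"):
        print("finding:", finding)
```

The third call is the case from the original question: a packet for 1.1.1.254 never matches the local selector 10.209.253.0/24, so it is not even a VIP question until the 4331 pings 10.209.253.254. Running `review_selectors` on a local selector of 1.1.1.0/24 reproduces the mismatch emnoc asks to look for in the `diag vpn tunnel list` output.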

Mike_P (Author)
New Member
June 4, 2020

Lobstercreed and emnoc, thanks for the replies!

I will answer Lobstercreed's questions first.

1. From the 30E LAN, 1.1.1.111 (which translates to 10.209.253.111) can ping the 4331 loopback address 10.250.110.98. This brings up the VPN, and I confirmed with the session list that 1.1.1.111 translates to 10.209.253.111.

2. The LAN interface is .254 and the PC is .111; neither is pingable from the 4331. I have verified that PING is enabled.

3. When the VPN establishes, it receives a static route from the public IP the 30E is behind.

4. I have tried it both ways.

Ken,

I am in Tomball, TX; you are close.

I need to play around with the diags, debugs, or whatever FortiGate calls it.

This is a strange one.

If I put the 10.209.253.0/24 on the LAN and do not do the NAT, I can ping the FortiGate from the 4331.

I am going to try and get some kind of drawing on here.

Thanks!