daniyal
New Member
January 28, 2020
Question

Unidirectional NAT through IPSEC tunnel.


Hi All,

We have configured an interface-based VPN to the remote client (Palo Alto FW). The tunnel is up and working fine.

Now the customer has asked us to implement NAT for all of my subnets currently connected to my FortiGate (including the dialup VPN users' subnet).

 

They would like the sources (prod, Training, dialup VPN users) to be NATed to a single IP (172.16.100.x/32) and then go into the IPsec tunnel, so that on the remote side only a single IP is visible to them (i.e. 172.16.100.x/32).

 

As the traffic is only unidirectional, I am following the solution provided in this KB:

https://kb.fortinet.com/kb/microsites/search.do?cmd=displayKC&docType=kc&externalId=FD33885&sliceId=1&docTypeID=DT_KCARTICLE_1_1&dialogID=129474053&stateId=0%200%20168934167%27)

 

Now, my question is this: I have different subnets like 172.16.10.x/24, 10.10.10.x/24 and a dialup subnet (10.80.10.x/24), and I want to NAT them to a single IP, say 172.16.100.x/32, so that the remote side sees only one IP. Is this possible?

 

The second question is this: do I need to change my current route-based VPN in order to implement the above requirement by selecting the post-NAT IP in the phase 2 selectors, or do I need to create a new policy-based VPN to implement the scenario mentioned above?


    emnoc
    New Member
    January 28, 2020

    Q1 yes

     

    Q2 yes

     

    Put the POST_NAT address in the phase 2 settings. I do this in a FGT-2-SRX.

     

    config firewall policy
        edit 89
            set name "fgt2-branchSRX345"
            set srcintf "internal"
            set dstintf "FGT2BRANCHSRXSCHOOL_SYS"
            set srcaddr "192.168.1.0" "192.168.4.0" "192.168.11.0"
            set dstaddr "LOCAL_SUBNET"
            set action accept
            set schedule "always"
            set service "ALL"
            set ippool enable
            set poolname "SRXremoteofcSYS"
            set nat enable
        next
    end

     

    The address of "SRXremoteofcSYS" is my phase 2 local-subnet for the IPsec PH2 traffic selectors.

     

    Ken Felix

     

    daniyal (Author)
    New Member
    January 28, 2020

    Thanks Ken,

    Please clarify one thing regarding Q2: does the 'yes' count for route-based VPN or for policy-based VPN?

    Apologies for my dumbness :D

     

    emnoc
    New Member
    January 28, 2020

    Route-based.

    Ken Felix