VPN multiple remote subnets SNAT to 1 NAT pool
Hello,
I have a FortiGate 100E that I use as firewall/VPN. I encounter the following problem:
Only one remote subnet gets translated (SNAT) on the FortiGate; the second one doesn't get translated.
SEC (VPN) # diagnose sniffer packet any 'dst host 172.24.1.213'
interfaces=[any]
filters=[dst host 172.24.1.213]
16.538757 172.16.1.43.62586 -> 172.24.1.213.22: syn 3019323432
16.538863 10.150.10.103.62586 -> 172.24.1.213.22: syn 3019323432
16.538869 10.150.10.103.62586 -> 172.24.1.213.22: syn 3019323432
16.538875 10.150.10.103.62586 -> 172.24.1.213.22: syn 3019323432
16.556685 172.16.1.43.62586 -> 172.24.1.213.22: ack 533124325
16.556731 10.150.10.103.62586 -> 172.24.1.213.22: ack 533124325
16.556736 10.150.10.103.62586 -> 172.24.1.213.22: ack 533124325
16.556741 10.150.10.103.62586 -> 172.24.1.213.22: ack 533124325

SEC (VPN) # diagnose sniffer packet any 'dst host 172.24.1.213'
interfaces=[any]
filters=[dst host 151.236.128.213]
15.330363 192.168.1.71.1186 -> 172.24.1.213.22: syn 508999052
16.334103 192.168.1.71.1186 -> 172.24.1.213.22: syn 508999052
18.347741 192.168.1.71.1186 -> 172.24.1.213.22: syn 508999052
22.350150 192.168.1.71.1186 -> 172.24.1.213.22: syn 508999052
A remote site (SonicWall) has two subnets that need to connect to the local site (FortiGate 100E) with multiple subnets.
Remote subnets 172.16.1.0/24 and 192.168.1.0/24. These subnets are grouped in "Remote-SiteA-grp"
Local subnets 172.24.1.0/24, 172.28.1.0/24 and 192.168.254.0/24. These subnets are grouped in "Local-Application-grp"
On the FortiGate I have an IP pool:
Name: "SNAT-Remote-SiteA"
Type: Overload
External IP Range: 10.150.10.10 - 10.150.10.254
On the FortiGate I configured the IPsec tunnel; the tunnel is UP.
Incoming Policy:
Name: From_L2L_Remote-SiteA
Incoming Interface: L2L_Remote-SiteA
Outgoing Interface: VPN-external
Source: Remote-SiteA-grp
Destination: Local-Application-grp
NAT: enabled
IP Pool Configuration: Use Dynamic IP Pool
Using pool: SNAT-Remote-SiteA
There is also an outgoing policy:
Name: To_L2L_Remote-SiteA
Incoming Interface: VPN-external
Outgoing Interface: L2L_Remote-SiteA
Source: Local-Application-grp
Destination: Remote-SiteA-grp
Any idea what goes wrong here?
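As an added example (not part of the post and not FortiOS code), a small Python script that parses the `diagnose sniffer packet` output shown above and reports, for each remote source address, whether a copy of the same packet translated into the SNAT pool range appears in the capture. The packet sample is the post's two captures reformatted one packet per line; the subnets and pool range are the ones the post gives.

```python
import ipaddress
import re
from collections import defaultdict

# Sample input: the packets from the post's two sniffer captures, one per line
# (the original output ran them together). Pool range and subnets are from the post.
CAPTURE = """\
16.538757 172.16.1.43.62586 -> 172.24.1.213.22: syn 3019323432
16.538863 10.150.10.103.62586 -> 172.24.1.213.22: syn 3019323432
16.556685 172.16.1.43.62586 -> 172.24.1.213.22: ack 533124325
16.556731 10.150.10.103.62586 -> 172.24.1.213.22: ack 533124325
15.330363 192.168.1.71.1186 -> 172.24.1.213.22: syn 508999052
16.334103 192.168.1.71.1186 -> 172.24.1.213.22: syn 508999052
"""
REMOTE_SUBNETS = ["172.16.1.0/24", "192.168.1.0/24"]
SNAT_POOL = ("10.150.10.10", "10.150.10.254")

# One 'diagnose sniffer packet' line: <ts> <src>.<sport> -> <dst>.<dport>: <flag> <seq>
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<src>(?:\d{1,3}\.){3}\d{1,3})\.(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>(?:\d{1,3}\.){3}\d{1,3})\.(?P<dport>\d+):\s+(?P<flag>\w+)\s+(?P<seq>\d+)"
)

def parse_sniffer(text):
    """Return one dict per capture line that matches LINE_RE; other lines are skipped."""
    return [m.groupdict() for m in map(LINE_RE.match, (l.strip() for l in text.splitlines())) if m]

def snat_report(text, remote_subnets, pool):
    """Map each remote source IP seen to the pool address it was translated to, or
    None when no translated copy of any of its packets appears in the capture."""
    nets = [ipaddress.ip_network(n) for n in remote_subnets]
    lo, hi = (ipaddress.ip_address(a) for a in pool)
    in_pool = lambda ip: lo <= ipaddress.ip_address(ip) <= hi
    # SNAT rewrites only the source IP, so (sport, dst, dport, seq) identifies the
    # same packet before and after translation when sniffing on 'any'.
    by_key = defaultdict(list)
    for p in parse_sniffer(text):
        by_key[(p["sport"], p["dst"], p["dport"], p["seq"])].append(p["src"])
    report = {}
    for srcs in by_key.values():
        translated = next((s for s in srcs if in_pool(s)), None)
        for s in srcs:
            if any(ipaddress.ip_address(s) in n for n in nets) and report.get(s) is None:
                report[s] = translated
    return report

if __name__ == "__main__":
    for src, nat in snat_report(CAPTURE, REMOTE_SUBNETS, SNAT_POOL).items():
        print(f"{src:<15} -> {nat or 'NOT TRANSLATED'}")
```

On the sample above it reports 172.16.1.43 translated to 10.150.10.103 and 192.168.1.71 as not translated, which is the asymmetry the post describes; the same script can be pointed at a longer capture to confirm which remote hosts the policy actually NATs.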
