Description
This article presents two scenarios that explain how to use Source and Destination NAT in a policy-based VPN.
Scenario 1: Using Source NAT between Site A and Site B.
Scenario 2: Traffic arriving at Site A's WAN address should be forwarded to a specific server on Site B.
Scenario 1: Using Source NAT between Site A and Site B.
This scenario illustrates a policy-based VPN between two sites and explains how to Source NAT a specific IP in Site A before it reaches Site B. The same logic can be used to Source NAT a whole subnet.
Scenario 2: Traffic arriving at Site A's WAN address should be forwarded to a specific server on Site B.
This scenario illustrates how to use Destination NAT (a VIP) in a policy-based VPN.
Solution
Scenario 1: Using Source NAT between Site A and Site B.
This scenario illustrates Policy Based VPN between 2 sites and explains how to Source NAT a specific IP in Site A before reaching Site B. The same logic can be used to Source NAT a whole subnet.
Topology
Site A Setup:
WAN IP : 10.0.18.25
LAN IP : 10.129.0.25/23
Local IP which should be Natted: 10.129.0.24 (with 20.20.20.20)
config vpn ipsec phase1
edit "VPN_To_Atl36"
set interface "port1"
set proposal des-md5 des-sha1
set remote-gw 10.0.18.45
next
end
config vpn ipsec phase2
edit "Phase2"
set phase1name "VPN_To_Atl36"
set proposal des-md5 des-sha1
set use-natip disable
next
end
The des-md5/des-sha1 proposals are what this lab used; DES and MD5 are obsolete, so use an AES/SHA-2 proposal in production. No src-subnet/dst-subnet is set in this phase2, so the quick mode selectors default to 0.0.0.0/0 on both sides. That matters here: the translated address 20.20.20.20 belongs to neither LAN, and it must still fall inside the negotiated selectors for the tunnel to carry it.
Address Objects
Create Address objects for ’10.129.0.24/32’ ‘10.129.0.0/23’ and ’10.130.0.0/23’.
Firewall Policies
Two firewall policies are needed. The specific NAT policy (2) must be ordered above the broader subnet policy (3), because the first matching policy wins:
config firewall policy
edit 2
set srcintf "port2"
set dstintf "port1"
set srcaddr "10.129.0.24"
set dstaddr "Remote_LAN_10.130"
set action ipsec
set schedule "always"
set service "ANY"
set natip 20.20.20.20 255.255.255.255
set inbound enable
set outbound enable
set natoutbound enable
set vpntunnel "VPN_To_Atl36"
next
edit 3
set srcintf "port2"
set dstintf "port1"
set srcaddr "LAN_10.129.0.0"
set dstaddr "Remote_LAN_10.130"
set action ipsec
set schedule "always"
set service "ANY"
set inbound enable
set outbound enable
set vpntunnel "VPN_To_Atl36"
next
end
Site B Setup:
WAN IP : 10.0.18.45
LAN IP : 10.130.0.45/23
VPN configuration
config vpn ipsec phase1
edit "VPN_To_Atl_16"
set interface "port1"
set remote-gw 10.0.18.25
next
end
config vpn ipsec phase2
edit "Phase2"
set phase1name "VPN_To_Atl_16"
next
end
Address Objects
Create Address objects for ’20.20.20.20/32’, ‘10.129.0.0/23’ and ’10.130.0.0/23’. Site B never sees 10.129.0.24 itself; it sees the translated address, so that is the object its policy must reference.
Firewall Policies
config firewall policy
edit 3
set srcintf "port2"
set dstintf "port1"
set srcaddr "Local_10.130"
set dstaddr "20.20.20.20"
set action ipsec
set schedule "always"
set service "ALL"
set inbound enable
set outbound enable
set vpntunnel "VPN_To_Atl_16"
next
edit 4
set srcintf "port2"
set dstintf "port1"
set srcaddr "Local_10.130"
set dstaddr "Remote_10.129"
set action ipsec
set schedule "always"
set service "ALL"
set inbound enable
set outbound enable
set vpntunnel "VPN_To_Atl_16"
next
end
Once this is in place, whenever 10.129.0.24 accesses the remote 10.130.0.0/23 it is matched by policy 2 and its source is translated to 20.20.20.20. Site B sees the flow as coming from 20.20.20.20, which is why Site B's policy 3 references that address rather than the 10.129.0.0/23 subnet.
Any other host in 10.129.0.0/23 is matched by policy 3 and crosses the tunnel with its own address, with no NAT applied.
Scenario 2: Traffic hitting on Site A should be forwarded to a specific server on Site B.
This scenario illustrates how to use Destination NAT in a policy based VPN.
Topology
Site A Setup
WAN IP : 10.0.18.25
Free WAN IP (used as the VIP external address): 10.0.18.11
LAN IP : 10.129.0.25/23
Create Address Objects for Local and Remote subnets.
VPN configuration
config vpn ipsec phase1
edit "VPN_to_Atl_36"
set interface "port1"
set remote-gw 10.0.18.45
next
end
config vpn ipsec phase2
edit "VPN_to_Atl_36"
set phase1name "VPN_to_Atl_36"
set use-natip disable
set pfs disable
set replay disable
next
end
pfs disable and replay disable are lab shortcuts from the original setup; keep PFS and anti-replay enabled in production (both ends must agree on the PFS setting).
VIP
config firewall vip
edit "VIP"
set extip 10.0.18.11
set extintf "port1"
set portforward enable
set mappedip "10.130.0.44"
set extport 8080
set mappedport 8080
next
end
A one-to-one (static NAT) VIP without port forwarding can be used instead, depending on the requirement; with port forwarding only the forwarded port (8080) is exposed through the VIP.
Firewall policies
config firewall policy
edit 2
set srcintf "port2"
set dstintf "port1"
set srcaddr "Internal_10.129"
set dstaddr "Remote_10.130"
set action ipsec
set schedule "always"
set service "ALL"
set inbound enable
set outbound enable
set vpntunnel "VPN_to_Atl_36"
next
edit 3
set srcintf "port1"
set dstintf "port1"
set srcaddr "all"
set dstaddr "VIP"
set action ipsec
set schedule "always"
set service "ALL"
set natip 10.0.18.11 255.255.255.255
set inbound enable
set outbound enable
set natoutbound enable
set vpntunnel "VPN_to_Atl_36"
next
end
DEBUG
How the tunnel and traffic should look when the debug commands are run:
SiteA # diagnose vpn tunnel list
list all ipsec tunnel in vd 0
------------------------------------------------------
name=VPN_to_Atl_36 ver=1 serial=1 10.0.18.25:0->10.0.18.45:0 lgwy=static tun=tunnel mode=auto bound_if=2
proxyid_num=1 child_num=0 refcnt=9 ilast=0 olast=0
stat: rxp=42 txp=90 rxb=4928 txb=4904
dpd: mode=active on=1 idle=5000ms retry=3 count=0 seqno=1487
natt: mode=none draft=0 interval=0 remote_port=0
proxyid=VPN_to_Atl_36 proto=0 sa=1 ref=2 serial=2
src: 0:0.0.0.0/0.0.0.0:0
dst: 0:0.0.0.0/0.0.0.0:0
SA: ref=3 options=0000004c type=00 soft=0 mtu=1438 expire=40758/0B replaywin=0 seqno=29
life: type=01 bytes=0/0 timeout=43151/43200
dec: spi=9af30383 esp=aes key=16 9699fa30efc110c9cc335b23806a731d
ah=sha1 key=20 6cf7508c489d4d8fe71a514dd2136945375771f0
enc: spi=103b3c89 esp=aes key=16 cbf7c9c4d2516b12a73b88918f4eb153
ah=sha1 key=20 ad171e92b5d5b75a831861ebe401f40991cf2185
dec:pkts/bytes=23/1200, enc:pkts/bytes=40/4928
Debug Flow on the Site A
id=20085 trace_id=65 func=print_pkt_detail line=4420 msg="vd-root received a packet(proto=6, 172.26.73.11:50798->10.0.18.11:8080) from port1. flag [S], seq 1398181761, ack 0, win 8192"
id=20085 trace_id=65 func=init_ip_session_common line=4569 msg="allocate a new session-0000151a"
id=20085 trace_id=65 func=fw_pre_route_handler line=176 msg="VIP-10.130.0.44:8080, outdev-port1"
id=20085 trace_id=65 func=__ip_session_run_tuple line=2564 msg="DNAT 10.0.18.11:8080->10.130.0.44:8080"
id=20085 trace_id=65 func=vf_ip4_route_input line=1596 msg="find a route: flags=00000000 gw-10.0.19.254 via port1"
id=20085 trace_id=65 func=fw_forward_handler line=671 msg="Allowed by Policy-3: encrypt SNAT"
id=20085 trace_id=65 func=__ip_session_run_tuple line=2550 msg="SNAT 172.26.73.11->10.0.18.11:50798"
id=20085 trace_id=65 func=ipsec_tunnel_output4 line=868 msg="enter IPsec tunnel-VPN_to_Atl_36"
id=20085 trace_id=65 func=ipsec_output_finish line=232 msg="send to 10.0.18.45 via intf-port1"
id=20085 trace_id=65 func=esp_output4 line=897 msg="encrypting, and send to 10.0.18.45 with source 10.0.18.25"
The trace shows the client (172.26.73.11) hitting Site A's VIP on 10.0.18.11:8080, the DNAT to 10.130.0.44:8080, the match on policy 3 ("encrypt SNAT"), the source translation to 10.0.18.11 and finally the packet entering the tunnel towards 10.0.18.45.
Translating the source is recommended: the VIP policy accepts connections from any Internet address, so without the SNAT Site B's policy would have to permit the entire Internet; with it, Site B only needs to allow the single address 10.0.18.11.
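To check a trace like the one above mechanically rather than by eye, the following Python is an added illustration (not a FortiGate tool): it parses diagnose debug flow lines for each trace_id and verifies that a VIP flow was DNATed, had its source rewritten to the VIP address and entered the expected tunnel. The sample input is the Site A trace from this article, embedded as a string; the timestamp prefix seen in the Site B output is accepted as well.

```python
"""Parse 'diagnose debug flow' output and recover the DNAT/policy/SNAT/tunnel chain.
Added illustration, not FortiGate code.  SAMPLE is the Site A trace from the article."""
import re

SAMPLE = """\
SiteA # diagnose debug flow show console enable
id=20085 trace_id=65 func=print_pkt_detail line=4420 msg="vd-root received a packet(proto=6, 172.26.73.11:50798->10.0.18.11:8080) from port1. flag [S], seq 1398181761, ack 0, win 8192"
id=20085 trace_id=65 func=init_ip_session_common line=4569 msg="allocate a new session-0000151a"
id=20085 trace_id=65 func=fw_pre_route_handler line=176 msg="VIP-10.130.0.44:8080, outdev-port1"
id=20085 trace_id=65 func=__ip_session_run_tuple line=2564 msg="DNAT 10.0.18.11:8080->10.130.0.44:8080"
id=20085 trace_id=65 func=vf_ip4_route_input line=1596 msg="find a route: flags=00000000 gw-10.0.19.254 via port1"
id=20085 trace_id=65 func=fw_forward_handler line=671 msg="Allowed by Policy-3: encrypt SNAT"
id=20085 trace_id=65 func=__ip_session_run_tuple line=2550 msg="SNAT 172.26.73.11->10.0.18.11:50798"
id=20085 trace_id=65 func=ipsec_tunnel_output4 line=868 msg="enter IPsec tunnel-VPN_to_Atl_36"
id=20085 trace_id=65 func=ipsec_output_finish line=232 msg="send to 10.0.18.45 via intf-port1"
id=20085 trace_id=65 func=esp_output4 line=897 msg="encrypting, and send to 10.0.18.45 with source 10.0.18.25"
"""

# optional "YYYY-MM-DD HH:MM:SS " prefix, then the id/trace_id/func/line/msg fields
LINE = re.compile(r'^(?:\S+ \S+ )?id=\d+ trace_id=(\d+) func=(\S+) line=\d+ msg="(.*)"\s*$')
PKT = re.compile(r'received a packet\(proto=(\d+), ([\d.]+):(\d+)->([\d.]+):(\d+)\) from (\S+)\.')
DNAT = re.compile(r'^DNAT ([\d.]+):(\d+)->([\d.]+):(\d+)$')
SNAT = re.compile(r'^SNAT ([\d.]+)->([\d.]+):(\d+)$')
POLICY = re.compile(r'^Allowed by Policy-(\d+): ?(.*)$')
TUNNEL = re.compile(r'^enter IPsec tunnel-(\S+)$')
ESP = re.compile(r'^encrypting, and send to ([\d.]+) with source ([\d.]+)$')


def parse_flow(text):
    """Return {trace_id: summary} for every trace found in the debug output."""
    flows = {}
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # prompt, blank line or other debug output
        tid, _func, msg = m.groups()
        f = flows.setdefault(tid, {"dnat": None, "policy": None, "policy_note": None,
                                   "snat": None, "tunnel": None, "peer": None,
                                   "local": None, "denied": None})
        if (p := PKT.search(msg)):
            f.update(proto=int(p[1]), src=p[2], sport=int(p[3]),
                     dst=p[4], dport=int(p[5]), inintf=p[6])
        elif (d := DNAT.match(msg)):
            f["dnat"] = (d[1], int(d[2]), d[3], int(d[4]))
        elif (s := SNAT.match(msg)):
            f["snat"] = (s[1], s[2])          # (original source, translated source)
        elif (a := POLICY.match(msg)):
            f["policy"], f["policy_note"] = int(a[1]), a[2]
        elif (t := TUNNEL.match(msg)):
            f["tunnel"] = t[1]
        elif (e := ESP.match(msg)):
            f["peer"], f["local"] = e[1], e[2]
        elif msg.startswith("Denied by"):
            f["denied"] = msg
    return flows


def check_vip_into_tunnel(f, vip_extip, tunnel):
    """Problems that would let a VIP flow reach Site B untranslated or outside the tunnel."""
    problems = []
    if f["denied"]:
        problems.append("denied: " + f["denied"])
    if not f["dnat"] or f["dnat"][0] != vip_extip:
        problems.append("no DNAT through the VIP " + vip_extip)
    if not f["snat"] or f["snat"][1] != vip_extip:
        problems.append("source not rewritten to the VIP address; "
                        "Site B would have to allow the whole Internet")
    if f["tunnel"] != tunnel:
        problems.append("flow did not enter tunnel " + tunnel)
    return problems


if __name__ == "__main__":
    for tid, f in parse_flow(SAMPLE).items():
        print(tid, f, check_vip_into_tunnel(f, "10.0.18.11", "VPN_to_Atl_36"))
```

An empty list from check_vip_into_tunnel means the trace matches the intended design; any entry names the step that went wrong, which is usually a policy ordering or natip mistake.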
Site B Setup
WAN IP : 10.0.18.45
LAN IP : 10.130.0.45/23
Address Objects
Create Address Objects for Local and Remote subnets.
VPN Configuration
config vpn ipsec phase1
edit "VPN_To_Atl_16"
set interface "port1"
set remote-gw 10.0.18.25
next
end
config vpn ipsec phase2
edit "VPN_To_Atl_16"
set phase1name "VPN_To_Atl_16"
set pfs disable
set replay disable
next
end
Firewall policy
config firewall policy
edit 6
set srcintf "port2"
set dstintf "port1"
set srcaddr "Local_10.130"
set dstaddr "Remote_10.129" "10.0.18.11"
set action ipsec
set schedule "always"
set service "ALL"
set inbound enable
set outbound enable
set vpntunnel "VPN_To_Atl_16"
next
end
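Both scenarios follow the same evaluation order: a VIP, if one matches, is applied first; the first matching policy decides whether the source is rewritten with natip; and the rewritten addresses must still fit the phase2 selectors. The following Python model of that evaluation is an added illustration, not FortiOS code. Its policies mirror scenario 1 on Site A and scenario 2 on both sites, the packets and route lookups are constructed, and the from_tunnel handling of "inbound enable" is a simplification of what the FortiGate does for decrypted traffic.

```python
"""Toy model of FortiGate policy-based IPsec policy matching with a VIP (DNAT),
'natip'/'natoutbound' (SNAT into the tunnel) and phase2 quick-mode selectors.
Added illustration only: not FortiOS code; packets and routes are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass
class Vip:
    extip: str
    mappedip: str
    extport: Optional[int] = None       # None models a one-to-one VIP (no port forwarding)
    mappedport: Optional[int] = None

@dataclass
class Policy:
    pid: int
    srcintf: str
    dstintf: str
    srcaddr: list                       # CIDR strings or "all"
    dstaddr: list                       # CIDR strings, "all" or VIP names
    vpntunnel: str
    natip: Optional[str] = None         # 'set natip A.B.C.D 255.255.255.255'
    natoutbound: bool = False           # 'set natoutbound enable'

ANY = [("0.0.0.0/0", "0.0.0.0/0")]     # what an empty phase2 selector list negotiates

def _matches(addr, entries, vips, orig_dst=None):
    for e in entries:
        if e == "all":
            return True
        if e in vips:                   # a VIP object matches the pre-DNAT destination
            if orig_dst and ip_address(orig_dst) == ip_address(vips[e].extip):
                return True
        elif ip_address(addr) in ip_network(e):
            return True
    return False

def evaluate(src, dst, dport, inintf, policies, vips, route_intf,
             selectors=ANY, from_tunnel=False):
    """Translation chain in the order the page's debug flow shows it:
    VIP/DNAT -> route lookup -> top-down policy match -> encrypt SNAT -> tunnel."""
    t = {"dnat": None, "policy": None, "snat": None, "tunnel": None, "drop": None}
    orig_dst, orig_dport = dst, dport
    for v in vips.values():                                   # fw_pre_route_handler
        if ip_address(dst) == ip_address(v.extip) and v.extport in (None, dport):
            dst, dport = v.mappedip, (v.mappedport or dport)
            t["dnat"] = f"{orig_dst}:{orig_dport}->{dst}:{dport}"
            break
    outintf = route_intf(dst)                                 # vf_ip4_route_input
    for p in policies:                                        # first match wins
        # simplification of 'set inbound enable': decrypted traffic matches in reverse
        sa, da = (p.dstaddr, p.srcaddr) if from_tunnel else (p.srcaddr, p.dstaddr)
        ii, oi = (p.dstintf, p.srcintf) if from_tunnel else (p.srcintf, p.dstintf)
        if (ii, oi) != (inintf, outintf):
            continue
        if not (_matches(src, sa, vips) and _matches(dst, da, vips, orig_dst)):
            continue
        t["policy"] = p.pid
        if p.natoutbound and p.natip and not from_tunnel:     # "encrypt SNAT"
            t["snat"] = f"{src}->{p.natip}"
            src = p.natip
        # selectors must cover the post-NAT addresses, or no SA exists to carry them
        if any(ip_address(src) in ip_network(s) and ip_address(dst) in ip_network(d)
               for s, d in selectors):
            t["tunnel"] = p.vpntunnel
        else:
            t["drop"] = f"no phase2 selector covers {src}->{dst}"
        return t
    t["drop"] = "no matching policy (implicit deny)"
    return t

def site_a_scenario1(selectors=ANY):
    """Scenario 1, Site A: only 10.129.0.24 is rewritten to 20.20.20.20.  Policy 2 must be
    ordered above policy 3, or the broader policy would match first and skip the NAT."""
    pols = [Policy(2, "port2", "port1", ["10.129.0.24/32"], ["10.130.0.0/23"],
                   "VPN_To_Atl36", natip="20.20.20.20", natoutbound=True),
            Policy(3, "port2", "port1", ["10.129.0.0/23"], ["10.130.0.0/23"],
                   "VPN_To_Atl36")]
    return [evaluate(s, "10.130.0.10", 22, "port2", pols, {}, lambda d: "port1", selectors)
            for s in ("10.129.0.24", "10.129.0.50")]

def site_a_scenario2(src="172.26.73.11"):
    """Scenario 2, Site A: an Internet client hits the VIP; DNAT to 10.130.0.44:8080, then
    policy 3 rewrites the client address to 10.0.18.11 before encryption."""
    vips = {"VIP": Vip("10.0.18.11", "10.130.0.44", 8080, 8080)}
    pols = [Policy(2, "port2", "port1", ["10.129.0.0/23"], ["10.130.0.0/23"], "VPN_to_Atl_36"),
            Policy(3, "port1", "port1", ["all"], ["VIP"], "VPN_to_Atl_36",
                   natip="10.0.18.11", natoutbound=True)]
    return evaluate(src, "10.0.18.11", 8080, "port1", pols, vips, lambda d: "port1")

def site_b_scenario2(src):
    """Scenario 2, Site B: the policy only needs 10.0.18.11, not the whole Internet."""
    pols = [Policy(6, "port2", "port1", ["10.130.0.0/23"],
                   ["10.129.0.0/23", "10.0.18.11/32"], "VPN_To_Atl_16")]
    return evaluate(src, "10.130.0.44", 8080, "port1", pols, {}, lambda d: "port2",
                    from_tunnel=True)
```

Calling site_a_scenario1 with a narrow selector pair such as ("10.129.0.0/23", "10.130.0.0/23") makes the translated flow fail the selector check, which is the practical reason the page's phase2 leaves the selectors at 0.0.0.0/0; site_b_scenario2 shows that a client address that was not rewritten would be dropped by Site B's policy.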
DEBUG
How the tunnel and traffic should look when the debug commands are run:
atlantis-svb36 # diagnose vpn tunnel list
list all ipsec tunnel in vd 0
------------------------------------------------------
name=VPN_To_Atl_16 ver=1 serial=2 10.0.18.45:0->10.0.18.25:0 lgwy=static tun=tunnel mode=auto bound_if=2
proxyid_num=1 child_num=0 refcnt=7 ilast=1 olast=1
stat: rxp=90 txp=42 rxb=10992 txb=2332
dpd: mode=active on=1 idle=5000ms retry=3 count=0 seqno=1551
natt: mode=none draft=0 interval=0 remote_port=0
proxyid=VPN_To_Atl_16 proto=0 sa=1 ref=2 serial=2
src: 0:0.0.0.0/0.0.0.0:0
dst: 0:0.0.0.0/0.0.0.0:0
SA: ref=3 options=0000000c type=00 soft=0 mtu=1438 expire=40739/0B replaywin=0 seqno=18
life: type=01 bytes=0/0 timeout=43174/43200
dec: spi=103b3c89 esp=aes key=16 cbf7c9c4d2516b12a73b88918f4eb153
ah=sha1 key=20 ad171e92b5d5b75a831861ebe401f40991cf2185
enc: spi=9af30383 esp=aes key=16 9699fa30efc110c9cc335b23806a731d
ah=sha1 key=20 6cf7508c489d4d8fe71a514dd2136945375771f0
dec:pkts/bytes=40/2212, enc:pkts/bytes=23/2616
Debug Flow on the Site B (the decrypted packet arrives from 10.0.18.11, the translated source, and is routed to the server on port2):
2015-09-30 02:29:50 id=20085 trace_id=406 func=print_pkt_detail line=4420 msg="vd-root received a packet(proto=6, 10.0.18.11:51279->10.130.0.44:8080) from port1. flag [S], seq 1577468677, ack 0, win 8192"
2015-09-30 02:29:50 id=20085 trace_id=406 func=init_ip_session_common line=4569 msg="allocate a new session-000003cc"
2015-09-30 02:29:50 id=20085 trace_id=406 func=vf_ip4_route_input line=1596 msg="find a route: flags=00000000 gw-10.130.0.44 via port2"
2015-09-30 02: