Description |
This article describes how to advertise NATted IPs into the BGP routing table. The technique is useful when an IPsec VPN has overlapping subnets on both sites and BGP is used as the routing protocol: the local subnet is source-NATted to a non-overlapping range, and that translated range, rather than the real local subnet, is the prefix advertised to the peer. |
Scope | FortiGate. |
Solution |
The following commands configure an IP pool that NATs the local subnet 192.168.0.0/24 to 10.168.0.0/24. In a fixed-port-range pool, startip/endip is the translated (NATted) range and source-startip/source-endip is the range of original source addresses that will be translated, so the translated range 10.168.0.0/24 is the one that must later be advertised into BGP.

config firewall ippool
    edit "Test"
        set type fixed-port-range
        set startip 10.168.0.1            <----- Translated (NATted) range 10.168.0.0/24, the prefix to advertise in BGP
        set endip 10.168.0.254
        set source-startip 192.168.0.1    <----- Original source range, the local LAN 192.168.0.0/24
        set source-endip 192.168.0.254
        set arp-reply disable             <----- The pool addresses are only reached through the tunnel, so the FortiGate does not answer ARP for them
    next
end
The following commands advertise the NATted prefix 10.168.0.0/24 into BGP. The prefix is neither a connected network nor otherwise present in the FortiGate routing table, and by default BGP only announces a 'network' prefix that exists in the routing table, so network-import-check has to be disabled.

config router bgp
    set as 65000
    set router-id 1.1.1.1
    set network-import-check disable    <----- Must be disabled when there is no active route for 10.168.0.0/24 in the FortiGate routing table
    config neighbor
        edit "169.14.30.10"
            set remote-as 65000
            set local-as 65001
        next
    end
    config network
        edit 1
            set prefix 10.168.0.0 255.255.255.0
        next
    end
end
Instead of disabling network-import-check, it is possible to configure a static route to a blackhole for the NATted prefix:

config router static
    edit 0                              <----- 0 assigns the next free sequence number
        set dst 10.168.0.0 255.255.255.0
        set blackhole enable
    next
end

This installs the prefix in the RIB, so BGP can announce it via the network command while network-import-check stays at its default (enable). Confirm that the prefix is present in the routing table:

# get router info routing-table details 10.168.0.0/24
Routing table for VRF=0
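Neither of the snippets above translates any traffic by itself: the IP pool only takes effect once a firewall policy references it with NAT enabled. The following is an added example, not part of the original article, showing the policy that applies the "Test" pool to traffic from the local LAN into the IPsec tunnel, followed by the commands used to check that the pool is active and that the NATted prefix is actually being sent to the peer. The interface names "port1" and "to_remote_site", the address object name and the policy name are assumptions chosen for illustration; the pool name, prefix and neighbor address are the ones used on this page.

```text
# Address object for the real local LAN (name is an assumption)
config firewall address
    edit "LAN-192.168.0.0"
        set subnet 192.168.0.0 255.255.255.0
    next
end

# Policy from the LAN interface into the IPsec tunnel interface.
# "port1" and "to_remote_site" are assumed interface names; replace them
# with the actual LAN port and phase1-interface name.
config firewall policy
    edit 0
        set name "LAN-to-remote-NAT"
        set srcintf "port1"
        set dstintf "to_remote_site"
        set srcaddr "LAN-192.168.0.0"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable            <----- Without nat enable the pool is never consulted
        set ippool enable
        set poolname "Test"       <----- The fixed-port-range pool defined above
    next
end

# Verification
# Pool definition as loaded by the firewall
diagnose firewall ippool-all list
# Prefix present in the local BGP table (requires network-import-check disable
# or the blackhole route, otherwise the network statement is silently ignored)
get router info bgp network
# Prefix actually advertised to the peer
get router info bgp neighbors 169.14.30.10 advertised-routes
```

If 10.168.0.0/24 shows up in `get router info bgp network` but not in the advertised-routes output, check the outbound route-map or prefix-list on the neighbor before revisiting the NAT configuration; if it is missing from the BGP table entirely, the network-import-check or blackhole step has not been applied.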