FortiGate
KumarV
Staff
Article Id 358210
Description

This article describes how to advertise NATted IPs into the BGP routing table. This is useful when an IPsec VPN has overlapping subnets at both sites and BGP is used as the routing protocol over the tunnel: the local subnet is presented to the remote site under a translated (NATted) prefix, and that prefix must be advertised so the remote peer routes to it.

Scope

FortiGate.
Solution

The following commands configure an IP pool that source-NATs the local subnet 192.168.0.0/24 to 10.168.0.0/24. The pool covers only the outbound (source NAT) direction; the inbound mapping from 10.168.0.x back to the real 192.168.0.x addresses is done with a VIP, as in the related article below. In a fixed-port-range pool, startip/endip is the translated (external) range and source-startip/source-endip is the real (internal) range being translated.

 

config firewall ippool
    edit "Test"
        set type fixed-port-range
        set startip 10.168.0.1           <----- Translated range that the remote site will see
        set endip 10.168.0.254
        set source-startip 192.168.0.1   <----- Real local range, translated 1:1 by host
        set source-endip 192.168.0.254
        set arp-reply disable            <----- Pool addresses are not on a connected interface, so no ARP reply is needed
    next
end

 

The following commands advertise the NATted prefix into BGP.

 

config router bgp
    set as 65000
    set router-id 1.1.1.1
    set network-import-check disable    <----- Needed only if there is no active route for 10.168.0.0/24 in the FortiGate routing table (see the blackhole alternative below)
    config neighbor
        edit "169.14.30.10"
            set remote-as 65000
            set local-as 65001
        next
    end
    config network
        edit 1
            set prefix 10.168.0.0 255.255.255.0
        next
    end
end

 

 

Instead of disabling network-import-check (a global BGP setting: once disabled, every configured network statement is advertised whether or not the prefix is reachable), it is possible to satisfy the check by installing a static route to a blackhole:

 

config router static
    edit 22
        set dst 10.168.0.0 255.255.255.0
        set blackhole enable
        set vrf 0
    next
end

 

This installs the prefix in the RIB, so BGP can announce it with the network statement while network-import-check stays enabled. The blackhole also has a useful side effect: a packet for a 10.168.0.0/24 address that is not matched by a VIP or an existing session is dropped locally rather than being forwarded over a less specific route such as the default.

 

# get router info routing-table details 10.168.0.0/24

Routing table for VRF=0
Routing entry for 10.168.0.0/24
Known via "static", distance 10, metric 0, best
* directly connected, Null
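As an added worked example (not part of the original article), the following ties the pieces above together: a firewall policy that applies the "Test" pool to traffic leaving through the VPN tunnel, followed by the CLI checks that confirm the prefix is in the BGP table and is actually sent to the neighbor. The interface names port1 and "to_siteB", the address objects, and the policy ID are assumptions for illustration; the pool name, neighbor address and prefix are the article's own. The final ippool statistics command is assumed to be available on the running FortiOS release.

```text
# Assumed: local LAN behind port1, IPsec phase1 interface "to_siteB",
# address objects LAN_192.168.0.0 and SiteB_LAN already defined.
config firewall policy
    edit 100
        set name "LAN-to-SiteB-NAT"
        set srcintf "port1"
        set dstintf "to_siteB"
        set srcaddr "LAN_192.168.0.0"
        set dstaddr "SiteB_LAN"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
        set ippool enable
        set poolname "Test"
    next
end

# 1. The blackhole (or any other active route) satisfies network-import-check
get router info routing-table details 10.168.0.0/24

# 2. The prefix is present in the local BGP table
get router info bgp network

# 3. The prefix is really advertised to the peer, not just present locally
get router info bgp neighbors 169.14.30.10 advertised-routes

# 4. After traffic from 192.168.0.x crosses the tunnel, the pool shows translations
diagnose firewall ippool-all stats
```

Check step 3 specifically: a prefix can sit in the local BGP table and still be filtered by an outbound route map or distribute list, so the advertised-routes view is the one that reflects what the remote site will install.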

 

Related article:

Site-to-site VPN with overlapping subnets