Gurpreet_Kaur
Article Id 407478
Description This article describes how to troubleshoot a policy that is not working with Source NAT IP addresses. The policy is created from the LAN to a server via an IPsec tunnel with SNAT enabled, but the user cannot telnet to the server.
Scope FortiGate.
Solution

To resolve the policy not working with Source NAT IP addresses, follow these steps:

  1. Make sure the route to the destination is learned from the correct interface. In this case, the route was learned from BGP via WAN2, while a static route with /16 was created for the destination subnet via the tunnel interface.
  2. Since the route learned from BGP was /32 via WAN2, FortiGate is sending the traffic out via WAN2 instead of the tunnel interface.
  3. Verify that the more specific route (longer subnet mask) takes precedence. A /32 covers exactly one IP address, so it is more specific than /16.
  4. Add a static route for the destination server with /32. This will ensure that the traffic is routed correctly.
  5. After adding the static route, verify that the user can telnet to the server.
  6. The remote side needs to know which source IPs are allowed over the tunnel, which means that the SNAT IP must be part of the Phase 2 selectors.
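The route selection described in steps 1 to 4 and the selector check in step 6, as an added example that is not part of the article: a small routing-table model applying longest prefix match and then administrative distance (FortiOS defaults of 10 for static and 20 for eBGP are assumed), plus a check that the SNAT address falls inside the Phase 2 local selectors. Interface names and addresses are constructed sample values.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    interface: str
    distance: int  # administrative distance: static 10, eBGP 20 (FortiOS defaults)


def select_route(table, dst):
    """Longest prefix match first; equal prefix lengths are decided by lowest distance."""
    candidates = [r for r in table if dst in r.prefix]
    if not candidates:
        return None
    return min(candidates, key=lambda r: (-r.prefix.prefixlen, r.distance))


def snat_allowed(local_selectors, snat_ip):
    """The remote peer only accepts traffic whose source is inside the Phase 2 selectors."""
    return any(snat_ip in sel for sel in local_selectors)


# Constructed sample values (not from the article).
SERVER = ipaddress.IPv4Address("10.20.30.40")
SNAT_IP = ipaddress.IPv4Address("192.0.2.10")

BEFORE = [
    Route(ipaddress.IPv4Network("10.20.0.0/16"), "ipsec-tunnel", 10),   # static /16 via tunnel
    Route(ipaddress.IPv4Network("10.20.30.40/32"), "wan2", 20),         # /32 learned from BGP
]
# Step 4: add a static /32 for the server via the tunnel interface.
AFTER = BEFORE + [Route(ipaddress.IPv4Network("10.20.30.40/32"), "ipsec-tunnel", 10)]

SELECTORS_BAD = [ipaddress.IPv4Network("10.10.0.0/16")]                 # LAN only, SNAT IP missing
SELECTORS_OK = SELECTORS_BAD + [ipaddress.IPv4Network("192.0.2.10/32")]  # SNAT IP added (step 6)


def diagnose(table, selectors):
    """Return (egress interface, SNAT covered by selectors) for the server destination."""
    route = select_route(table, SERVER)
    return (route.interface if route else None, snat_allowed(selectors, SNAT_IP))


if __name__ == "__main__":
    print("before:", diagnose(BEFORE, SELECTORS_BAD))   # ('wan2', False)
    print("after: ", diagnose(AFTER, SELECTORS_OK))     # ('ipsec-tunnel', True)
```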


By following these steps, the policy should now be working correctly with the Source NAT IP addresses.


Related article:

Technical Tip: Implement Source-NAT for IPsec interface