- Forums
- Knowledge Base
- Customer Service
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- Re: DNAT before IPSEC VPN
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
DNAT before IPSEC VPN
Hello,
We have a requirement to create a simple IPSec VPN to another customer who is also using a Fortigate firewall at their end.
However, due to a conflict of subnets in our environment, I need to destination NAT their subnet before it hits the IPSec VPN.
Is this even possible? I was of the view that the remote end would have to NAT their subnet that conflicts with our environment and provide us with a new subnet that we can use to route over IPSec VPN. However, the remote end customer is adamant that this should be done at our end.
So in other words, I need to do a DNAT before the traffic hits the IPSec VPN tunnel from our end.
Can someone please help with this?
Thanks.
Solved! Go to Solution.
2 Solutions
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You need to do both: destination NAT for traffic to the tunnel, and source NAT for traffic from the tunnel.
DNAT is done via VIP, SNAT by ip pool. But you can use VIPs for both.
You've got 2 policies in which you put the NAT into effect.
The egress policy needs a VIP as the destination address, attached to the tunnel interface. Don't use "port forwarding" in it. This way, reply traffic (from remote to your LAN) will be source NATted automatically.
The second policy (ingress) will have to source NAT the remote traffic, and will have to do DNAT to the reply traffic. So this will need a bit of trying out until you get it done (sorry, lack of time).
One last thought: you should NAT 1:1, say a /24 subnet to a /24 subnet. And the (virtual) NAT subnet needs to be known on your FGT, so install a route to it, pointing to the tunnel.
Ede
"Kernel panic: Aiee, killing interrupt handler!"
Ede"Kernel panic: Aiee, killing interrupt handler!"
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
It's not so complicated.
On your side, you only operate with the 10.1.1 subnet. Every host address (like 10.1.1.222) is translated 1:1 into an address in 192.168.1 (like 192.168.1.222). That is, the remote address range is not visible on your side, and can therefore be used for other purposes.
You will have to learn new addresses for the remote hosts, or rather, your DNS.
OTOH, in order that routing on the remote side still be working, your source addresses need to be NATted as well. It might just happen that you use an address from 192.168.1, and that would be confused on the remote side with a local address (and thus not routed back into the tunnel).
So, the remote side will have to deal with, say, the 10.100.1 subnet if it addresses your LAN.
There is a write-up in the Knowledgebase (https://kb.fortinet.com/kb/microsites/search.do?cmd=displayKC&docType=kc&externalId=FD33872) which contains a WORD document with screenshots. This might help to visualize the setup.
Unfortunately, [strike]it contains a grave error in the setup of the second FGT (FG-311B). The VIP on this side must have an 'external IP' of 172.16.201.x, not 172.16.200.x (as this is used on the remote side).[/strike] I was too dumb to understand it properly...worked it through and it will work as documented.
I would strive to use subnet ranges for the 'virtual' subnets as distinct as can be, like for a VPN between a FG-40C and a FG-311B 172.16.40.x and 172.16.31.x, resp.
---------
about DNAT: a VIP not only exchanges the destination IP, but for reply traffic going into the other direction it automatically replaces the source address, so that the 'hidden' server behind the VIP really is hidden. That's what I meant.
Ede
"Kernel panic: Aiee, killing interrupt handler!"
Ede"Kernel panic: Aiee, killing interrupt handler!"
6 REPLIES 6
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You need to do both: destination NAT for traffic to the tunnel, and source NAT for traffic from the tunnel.
DNAT is done via VIP, SNAT by ip pool. But you can use VIPs for both.
You've got 2 policies in which you put the NAT into effect.
The egress policy needs a VIP as the destination address, attached to the tunnel interface. Don't use "port forwarding" in it. This way, reply traffic (from remote to your LAN) will be source NATted automatically.
The second policy (ingress) will have to source NAT the remote traffic, and will have to do DNAT to the reply traffic. So this will need a bit of trying out until you get it done (sorry, lack of time).
One last thought: you should NAT 1:1, say a /24 subnet to a /24 subnet. And the (virtual) NAT subnet needs to be known on your FGT, so install a route to it, pointing to the tunnel.
Ede
"Kernel panic: Aiee, killing interrupt handler!"
Ede"Kernel panic: Aiee, killing interrupt handler!"
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you for providing some good details there.
ede_pfau wrote:
The second policy (ingress) will have to source NAT the remote traffic, and will have to do DNAT to the reply traffic. So this will need a bit of trying out until you get it done (sorry, lack of time).
Although I did lose it a bit in above statement when you mentioned DNAT to reply traffic for second policy (ingress).
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Further to this, if I may add, and I think it is important piece of the question that I should have stated earlier:
- We need to NAT since the original subnet at remote end is a Reserved subnet for our environment.
So, if I were to do DNAT at our end like is being suggested in above post, wouldn't it still mean that my Reserved subnet will effectively be blocked for use in future for the purpose it is reserved for? I mean, say if the customer destination subnet across this VPN tunnel is 192.168.1.0/24 and if it is a Reserved subnet in our environment for internal use, would using DNAT like being suggested, keep the 192.168.1.0/24 available to us when we need in future? To me it seems that by doing DNAT at our end, we would still have to map new subnet that we decide to use (say 10.1.1.0/24) to our Reserved subnet (192.168.1.0/24) and hence the reserved subnet won't be available for future use.
Henceforth I thought the only way to do this if the customer at remote end does a NAT for their 192.168.1.0/24 subnet to another range (say 10.1.1.0/24 again), and inform us of what to route to via the VPN tunnel.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
It's not so complicated.
On your side, you only operate with the 10.1.1 subnet. Every host address (like 10.1.1.222) is translated 1:1 into an address in 192.168.1 (like 192.168.1.222). That is, the remote address range is not visible on your side, and can therefore be used for other purposes.
You will have to learn new addresses for the remote hosts, or rather, your DNS.
OTOH, in order that routing on the remote side still be working, your source addresses need to be NATted as well. It might just happen that you use an address from 192.168.1, and that would be confused on the remote side with a local address (and thus not routed back into the tunnel).
So, the remote side will have to deal with, say, the 10.100.1 subnet if it addresses your LAN.
There is a write-up in the Knowledgebase (https://kb.fortinet.com/kb/microsites/search.do?cmd=displayKC&docType=kc&externalId=FD33872) which contains a WORD document with screenshots. This might help to visualize the setup.
Unfortunately, [strike]it contains a grave error in the setup of the second FGT (FG-311B). The VIP on this side must have an 'external IP' of 172.16.201.x, not 172.16.200.x (as this is used on the remote side).[/strike] I was too dumb to understand it properly...worked it through and it will work as documented.
I would strive to use subnet ranges for the 'virtual' subnets as distinct as can be, like for a VPN between a FG-40C and a FG-311B 172.16.40.x and 172.16.31.x, resp.
---------
about DNAT: a VIP not only exchanges the destination IP, but for reply traffic going into the other direction it automatically replaces the source address, so that the 'hidden' server behind the VIP really is hidden. That's what I meant.
Ede
"Kernel panic: Aiee, killing interrupt handler!"
Ede"Kernel panic: Aiee, killing interrupt handler!"
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you very much for your detailed response again.
The Source IP at our end will be a Public IP so that shouldn't be a problem as far as source NAT requirements are concerned.
The rest of it, I will implement it tomorrow morning and let you know how I go, but seems clear to me now.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Sanket,
Does it worked for you?
Thanks,
Thanigai.R
Related Posts
- Multiple phase 2 selectors needed for... 121 Views
- Remote VPN Issue 98 Views
- IPsec tunnel stability issue - two... 189 Views
- IPSec client is blocked by implicit... 347 Views
- FortiOS 7.2.4 IPSec split-tunnel breaks local... 222 Views
Labels
-
FortiGate
6,496 -
FortiClient
1,298 -
5.2
801 -
5.4
639 -
FortiManager
563 -
6.0
416 -
FortiAnalyzer
413 -
5.6
362 -
FortiAP
333 -
FortiSwitch
332 -
FortiClient EMS
261 -
6.2
251 -
FortiMail
239 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
149 -
6.4
128 -
FortiNAC
104 -
FortiGuard
102 -
FortiGateCloud
87 -
FortiSIEM
86 -
FortiCloud Products
82 -
IPsec
70 -
FortiToken
69 -
Customer Service
69 -
4.0MR3
64 -
SSL-VPN
58 -
Wireless Controller
58 -
FortiProxy
44 -
FortiADC
42 -
Fortivoice
41 -
FortiEDR
39 -
FortiGate v5.4
34 -
FortiDNS
34 -
FortiExtender
31 -
FortiSandbox
31 -
FortiSwitch v6.4
28 -
FortiConnect
23 -
SD-WAN
23 -
FortiWAN
22 -
Firewall policy
22 -
FortiConverter
21 -
High Availability
20 -
VLAN
19 -
FortiPortal
18 -
ZTNA
16 -
FortiSwitch v6.2
16 -
FortiGate v5.2
16 -
FortiMonitor
14 -
Certificate
14 -
DNS
13 -
FortiDDoS
13 -
SAML
12 -
BGP
12 -
Routing
12 -
FortiCASB
12 -
Interface
11 -
Logging
11 -
FortiGate v5.0
10 -
FortiRecorder
10 -
VDOM
10 -
FortiWeb v5.0
9 -
LDAP
9 -
FortiManager v5.0
9 -
FortiAuthenticator
9 -
4.0MR2
9 -
RADIUS
8 -
Traffic shaping
8 -
Virtual IP
8 -
NAT
8 -
SSID
7 -
RMA Information and Announcements
7 -
FortiSOAR
7 -
fortilink
7 -
FortiAnalyzer v5.0
7 -
FortiGate v4.0 MR3
7 -
Admin
7 -
4.0
7 -
SSL SSH inspection
6 -
Authentication
6 -
Fortigate Cloud
6 -
IP address management - IPAM
6 -
Security profile
5 -
Traffic shaping policy
5 -
FortiBridge
5 -
SNMP
5 -
SSO
5 -
Application control
5 -
FortiManager v4.0
5 -
Static route
5 -
FortiDirector
4 -
WAN optimization
4 -
Web application firewall profile
4 -
DNS Filter
4 -
FortiTester
4 -
FortiCarrier
4 -
FortiCache
4 -
OSPF
4 -
3.6
4 -
FortiScan
4 -
Proxy policy
4 -
IPS signature
3 -
packet capture
3 -
FortiToken Cloud
3 -
FortiAP profile
3 -
Intrusion prevention
3 -
Automation
3 -
DoS policy
3 -
Port policy
3 -
FortiDB
3 -
FortiDeceptor
2 -
FortiInsight
2 -
VoIP profile
2 -
Antivirus profile
2 -
Web profile
2 -
Traffic shaping profile
2 -
FortiAI
2 -
FortiHypervisor
2 -
Netflow
2 -
Fortinet Engage Partner Program
2 -
trunk
2 -
SDN connector
1 -
4.0MR1
1 -
NAC policy
1 -
Users
1 -
Subscription Renewal Policy
1 -
FortiCWP
1 -
FortiNDR
1 -
Web rating
1 -
FortiPAM
1 -
Application signature
1 -
Multicast routing
1 -
Authentication rule and scheme
1 -
Zone
1 -
FortiManager-VM
1 -
Internet Service Database
1 -
System settings
1 -
Explicit proxy
1 -
TACACS
1
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.