Fortinet Forum
hansmeets
New Contributor

IPsec tunnel with DNAT and SNAT

Hi all,

 

I'm working on a case where I have to replace a current IPsec tunnel with FortiGate HW, where the traffic should be NAT'ed in both directions (I've added a network drawing for clarification).

 

- I have simplified WAN IP addressing for my lab

- SITE B is managed by another company

- Traffic to SITE B is directed to the public IP address (DNAT by firewall B), and only accepted from public range on SITE A (SNAT by firewall A)

- Traffic from SITE B is delivered on the public IP address of SITE A and should be NAT'ed to internal (DNAT)

 

Example:

- 10.200.0.100 delivers a print job to 10.0.0.11, port 10000

- FortiGate in SITE A should DNAT the traffic to 10.100.0.200, port 9100

 

I am unable to get the DNAT into SITE A working. I've tried both Policy-based IPsec and Route-based IPsec.

- With Policy-based IPsec I am unable to select the IPsec tunnel on a policy with WAN as source and LAN as destination (the IPsec selection list is empty), only the other way around. I have referred to https://kb.fortinet.com/kb/documentLink.do?externalID=FD37522 scenario 2, although the VIP should not be wan-wan in my case but wan-lan.

- With Route-based IPsec I can't get it to pass the traffic to 10.0.0.11 and have the firewall take care of the VIP. I keep getting policy violations where the traffic is recognized as coming from WAN instead of the IPsec tunnel.

 

I was hoping that someone might help in this matter! Thanks in advance.

 

emnoc
Esteemed Contributor III

First, you can do DNAT/SNAT in an IPsec tunnel.

 

- What is your configuration, and policy?

- Also, why do you need to DNAT/SNAT in RFC 1918 address space?

- Did you run "diag debug flow"?

Hint: on phase2, when you do NAT make sure you allow the NAT'd address in the phase2 selectors, and with route-based VPN make sure you have a route for the proper NAT'd address.

     

     

Ken Felix

PCNSE
NSE
StrongSwan
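A route-based FortiOS configuration for the SITE A FortiGate that follows the hint above, as an added example that is not part of either post and not the poster's actual configuration. The 10.0.0.0/24 "public" range, 10.0.0.11 port 10000 and 10.100.0.200 port 9100 come from the question; the interface names (wan1, lan, SITEB), the address objects, the remote gateway 203.0.113.2, the proposals and the assumption that site B's hosts appear inside the tunnel as 10.200.0.0/24 are mine. The three points it illustrates: the phase2 selectors carry the NAT'd addresses rather than the internal LAN, the VIP's extintf is the tunnel interface (a VIP bound to wan1 never matches packets arriving through the tunnel, which is what a "coming from WAN" policy violation looks like), and the static route for the remote NAT'd range points at the tunnel interface so the printer's replies go back into the tunnel. Lines starting with # are comments and are not FortiOS commands.

```fortios
# Added example (hypothetical names and addresses, see lead-in).
# SITE A FortiGate: wan1 = Internet uplink, lan = 10.100.0.0/24, SITEB = tunnel interface.

# Phase 1 in interface mode creates the virtual interface "SITEB".
config vpn ipsec phase1-interface
    edit "SITEB"
        set interface "wan1"
        set ike-version 2
        set remote-gw 203.0.113.2
        set proposal aes256-sha256
        set dhgrp 14
        set psksecret "replace-with-a-strong-psk"
    next
end

# Phase 2 selectors: the NAT'd (public) range on our side, site B's range on theirs.
# The other company must configure the mirror image of these selectors.
config vpn ipsec phase2-interface
    edit "SITEB-p2"
        set phase1name "SITEB"
        set proposal aes256-sha256
        set dhgrp 14
        set src-subnet 10.0.0.0 255.255.255.0
        set dst-subnet 10.200.0.0 255.255.255.0
    next
end

config firewall address
    edit "SITEB-net"
        set subnet 10.200.0.0 255.255.255.0
    next
    edit "LAN-net"
        set subnet 10.100.0.0 255.255.255.0
    next
end

# Inbound DNAT: 10.0.0.11:10000 arriving on the tunnel -> 10.100.0.200:9100.
# extintf must be the tunnel interface (or "any"), not wan1.
config firewall vip
    edit "VIP-printer"
        set extintf "SITEB"
        set extip 10.0.0.11
        set mappedip "10.100.0.200"
        set portforward enable
        set protocol tcp
        set extport 10000
        set mappedport 9100
    next
end

# Outbound SNAT: LAN hosts leave the tunnel as 10.0.0.11, inside site A's public range.
config firewall ippool
    edit "SITEA-public"
        set type overload
        set startip 10.0.0.11
        set endip 10.0.0.11
    next
end

# Route for the remote NAT'd range via the tunnel interface (reply traffic from the printer).
config router static
    edit 0
        set dst 10.200.0.0 255.255.255.0
        set device "SITEB"
    next
end

config firewall policy
    edit 0
        set name "SITEB-to-printer"
        set srcintf "SITEB"
        set dstintf "lan"
        set srcaddr "SITEB-net"
        set dstaddr "VIP-printer"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
    edit 0
        set name "LAN-to-SITEB"
        set srcintf "lan"
        set dstintf "SITEB"
        set srcaddr "LAN-net"
        set dstaddr "SITEB-net"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
        set ippool enable
        set poolname "SITEA-public"
        set logtraffic all
    next
end

# Verify a print job from 10.200.0.100: the trace should show the packet entering on SITEB,
# the VIP translating 10.0.0.11:10000 -> 10.100.0.200:9100, and policy "SITEB-to-printer".
diagnose debug flow filter addr 10.0.0.11
diagnose debug flow filter port 10000
diagnose debug enable
diagnose debug flow trace start 10
# send the job from site B, then:
diagnose debug disable
diagnose debug flow filter clear
```

Two things to check against the site B side, since that firewall is managed by another company: the phase2 selectors have to agree exactly with what firewall B proposes (if it expects the single host 10.0.0.11/32 rather than the /24, narrow src-subnet accordingly), and 10.0.0.11 does not need to be an address configured on any interface for the VIP to answer for it, as the FortiGate translates any packet that arrives on extintf with that destination. If the debug flow trace shows the packet entering on wan1 rather than SITEB, the packet is not being decrypted by this tunnel at all, which points at a selector mismatch rather than at the VIP or policy.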