Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
aproost
New Contributor

Conflicting IP range in IpSec Tunnel Site-to-Site

Hello,

We got two Customers that want to connect to our Datacentre. But both customers have the same IP-Range and both don't wanna change the IP-range. See image/attachment.

All Firewalls are Fortigates, except Customer 1.

What is working now:

-Customer 1 : Connects to Vlan1001 only.
-Customer 2 / Site 2 : Connect to Vlan1002 only.
-Customer 2 / Site 3 : Connect to Vlan1002 only.
-Customer 2, Connection Site 1 to 2 - Connection Site 2 - 3 - Connection Site 1 - 3 

aproost_1-1675783571677.png

 

How can I resolve this for Customer 2 Site 1 and keep the Site-to-Site connections for Site 1 - 2 -3?

 

4 REPLIES 4
gfleming
Staff
Staff

It depends on which resources are being accessed over the VPN. If it's just Customer X accessing resources on your side then you can just use source NAT on your Firewall Policies to masquerade their real overlapping IP addresses.

 

If you are also accessing (and initiating connections to) resources in their environment you can use DNAT rules in a similar fashion.

Cheers,
Graham
Debbie_FTNT
Staff
Staff

In addition to Graham's update on using source NAT and destination NAT where appropriate, we have somewhat related configuration example:

https://docs.fortinet.com/document/fortigate/6.2.12/cookbook/426761/site-to-site-vpn-with-overlappin...

While this is for a somewhat older firmware version, the configuration steps should have remained largely the same.

+++ Divide by Cucumber Error. Please Reinstall Universe and Reboot +++
aproost
New Contributor

-Customer 1 must only access Vlan1001
-Customer 2 (all three sites) must only access Vlan1002

 

Because Customer 1 and Customer 2 (Site1) have the same LAN address. But they don't need to access eachother. If i'm changing only Site 1, do I have to change Site 2 and 3 also?

 

gfleming

The requirements simplify things quite a bit. Indeed you only need to SNAT Customer 1's traffic. Customer 2's traffic can be left alone.

 

So if it's all just inbound traffic from Customer 1 (nothing initiated from your side to them), just enable NAT on the FW Policy that allows them to access VLAN1001.

Cheers,
Graham
Labels
Top Kudoed Authors