Hello,
We have two customers that want to connect to our datacentre, but both customers have the same IP range and both don't want to change the IP range. See image/attachment.
All Firewalls are Fortigates, except Customer 1.
What is working now:
- Customer 1: connects to Vlan1001 only.
- Customer 2 / Site 2: connects to Vlan1002 only.
- Customer 2 / Site 3: connects to Vlan1002 only.
- Customer 2: connection Site 1 to 2, connection Site 2 to 3, connection Site 1 to 3.

How can I resolve this for Customer 2 Site 1 and keep the Site-to-Site connections for Site 1 - 2 - 3?
It depends on which resources are being accessed over the VPN. If it's just Customer X accessing resources on your side then you can just use source NAT on your Firewall Policies to masquerade their real overlapping IP addresses.
If you are also accessing (and initiating connections to) resources in their environment you can use DNAT rules in a similar fashion.
In addition to Graham's update on using source NAT and destination NAT where appropriate, we have a somewhat related configuration example:
While this is for a somewhat older firmware version, the configuration steps should have remained largely the same.
- Customer 1 must only access Vlan1001
- Customer 2 (all three sites) must only access Vlan1002

Because Customer 1 and Customer 2 (Site 1) have the same LAN address. But they don't need to access each other. If I'm changing only Site 1, do I have to change Site 2 and 3 also?
The requirements simplify things quite a bit. Indeed you only need to SNAT Customer 1's traffic. Customer 2's traffic can be left alone.
So if it's all just inbound traffic from Customer 1 (nothing initiated from your side to them), just enable NAT on the FW Policy that allows them to access VLAN1001.
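The policy described in the reply above, written out as a FortiOS CLI fragment. This is an added example, not part of the original thread; the policy ID, the interface names `cust1-vpn` and `vlan1001`, and the address object `vlan1001-servers` are placeholders for whatever exists on the datacentre FortiGate.

```text
# Added example: all names and the policy ID below are placeholders.
# Inbound-only access for Customer 1, source-NATed so the overlapping
# customer LAN range never appears on VLAN1001.
config firewall policy
    edit 101
        set name "cust1-to-vlan1001"
        set comments "SNAT Customer 1 behind the VLAN1001 interface address"
        # Customer 1's IPsec tunnel interface (placeholder name)
        set srcintf "cust1-vpn"
        # Interface for VLAN1001 (placeholder name)
        set dstintf "vlan1001"
        set srcaddr "all"
        # Address object limiting the destination to VLAN1001 hosts (placeholder)
        set dstaddr "vlan1001-servers"
        set action accept
        set schedule "always"
        set service "ALL"
        # Translate the source to the egress interface address
        set nat enable
    next
end
```

As long as no policy exists from the Customer 1 tunnel interface to the VLAN1002 interface, that traffic falls through to the implicit deny, which keeps Customer 1 confined to Vlan1001.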