Hi,
New to the forum and fortigate products. I was wondering if anyone can help? I have a scenario that is driving me up the wall. I have a IPSEC to a third party but their address space overlaps with my own. I want to mask the 3rd parties address by passing it through a NAT so it' s routable on my network. As of yet I have had limited success i.e it being unidirectional.
I have attached an image of what I' m trying to do and would appreciate any feedback anyone can offer.
Thanks
Okay here' s what I would do. Forgive me for my abruptness int he cfg since I build this cfg during intervals of me upgrading cisco ASA
I hope I' m clear and didn' t missed anything. Keep in mind you need to adjust the phase2 proxy-id to match the Src and Dst address of the real traffic expected. In this case, I' m using 9.9.9.9 on the right side. I' m assuming the " 3rd party" firewall admin has already NAT' d the 10.10.10.x into the 8.8.8.8.
1st
Let' s fix up the vpn-p2 traffic from 8.8.8.8 <----> 9.9.9.9, 9.9.9.9 will be my vip and ippool later on in this cfg.
config vpn ipsec phase2-interface
edit " 3rd Party P2"
set keepalive enable
set pfs disable
set phase1name " 3rd Party"
set proposal aes128-sha1
set dst-subnet 8.8.8.8 255.255.255.255
set keylifeseconds 3600
set src-subnet 9.9.9.9 255.255.255.255 â†- change this to your SNAT
next
end
2nd
Next on the vip let’s change some stuff & you only need one for the DNAT. This a static VIP mapped 1-2-1
config firewall vip
edit " right-side"
set extip 9.9.9.9-9.9.9.9
set color 12
set comment “ my 1-2-1 VIP adjust it to whatever if requiredâ€
set extintf " 3rd Party" â†since you have rt-based vpn put the interface
set mappedip 10.10.10.100-10.10.10.100 [B â†--this is DNAT so put the real address
next
You could also built this as a 1 on 1 mapping ;
9.9.9.1 >>>>>>> 10.10.10.1
9.9.9.2 >>>>>>> 10.10.10.2
9.9.9.3 >>>>>>> 10.10.10.3
9.9.9.4 >>>>>>> 10.10.10.4
and so on......
3rd
Now let’s make a pool & some firewall address that we will throw into the firewall policies;
A overload ippool for nat so you could map all of the 10.10.10.0/24 address space if required
config firewall ippool
edit " 9_9_9_9"
set startip 9.9.9.9
set endip 9.9.9.9
set comments " this is for SNAT\' ing the right side 10.10.10.0/24 "
next
end
and
config firewall address
edit MYLAN
set subnet 10.10.10.0/24
next
edit HOST_8_8_8_8
set subnet 8.8.8.8/32
set comment “ 8.8.8.8 on the left sideâ€
end
Now let’s tie up the final firewall policies to allow the right-side to access the network ( 8.8.8.8 ) on the left-side. You will adjust the policies for whatever services you need.
config firewall policy
edit 0
set srcintf " internal1"
set dstintf " 3rd Party"
set srcaddr " MYLAN1"
set dstaddr " HOST_8_8_8_8"
set action accept
set schedule " always"
set service " ALL"
set nat enable
set ippool enable
set poolname " 9_9_9_9" â†--install ippool here
next
and for traffic from 3rd party to you over the tunnel ( route-based vpn )
config firewall policy
edit 0
set dstintf " internal1"
set srcintf " 3rd Party"
set srcaddr " HOST_8_8_8_8"
set srcaddr " right-side" <----our vip
set action accept
set schedule " always"
set service " ALL"
next
I hope that clears it up. Remember to run diag debug flow if your have problems with connectivity
I hope I' m clear and didn' t missed anything. Keep in mind you need to adjust the phase2 proxy-id to match the Src and Dst address of the real traffic expected. In this case, I' m using 9.9.9.9 on the right side. I' m assuming the " 3rd party" firewall admin has already NAT' d the 10.10.10.x into the 8.8.8.8.
1st
Let' s fix up the vpn-p2 traffic from 8.8.8.8 <----> 9.9.9.9, 9.9.9.9 will be my vip and ippool later on in this cfg.
config vpn ipsec phase2-interface
edit " 3rd Party P2"
set keepalive enable
set pfs disable
set phase1name " 3rd Party"
set proposal aes128-sha1
set dst-subnet 8.8.8.8 255.255.255.255
set keylifeseconds 3600
set src-subnet 9.9.9.9 255.255.255.255 â†- change this to your SNAT
next
end
2nd
Next on the vip let’s change some stuff & you only need one for the DNAT. This a static VIP mapped 1-2-1
config firewall vip
edit " right-side"
set extip 9.9.9.9-9.9.9.9
set color 12
set comment “ my 1-2-1 VIP adjust it to whatever if requiredâ€
set extintf " 3rd Party" â†since you have rt-based vpn put the interface
set mappedip 10.10.10.100-10.10.10.100 [B â†--this is DNAT so put the real address
next
You could also built this as a 1 on 1 mapping ;
9.9.9.1 >>>>>>> 10.10.10.1
9.9.9.2 >>>>>>> 10.10.10.2
9.9.9.3 >>>>>>> 10.10.10.3
9.9.9.4 >>>>>>> 10.10.10.4
and so on......
3rd
Now let’s make a pool & some firewall address that we will throw into the firewall policies;
A overload ippool for nat so you could map all of the 10.10.10.0/24 address space if required
config firewall ippool
edit " 9_9_9_9"
set startip 9.9.9.9
set endip 9.9.9.9
set comments " this is for SNAT\' ing the right side 10.10.10.0/24 "
next
end
and
config firewall address
edit MYLAN
set subnet 10.10.10.0/24
next
edit HOST_8_8_8_8
set subnet 8.8.8.8/32
set comment “ 8.8.8.8 on the left sideâ€
end
Now let’s tie up the final firewall policies to allow the right-side to access the network ( 8.8.8.8 ) on the left-side. You will adjust the policies for whatever services you need.
config firewall policy
edit 0
set srcintf " internal1"
set dstintf " 3rd Party"
set srcaddr " MYLAN1"
set dstaddr " HOST_8_8_8_8"
set action accept
set schedule " always"
set service " ALL"
set nat enable
set ippool enable
set poolname " 9_9_9_9" â†--install ippool here
next
and for traffic from 3rd party to you over the tunnel ( route-based vpn )
config firewall policy
edit 0
set dstintf " internal1"
set srcintf " 3rd Party"
set srcaddr " HOST_8_8_8_8"
set srcaddr " right-side" <----our vip
set action accept
set schedule " always"
set service " ALL"
next
I hope that clears it up. Remember to run diag debug flow if your have problems with connectivity
