Support Forum
John_Dunne

Double NAT & Site to Site VPN

Hi guys,


Hoping someone can assist with the following: I need to create a site-to-site VPN, with a requirement to hide my LAN behind a single /32 IP. What is the suggested config to achieve this?


Any advice, suggestions and/or links would be greatly appreciated.


Thanks,

3 REPLIES
ede_pfau

Source NAT is done via "IP pools", which can be defined with a /32 address. You put the IP pool into the policy 'internal' -> 'tunnel', and that's all. IPsec VPNs are handled like (virtual) ports; you can apply all regular features in the policy (like NAT).

'Double NAT' doesn't ring a bell with me in this scenario but you may post if anything is missing.

Ede Kernel panic: Aiee, killing interrupt handler!
John_Dunne

That worked perfectly! Thank you.


Another question, if I may: if I take this a step further and NAT the destination address from 192.168.1.x to an IP address on the same subnet as my IP pool and internal LAN (172.16.1.x), should I use a VIP to NAT the destination IP?


ede_pfau

(sorry, your post skipped me...)

Yes, the feature for Destination NAT is a VIP. You can use VIPs on the policy 'internal' to 'tunnel' to achieve this.

This will work because the FGT will proxy for its VIPs, i.e. answer ARP requests etc.

Double NATting a remote network into the local LAN address range can be tricky though, at least avoid address overlaps.

Ede Kernel panic: Aiee, killing interrupt handler!
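As an added example that is not part of the original thread, here is the FortiOS CLI form of the two replies above: a one-address IP pool as the /32 hiding address on the 'internal' -> 'tunnel' policy, plus a VIP for the destination NAT. Interface names ("port1", "toRemote"), the address object "lan-172.16.1.0", and all IP addresses are assumptions chosen to match the subnets mentioned in the thread.

```fortios
# Added example, not the poster's config. Assumed: port1 = LAN, toRemote =
# IPsec phase1-interface, 172.16.1.0/24 = local LAN, 172.16.1.250 = the single
# /32 the LAN is hidden behind, 192.168.1.40 = a host on the remote side.

# 1. Source NAT: an IP pool whose start and end are the same address is the /32.
config firewall ippool
    edit "vpn-hide-32"
        set type overload
        set startip 172.16.1.250
        set endip 172.16.1.250
    next
end

# 2. Destination NAT (the follow-up question): a VIP that presents the remote
#    host under a local-range address. extintf is the LAN side, so the FGT
#    answers ARP for 172.16.1.40 there. Pick an address no real LAN host uses,
#    as the reply's "avoid address overlaps" warns.
config firewall vip
    edit "remote-host-dnat"
        set extintf "port1"
        set extip 172.16.1.40
        set mappedip "192.168.1.40"
    next
end

# 3. LAN -> tunnel policy: source is the real LAN, destination is the VIP,
#    NAT enabled with the pool selected so every flow leaves as 172.16.1.250.
config firewall policy
    edit 0
        set name "lan-to-vpn-hidden"
        set srcintf "port1"
        set dstintf "toRemote"
        set srcaddr "lan-172.16.1.0"
        set dstaddr "remote-host-dnat"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
        set ippool enable
        set poolname "vpn-hide-32"
    next
end
```

Because the remote peer only ever sees 172.16.1.250, the phase2 selectors on both ends must describe that /32 (and the real remote subnet), not the full 172.16.1.0/24; a check after applying is that `diagnose sys session list` shows the translated source address on tunnel sessions.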