Hi guys,
Hoping someone can assist with the following: I need to create a site to site VPN, with a requirement to hide my LAN behind a single /32 IP. What is the suggested config to achieve this?
Any advice, suggestions and/or links would be greatly appreciated.
Thanks,
Source NAT is done via "IP pools" which can be defined with a /32 address. You put the IP pool into the policy 'internal' -> 'tunnel', and that's all. IPsec VPNs are handled like (virtual) ports, you can apply all regular features in the policy (like NAT).
'Double NAT' doesn't ring a bell with me in this scenario but you may post if anything is missing.
That worked perfectly ! Thank you.
Another question, if I may. If I take this a step further and NAT the destination address from 192.168.1.x to an IP address on the same subnet as my IP pool and internal LAN 172.16.1.x, should I use a VIP to NAT the destination IP?
(sorry, your post skipped me...)
Yes, the feature for Destination NAT is a VIP. You can use VIPs on the policy 'internal' to 'tunnel' to achieve this.
This will work because the FGT will proxy for its VIPs, i.e. answer ARP requests etc.
Double NATting a remote network into the local LAN address range can be tricky though, at least avoid address overlaps.
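As an added illustration of both answers above (not config posted by anyone in this thread), here is a FortiOS CLI fragment that does the two things discussed: it hides the local LAN behind a single /32 IP pool on the LAN-to-tunnel policy, and it uses a VIP on the same policy to present a remote host under an address in the local range. Every name and address is constructed for the example: the tunnel interface `VPN-REMOTE`, the LAN interface `internal`, the LAN 172.16.1.0/24, the pool address 10.200.0.1, the remote host 192.168.1.10 and the local-side alias 172.16.1.250. Adjust them to your own design; in particular the VIP's external address must be a free address on the LAN subnet, otherwise you get exactly the overlap the answer warns about.

```text
# Constructed example, not from the original post.
# Assumes an existing route-based (interface mode) IPsec tunnel "VPN-REMOTE".

# 1. Address object for the local LAN
config firewall address
    edit "LAN-172.16.1.0"
        set subnet 172.16.1.0 255.255.255.0
    next
end

# 2. Single-address IP pool: the whole LAN will appear to the peer as 10.200.0.1
config firewall ippool
    edit "SNAT-VPN-32"
        set type overload
        set startip 10.200.0.1
        set endip 10.200.0.1
    next
end

# 3. VIP: LAN hosts address the remote 192.168.1.10 as 172.16.1.250.
#    The FortiGate answers ARP for 172.16.1.250 on the LAN (arp-reply is on by default).
config firewall vip
    edit "DNAT-REMOTE-HOST"
        set extip 172.16.1.250
        set extintf "any"
        set mappedip "192.168.1.10"
    next
end

# 4. Policy internal -> tunnel: VIP as destination (DNAT) plus IP pool as source (SNAT)
config firewall policy
    edit 0
        set name "LAN-to-VPN-hidden"
        set srcintf "internal"
        set dstintf "VPN-REMOTE"
        set srcaddr "LAN-172.16.1.0"
        set dstaddr "DNAT-REMOTE-HOST"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
        set ippool enable
        set poolname "SNAT-VPN-32"
    next
end

# 5. Route the remote range into the tunnel so the policy above is ever hit
config router static
    edit 0
        set dst 192.168.1.0 255.255.255.0
        set device "VPN-REMOTE"
    next
end
```

Two points worth checking after applying this. First, the phase 2 selectors on the tunnel are evaluated after NAT, so the local selector has to cover the pool address (10.200.0.1/32 in this example), not the 172.16.1.0/24 LAN; the peer, correspondingly, only ever sees that single /32 and needs no route to your real LAN. Second, because the VIP is only referenced on the internal-to-tunnel policy, nothing is exposed in the reverse direction; if the remote side must initiate connections to your hosts, that requires a separate tunnel-to-internal policy and should be decided deliberately rather than implied by the VIP.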
Copyright 2024 Fortinet, Inc. All Rights Reserved.