Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
New Contributor

External IP maps to other end of the VPN site-to-site



I'm not sure if I maybe overthinking it, but is there a way to map an external IP in location A to an internal IP in location B over site-to-site VPN tunnel? I believe Ext IP has to be allowed in location B's firewall, correct? Unless, I can somehow mask it to go through the tunnel as part of the remote subnet to location B?




Valued Contributor



Yes, that is very easy to do. However, the server on the "other" side (Site B), must be able to route back through the tunnel.


An example:

A client on the internet with IP connects to firewall A.

Firewall A has a VIP which will point to an Internal IP in Site B,

The server in Site B with IP, will see the source IP, and will send his reply to (default gateway), if firewall B will have a default route to the internet with, the client will never receive the reponse, as it would go out on the internet, and come from a different IP.

To solve this, you would need to NAT in firewall A, to lets say

Then the Server in Site B will see as source IP, and will route that back over the VPN tunnel, because in this example is a known network in Site A.

The downside to this is that you will only see as source IP in the server logs, but it will work.


I hope it was understandable :)

FortiGate 200A/B, 224B, 110C, 100A/D, 80C/CM/Voice, 60B/C/CX/D, 50B, 40C, 30B
FortiAnalyzer 100B, 100C
FortiMail 100,100C
FortiManager VM
FortiAuthenticator VM
FortiAP 220B/221B, 11C

FCNSA, FCNSP---FortiGate 200A/B, 224B, 110C, 100A/D, 80C/CM/Voice, 60B/C/CX/D, 50B, 40C, 30BFortiAnalyzer 100B, 100CFortiMail 100,100CFortiManager VMFortiAuthenticator VMFortiTokenFortiAP 220B/221B, 11C

Thanks Selective!


I understand the concept but for whatever reason I can't make it to work. Here's what I'm doing:

Site A is (allows all traffic through the tunnel). External IP

Site B is (allows all traffic through the tunnel). Internal host

I created an IP address IP1 in Fortigate (Addresses), I created VIP1> and VIP2>

I build 2 policies:

NAT1 -  WAN->MGMT - External source -> VIP 1

NAT2 - MGMT->Tunnel - IP1 -> VIP 2


From what I understand, I'm getting a packet with as the source in my WAN. It than being NATted into, and then it is being NATted again from to and being sent across the tunnel.


Let me know if my thought process is correct.

New Contributor

Still can't get it to work. Would someone be able to pin point me at what am I doing wrong here?


Seems like Selective hasn't been back online since his last reply.


Top Kudoed Authors