Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
gateberg77
New Contributor II

Fortigate 40F Policy Based S2S with Source NAT

Hello,

i am trying to setup a VPN Site2Site connection, policy based with source NAT.

 

Fortigate 40F, v7.2.4

The target network is a customer network and cannot be configured.

 

I'm basically following the tutorial in this article (Scenario A)

https://community.fortinet.com/t5/FortiGate/Technical-Note-Policy-Based-IPsec-VPN-Using-Source-NAT-a...

 

The topology looks like this (where SiteB is Customer), and the NATting should only be done for the 10.129.0.24 IP Address (in my case, cus_local_subnet_1)

Screenshot 2023-05-16 at 13.00.55.png

Despite the article instructions, i'm doing the configuration from the Web Interface.

 

The VPN Tunnel is up and running for Phase 1 and Phase 2:

 

Screenshot 2023-05-16 at 13.09.12.png

 The problem starts, when i want to configure the Firewall policy. If i check "IPSec" in the policy, i loose the option to setup the IP Pool for Nating.

Screenshot 2023-05-16 at 13.04.03.png

 

On the other hand, if i choose "ACCEPT", i can choose the Nating, but i cannot set IPSEC on the policy.

 

Screenshot 2023-05-16 at 13.06.08.png

 

The article does not state how to handle this scenario, with the CLI it seems it can be defined:

 

Screenshot 2023-05-16 at 13.20.04.png

 

How can i bind the IPPool and NAT by also using the IPSEC in the policy?

 

 

5 REPLIES 5
AEK
SuperUser
SuperUser

Hi Gateberg

  1. Try to do it with CLI. Many features available with CLI can't be done with GUI
  2. Article is old, it may be related to FortiOS 5.x. Many commands and methods change between 5.x and 7.2.x. So you can find the right method in FGT 7.2 admin guide
AEK
AEK
gfleming
Staff
Staff

Is there a reason you are you using policy-based ipsec? Can you use route-based?

 

When using route-based you can just create a basic fw policy with SNAT applied for that one device.

Cheers,
Graham
gateberg77
New Contributor II

Route based is not possible, we cannot make changes on the customer site.

 

Maybe the issue starts earlier, as i cannot see any traffic on the tunnel:

Screenshot 2023-05-17 at 11.56.56.png

saneeshpv_FTNT

You may try to use Central NAT for such scenario which will separate NAT from Firewall rules. But this change has to be planned if you are already using NAT in the Firewall rules. 

gfleming

AFAIK route-based vs policy-based is a local construct on the FGT. It's just two different ways of configuring the IPSec tunnel. The remote side does not care what you are using. It's just typically a much easier way to manage and configure the IPSec tunnel on the FGT.

Cheers,
Graham
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors