Fortigate VPN with overlapping subnets - Remote site Internet Access over VPN
I have followed the guide to set up a site-to-site VPN with overlapping subnets, but I need the Branch site's Internet traffic to route back over the VPN between the FortiGates and then go out through another router on that network.
Can anyone help me get this working, as I cannot get the Branch office Internet to work?
This is the guide I followed https://docs.fortinet.com/document/fortigate/7.6.1/administration-guide/426761/site-to-site-vpn-with...
This is the configuration I have
Site 1 - HQ
WAN Router - 192.168.0.1
LAN - 192.168.0.0/24
WAN router has a static route pointing traffic for 10.2.2.0/24 to 192.168.0.11
FortiGate 80F - connected via WAN1 to the LAN above, IP 192.168.0.11
WAN2 IP 192.168.1.129/25, connected to a layer 2 link to the Branch site
SNAT set up to convert 192.168.0.0/24 to 10.1.1.0/24
Site 2 - Branch
FortiGate 30G
LAN - 192.168.0.0/24
SNAT virtual subnet - 10.2.2.0/24
WAN IP 192.168.1.131/25, connected to a layer 2 link to the HQ site
Testing
HQ Fortigate 80F can access internet via HQ WAN Router
Users on HQ LAN can access internet via HQ WAN router
Users on HQ LAN can access devices on Branch LAN via 10.2.2.x IP address
Users on Branch LAN can access devices on HQ LAN
Users on Branch LAN can reach the HQ WAN Router on 192.168.0.1
Users on Branch LAN cannot reach anything external, e.g. 8.8.8.8
Labels: FortiGate, NAT, Static route
So if I understand this correctly, you would like the users in Branch (real net 192.168.0.0/24, NAT'ed to 10.2.2.0/24) to access the Internet via HQ?
If so, you would need:
- a default route towards HQ from Branch (in Branch: 0.0.0.0/0 with next-hop 192.168.1.129, and in HQ a route back to 10.2.2.0/24 with next-hop 192.168.1.131)
- a firewall rule that NATs the traffic from local (Branch) to remote (HQ) into the 10.2.2.0/24 IP pool
- in HQ, a firewall rule from the 10.2.2.0/24 network, source interface VPN-Branch, destination interface WAN and destination address all, with NAT enabled.
Thanks, got it working now. I had the firewall policy set to remote original subnet to HQ virtual with NAT; I changed this to remote original to all and it's working now.
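The routes and policies from the answer above, including the "destination all" change that fixed it, written out as FortiOS CLI. This is an added example, not configuration from the thread or from the Fortinet guide. It assumes interface-mode IPsec tunnels named VPN-HQ (on the Branch 30G) and VPN-Branch (on the HQ 80F), address objects Branch_LAN (192.168.0.0/24) and Branch_Virtual (10.2.2.0/24), an IP pool Branch_Pool, and that the HQ WAN router already routes 10.2.2.0/24 back to 192.168.0.11 as described in the question. The Branch default route is bound to the tunnel interface so Internet-bound traffic is carried inside IPsec rather than in clear over the layer 2 link.

```fortios
# --- Branch FortiGate 30G (example; tunnel and object names are assumptions) ---
config router static
    edit 10
        set dst 0.0.0.0 0.0.0.0
        set device "VPN-HQ"             # default route into the IPsec tunnel, not the raw L2 link
        set comment "Internet via HQ over IPsec"
    next
end
config firewall ippool
    edit "Branch_Pool"
        set type overload               # many-to-many PAT into the virtual subnet
        set startip 10.2.2.1
        set endip 10.2.2.254
    next
end
config firewall policy
    edit 10
        set name "Branch-LAN-to-HQ-and-Internet"
        set srcintf "lan"
        set dstintf "VPN-HQ"
        set srcaddr "Branch_LAN"        # real 192.168.0.0/24 at Branch
        set dstaddr "all"               # "all", not only the HQ virtual subnet, so 8.8.8.8 matches
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
        set ippool enable
        set poolname "Branch_Pool"      # SNAT to 10.2.2.0/24 hides the overlapping subnet
    next
end

# --- HQ FortiGate 80F ---
config router static
    edit 20
        set dst 10.2.2.0 255.255.255.0
        set device "VPN-Branch"         # return path for the Branch virtual subnet
    next
end
config firewall policy
    edit 20
        set name "Branch-to-Internet"
        set srcintf "VPN-Branch"
        set dstintf "wan1"              # toward the HQ WAN router at 192.168.0.1
        set srcaddr "Branch_Virtual"    # 10.2.2.0/24 after Branch SNAT
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable                  # source becomes wan1's 192.168.0.11 on the way out
    next
end
```

Keep the existing Branch-to-HQ-LAN policy above this one, or rely on the single "destination all" policy as the original poster did; either way, only the source interface VPN-Branch and NAT on the HQ side let 10.2.2.x hosts reach the WAN router with a routable return address.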
