Hello,
I am a user of FortiGate 7.4.4. I have an architecture based on a root VDOM, where my WAN connections arrive, and then interconnection links to my child VDOMs (as shown in the diagram in the FortiGate documentation).
My infrastructure is shared with a client. My client wants to set up an IPsec VPN on their VDOM. I followed the configuration available here: https://community.fortinet.com/t5/FortiGate/Technical-Tip-Configuring-IPSec-VPN-tunnels-on-VDOMs-tha...
This configuration is based on a NAT on the root VDOM. My client does not want NAT. How can I completely remove NAT?
Thank you for your help.
If you're hosting your customers with VDOMs, they/you don't want customers sharing the same public IPs. It might/would cause problems when they need to get security audits like PCI-DSS and PEN tests required for the certifications.
You need to get an additional block of public subnet(s) from your internet circuit provider, then assign it to the Vlink/npu-vlink between the root VDOM and the customer VDOMs in the diagram. The link subnet can be as small as a /31 if you use p2p links and static routing, but most ISPs provide something like a /30, /29, /28 or above. You can split a /30 into two /31s and use them for two VDOMs if you want, like in the diagram.
Toshi
Created on 06-26-2024 08:33 AM Edited on 06-26-2024 08:34 AM
I found my previous conversation with another poster for the same or similar issue.
https://community.fortinet.com/t5/Support-Forum/VDOM-configuration/m-p/320577#M243510
Hi @5q46n2te8jPWJY ,
I might have misunderstood your request. Assuming that the non-NATed traffic is routed correctly and both ends can reach each other, you can just disable NAT on the related firewall policies:

    config firewall policy
        edit xx
            set name "outgoing"
            set srcintf "VDOM-link0"
            set dstintf "wan1"
            ...
            # NAT can be disabled from the GUI as well
            set nat disable
        next
    end
Best regards,
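Putting Toshi's advice (a public subnet on the inter-VDOM link) together with the policy-level NAT disable above, here is an added FortiOS CLI example that is not from the original thread. It assumes a vdom-link named "cust1" (interfaces cust10/cust11) already exists, that the ISP allocated the placeholder public /30 203.0.113.0/30, that the customer VDOM "cust1" terminates its IPsec tunnel on cust11 and has a default route via 203.0.113.1, and that the predefined IKE and ESP services are used.

```fortios
# Public /30 on the inter-VDOM link (placeholder addresses, not real ones)
config global
    config system interface
        edit "cust10"
            set vdom "root"
            set ip 203.0.113.1 255.255.255.252
        next
        edit "cust11"
            set vdom "cust1"
            set ip 203.0.113.2 255.255.255.252
        next
    end
end

# Root VDOM: forward the customer's public IP in both directions without NAT
config vdom
    edit root
        config firewall address
            edit "cust1-public"
                set subnet 203.0.113.2 255.255.255.255
            next
        end
        config firewall policy
            edit 10
                set name "cust1-ipsec-out"
                set srcintf "cust10"
                set dstintf "wan1"
                set srcaddr "cust1-public"
                set dstaddr "all"
                set action accept
                set schedule "always"
                set service "IKE" "ESP"
                set nat disable
            next
            edit 11
                set name "cust1-ipsec-in"
                set srcintf "wan1"
                set dstintf "cust10"
                set srcaddr "all"
                set dstaddr "cust1-public"
                set action accept
                set schedule "always"
                set service "IKE" "ESP"
                set nat disable
            next
        end
    next
end
```

With this, the customer's IPsec peer sees 203.0.113.2 directly, and the root VDOM's own WAN address is never shared with the customer.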