Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
5q46n2te8jPWJY
Contributor

Created on ‎06-26-2024 07:06 AM

How to Remove NAT for IPSEC VPN on VDOM in Fortigate 7.4.4?

Hello,

 

I am a user of Fortigate 7.4.4. I have an architecture based on a root VDOM, where my WAN connections arrive, and then interconnection links with my child VDOMs (as shown in this diagram visible in the Fortigate documentation).

 

4b71aa7a1dc7259b927ed41ff8afe22f_Topology_Inter VDOM Routing Ex_Internet access_Updated-01 (1).png

 

My infrastructure is shared with a client. My client wants to set up an IPSEC VPN on their VDOM. I followed the configuration available here: https://community.fortinet.com/t5/FortiGate/Technical-Tip-Configuring-IPSec-VPN-tunnels-on-VDOMs-tha...

 

This configuration is based on a NAT on the root VDOM. My client does not want NAT. How can I completely remove NAT?

 

Thank you for your help.

Labels:
606
0 Kudos
1 Solution
Toshi_Esumi
SuperUser
SuperUser

Created on ‎06-26-2024 08:25 AM Edited on ‎06-26-2024 08:42 AM

If you're hosting your customers with VDOMs, they/you don't want customers sharing the same public IPs. It might/would cause problems when they need to get security audits like PCI-DSS and PEN tests required for the certifications.
You need to get additional block of public subnet(s) from your internet circuit provider, then assign it to the Vlink/npu-vlink between root vdom and the customer vdoms in the diagram. The link subnet can be as small as /31 if you use p2p links and static routing but most ISPs provide like a /30, /29, /28 and above. You can split a /30 to two /31s and use them for two VDOMs if you want, like in the diagram.

Toshi

View solution in original post

582
0 Kudos
3 REPLIES 3
Toshi_Esumi
SuperUser
SuperUser

Created on ‎06-26-2024 08:25 AM Edited on ‎06-26-2024 08:42 AM

If you're hosting your customers with VDOMs, they/you don't want customers sharing the same public IPs. It might/would cause problems when they need to get security audits like PCI-DSS and PEN tests required for the certifications.
You need to get additional block of public subnet(s) from your internet circuit provider, then assign it to the Vlink/npu-vlink between root vdom and the customer vdoms in the diagram. The link subnet can be as small as /31 if you use p2p links and static routing but most ISPs provide like a /30, /29, /28 and above. You can split a /30 to two /31s and use them for two VDOMs if you want, like in the diagram.

Toshi

583
0 Kudos
Toshi_Esumi
SuperUser
SuperUser
In response to Toshi_Esumi

Created on ‎06-26-2024 08:33 AM Edited on ‎06-26-2024 08:34 AM

I found my previous conversation with another poster for the same or similar issue.
https://community.fortinet.com/t5/Support-Forum/VDOM-configuration/m-p/320577#M243510

578
0 Kudos
fricci_FTNT
Staff
Staff

Created on ‎06-26-2024 08:27 AM

Hi @5q46n2te8jPWJY ,

 

I might have misunderstood your request. Assuming that not-NATed traffic is routed correctly and both ends can reach each other, you can just disable NAT on the related firewall policies:

config firewall policy
    edit xx
        set name "outgoing"
        set srcintf "VDOM-link0"
        set dstintf "wan1"
...
        set nat disable #<-----you can disable it from GUI as well
    end

 


Best regards,

---
If you have found a useful article or a solution, please like and accept it to make it easily accessible to others.
581
0 Kudos
Announcements
Check out our Community Chatter Blog! Click here to get involved
Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.