How to Remove NAT for IPSEC VPN on VDOM in Fortigate 7.4.4?
Hello,
I am a user of Fortigate 7.4.4. I have an architecture based on a root VDOM, where my WAN connections arrive, and then interconnection links with my child VDOMs (as shown in this diagram visible in the Fortigate documentation).
My infrastructure is shared with a client. My client wants to set up an IPSEC VPN on their VDOM. I followed the configuration available here: https://community.fortinet.com/t5/FortiGate/Technical-Tip-Configuring-IPSec-VPN-tunnels-on-VDOMs-tha...
This configuration is based on a NAT on the root VDOM. My client does not want NAT. How can I completely remove NAT?
Thank you for your help.
If you're hosting your customers with VDOMs, they/you don't want customers sharing the same public IPs. It might/would cause problems when they need to get security audits like PCI-DSS and pen tests required for the certifications.
You need to get an additional block of public subnet(s) from your internet circuit provider, then assign it to the Vlink/npu-vlink between the root VDOM and the customer VDOMs in the diagram. The link subnet can be as small as a /31 if you use p2p links and static routing, but most ISPs provide something like a /30, /29, /28 or larger. You can split a /30 into two /31s and use them for two VDOMs if you want, like in the diagram.
Toshi
Created on 06-26-2024 08:33 AM, edited on 06-26-2024 08:34 AM
I found my previous conversation with another poster for the same or similar issue.
https://community.fortinet.com/t5/Support-Forum/VDOM-configuration/m-p/320577#M243510
Hi @5q46n2te8jPWJY ,
I might have misunderstood your request. Assuming that not-NATed traffic is routed correctly and both ends can reach each other, you can just disable NAT on the related firewall policies:
config firewall policy
    edit xx
        set name "outgoing"
        set srcintf "VDOM-link0"
        set dstintf "wan1"
        ...
        set nat disable   # you can disable it from the GUI as well
    next
end
Best regards,
If you have found a useful article or a solution, please like and accept it to make it easily accessible to others.
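Putting Toshi's public /31 on the VDOM link together with Dosto's `set nat disable`, as an added FortiOS CLI example that is not from this thread: the link name cust1, the VDOM name customer and the 203.0.113.0/31 addresses are constructed, and it assumes the provider routes that block to wan1.

```fortios
# global: create the inter-VDOM link and put the public /31 on it
config global
    config system vdom-link
        edit "cust1"          # creates cust10 (root side) and cust11 (customer side)
        next
    end
    config system interface
        edit "cust10"
            set vdom "root"
            set ip 203.0.113.0 255.255.255.254   # constructed address
        next
        edit "cust11"
            set vdom "customer"                  # hypothetical customer VDOM
            set ip 203.0.113.1 255.255.255.254   # the customer's IPsec tunnel terminates here
        next
    end
end
# customer VDOM: default route to the root side of the link
config vdom
    edit "customer"
        config router static
            edit 1
                set gateway 203.0.113.0
                set device "cust11"
            next
        end
    next
end
# root VDOM: forward the customer's traffic with NAT disabled
config vdom
    edit "root"
        config firewall policy
            edit 0
                set name "cust1-out"
                set srcintf "cust10"
                set dstintf "wan1"
                set srcaddr "all"
                set dstaddr "all"
                set action accept
                set schedule "always"
                set service "ALL"
                set nat disable   # 203.0.113.1 stays as the source on the WAN
            next
        end
    next
end
```

A matching wan1 to cust10 policy for the inbound IKE and ESP traffic to 203.0.113.1 is still needed in the root VDOM; it is left out here for length.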
