Fortigate 600E
Current: VPN Tunnel Phase1 is UP - Phase2 DOWN.
The catch here is that we need to NAT "something" I don't know how and what to NAT, because on the remote site the 10.220.0.0/16 subnet is already occupied. They suggested another subnet with 10.222.0.0/16. How can I do that?
The connection should be something like that:
Our LAN 10.220.0.0/16 -> Tunnel Interface -> Remote LAN 10.222.0.0/16 -> Remote Server
I don't know how I can configure this. Also I don't know what to use. Is it ippools or vip or something other?
I can not figure this out. Any advice?
Thanks for reading.
Do you mean you have an address overlap, both sides use the same network addressing and you cannot change your local addressing on your side, so you want to NAT your sources ?
This article could be interesting : https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-configure-SNAT-with-IP-pool/ta-p/19...
Thanks... reading and trying now. I will write back.
Sorry, this is too hardcore for me. :(
FortiGate uses four types of IPv4 IP pools:
The type of IP pool depends on the need.
Do you have incoming flows from the remote side to your side, or do you only need to reach some remote resources like webservers, Citrix, etc., through the VPN?
I just need to reach a remote web server. I have now configured it using an ippool with overload. External IP Range 10.222.0.1-10.222.0.50 (just guessed / typed in whatever range, because they said we can use the whole subnet of 10.222.0.0/16)
The remote web server uses another subnet like (example): 7.49.31.128/25
Can you make any sense of that, or do I need to describe it better?
Hey Dominikus,
correct me if I'm wrong - you have a local subnet of 10.220.0.0/16, and on the remote side the same subnet is also in use, right?
So, if you send traffic into the tunnel with a 10.220.x.x source IP, this will cause problems, because the remote side will confuse the traffic with its own subnet?
You will need to hide your 10.220.0.0/16 subnet behind NAT, such as the pool you've already implemented. So, now all traffic from your side will go into the tunnel with a 10.222.0.x source IP address (the pool could go 10.222.0.1-10.222.255.254, if you want to use it fully :).
Now you need to ensure the following is in place:
- the IPSec tunnel has phase2 selectors with 10.222.0.0/16 as local subnet, and the remote server as remote subnet
- your FortiGate has a route to the webserver through the IPSec tunnel
- the remote side has mirrored selectors (10.222.0.0/16 as remote, their web server subnet as local)
- the remote side has a route for 10.222.0.0/16 via IPSec tunnel
With that in place, the web server should become reachable.
Hope this helps :)
Created on 12-29-2021 06:57 AM Edited on 12-29-2021 07:01 AM
Thank you! That worked.
- Phase 2 local subnet set to 10.222.0.0/16 (before it was set to 10.220.0.0/16)
- ippool is overload with 10.222.0.1-10.222.255.254
- outgoing policy is with NAT enabled using the specified ippool
Thank you very much! What a great answer.
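For reference, the setup described in the answer above and confirmed in the reply, written out as FortiOS CLI. This is an added example, not configuration posted by either participant; the interface name "internal", the phase1 name "remote-p1", the object and policy names, and the HTTPS-only service are assumptions, and the remote web server subnet 7.49.31.128/25 is the one given as an example in the thread.

```fortios
# Address objects: the real local LAN and the remote web server subnet.
config firewall address
    edit "lan-10.220"
        set subnet 10.220.0.0 255.255.0.0
    next
    edit "remote-web"
        set subnet 7.49.31.128 255.255.255.128
    next
end
# Overload (PAT) pool: every local 10.220.x.x host leaves the tunnel
# with a 10.222.x.x source, so the remote side never sees 10.220.0.0/16.
config firewall ippool
    edit "vpn-snat-pool"
        set type overload
        set startip 10.222.0.1
        set endip 10.222.255.254
    next
end
# Phase 2 selectors use the NATed subnet as local, not 10.220.0.0/16;
# the remote side must mirror this (10.222.0.0/16 remote, 7.49.31.128/25 local).
config vpn ipsec phase2-interface
    edit "remote-p2"
        set phase1name "remote-p1"
        set src-subnet 10.222.0.0 255.255.0.0
        set dst-subnet 7.49.31.128 255.255.255.128
    next
end
# Route the web server subnet into the tunnel interface.
config router static
    edit 0
        set dst 7.49.31.128 255.255.255.128
        set device "remote-p1"
    next
end
# Outbound policy with NAT enabled and the pool selected; keeping the
# service restricted to what is actually needed limits exposure.
config firewall policy
    edit 0
        set name "lan-to-remote-web"
        set srcintf "internal"
        set dstintf "remote-p1"
        set srcaddr "lan-10.220"
        set dstaddr "remote-web"
        set action accept
        set schedule "always"
        set service "HTTPS"
        set nat enable
        set ippool enable
        set poolname "vpn-snat-pool"
    next
end
```

After applying, `diagnose vpn tunnel list` should show the phase 2 selector as 10.222.0.0/16 to 7.49.31.128/25, and `diagnose sniffer packet remote-p1` should show only 10.222.x.x sources entering the tunnel.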