I wish to get help to set up a VPN with specific NAT requirements

Fortigate 600E


Current: VPN Tunnel Phase1 is UP - Phase2 DOWN.


The catch here is that we need to NAT "something", but I don't know how and what to NAT, because on the remote site the subnet is already occupied. They suggested another subnet with How can I do that?


The connection should be something like that:


Our LAN -> Tunnel Interface -> Remote LAN -> Remote Server


I don't know how I can configure this. Also I don't know what to use. Is it ippools or vip or something else?

I cannot figure this out. Any advice?


Thanks for reading.

Do you mean you have an address overlap, both sides use the same network addressing and you cannot change your local addressing on your side, so you want to NAT your sources?

This article could be interesting:



Thanks... reading and trying now. I will write back.

Sorry, this is too hardcore for me. :(

FortiGate uses four types of IPv4 IP pools:

  • Overload
  • One-to-one
  • Fixed port range
  • Port block allocation

The type of IP pool depends on the need.

Do you have incoming flows from the remote side to your side, or do you only need to reach some remote resources like web servers, Citrix, etc., through the VPN?



I just need to reach a remote web server. I have now configured it using an ippool with overload. External IP Range (just guessed / typed in whatever range because they said we can use the whole subnet of


The remote web server uses another subnet like (example):


Can you make any sense of that, or do I need to describe it better?


Hey Dominikus,

correct me if I'm wrong - you have a local subnet of, and on the remote side the same subnet is also in use, right?
So, if you send traffic into the tunnel with a 10.220.x.x source IP, this will cause problems, because the remote side will confuse the traffic with its own subnet?
You will need to hide your subnet behind NAT, such as the pool you've already implemented. So, now all traffic from your side will go into the tunnel with a 10.222.0.x source IP address (the pool could go, if you want to use it fully :).

Now you need to ensure the following is in place:
- the IPSec tunnel has phase2 selectors with as local subnet, and the remote server as remote subnet
- your FortiGate has a route to the webserver through the IPSec tunnel
- the remote side has mirrored selectors ( as remote, their web server subnet as local)
- the remote side has a route for via IPSec tunnel
With that in place, the web server should become reachable.
Hope this helps :)
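The four points above, written out as FortiOS CLI. This is an added example, not configuration posted by anyone in the thread, and every concrete value is a placeholder: the local LAN is assumed to be 10.220.0.0/24 on an interface named "internal", the existing phase1-interface is assumed to be named "to-remote", the NAT pool is 10.222.0.1-10.222.0.254 (the 10.222.0.x range mentioned above, assumed /24), and the remote web server is stood in for by 192.0.2.10 from the documentation range, since the thread does not show the real address.

```text
# Added example (not from the thread): source-NAT the local LAN into an IPsec tunnel
# so the remote peer only ever sees pool addresses, never the overlapping 10.220.x.x.
# Placeholders: LAN 10.220.0.0/24 on "internal", phase1 "to-remote",
# pool 10.222.0.1-10.222.0.254, remote web server 192.0.2.10/32.

# 1. Overload pool: many local hosts hidden behind the 10.222.0.x range (PAT).
config firewall ippool
    edit "vpn-nat-pool"
        set type overload
        set startip 10.222.0.1
        set endip 10.222.0.254
    next
end

# 2. Phase 2 selectors: local = the NAT pool (not the real LAN), remote = the web server.
#    The remote peer must configure the mirror image: 10.222.0.0/24 as remote, server as local.
config vpn ipsec phase2-interface
    edit "to-remote-p2"
        set phase1name "to-remote"
        set proposal aes256-sha256
        set src-subnet 10.222.0.0 255.255.255.0
        set dst-subnet 192.0.2.10 255.255.255.255
    next
end

# 3. Route the web server into the tunnel interface (device = phase1 name).
config router static
    edit 0
        set dst 192.0.2.10 255.255.255.255
        set device "to-remote"
    next
end

# 4. Address objects used by the policy.
config firewall address
    edit "LAN-10.220.0.0"
        set subnet 10.220.0.0 255.255.255.0
    next
    edit "REMOTE-WEB-SERVER"
        set subnet 192.0.2.10 255.255.255.255
    next
end

# 5. Outbound policy: NAT enabled and the pool selected. Without "set ippool enable"
#    NAT would use the outgoing interface address rather than the pool.
config firewall policy
    edit 0
        set name "LAN-to-remote-web-NAT"
        set srcintf "internal"
        set dstintf "to-remote"
        set srcaddr "LAN-10.220.0.0"
        set dstaddr "REMOTE-WEB-SERVER"
        set action accept
        set schedule "always"
        set service "HTTP" "HTTPS"
        set logtraffic all
        set nat enable
        set ippool enable
        set poolname "vpn-nat-pool"
    next
end
```

Two checks worth running afterwards: `diagnose vpn tunnel list name to-remote` shows the negotiated selectors and whether the phase 2 SA is up, and `diagnose sniffer packet to-remote 'host 192.0.2.10' 4` should show the traffic leaving with a 10.222.0.x source. The "phase 1 up, phase 2 down" symptom from the opening post is what mismatched phase 2 selectors look like, which is why the local selector has to be the pool subnet rather than the real LAN. One caveat: an overload pool only serves sessions initiated from your side, which matches the "only reach a remote web server" requirement; if the remote side ever needs to initiate connections to a local host, that is the VIP (destination NAT) case instead.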

Thank you! That worked.


- Phase 2 local subnet set to (before it was set to

- ippool is overload with

- outgoing policy is with NAT enabled using the specified ippool


Thank you very much! What a great answer.


