IT-Dominikus
New Contributor

I wish to get help to set up a VPN with specific NAT requirements

Fortigate 600E

Current: VPN Tunnel Phase1 is UP - Phase2 DOWN.

The catch here is that we need to NAT "something"; I don't know how and what to NAT, because on the remote site the 10.220.0.0/16 subnet is already occupied. They suggested another subnet, 10.222.0.0/16. How can I do that?

The connection should be something like that:

Our LAN 10.220.0.0/16 -> Tunnel Interface -> Remote LAN 10.222.0.0/16 -> Remote Server

I don't know how I can configure this. Also, I don't know what to use. Is it ippools or vip or something else?

I can not figure this out. Any advice?

Thanks for reading.

mariopugliese
New Contributor III

Do you mean you have an address overlap, i.e. both sides use the same network addressing and you cannot change the local addressing on your side, so you want to NAT your sources?

This article could be interesting : https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-configure-SNAT-with-IP-pool/ta-p/19...

IT-Dominikus

Thanks... reading and trying now. I will write back.

IT-Dominikus
New Contributor

Sorry, this is too hardcore for me. :(

mariopugliese
New Contributor III

FortiGate uses four types of IPv4 IP pools:

  • Overload
  • One-to-one
  • Fixed port range
  • Port block allocation

The type of IP pool depends on the need.

Do you have incoming flows from the remote side to your side, or do you only need to reach some remote resources like web servers, Citrix, etc., through the VPN?

IT-Dominikus

I just need to reach a remote web server. I have now configured it using an ippool with overload. External IP range 10.222.0.1-10.222.0.50 (just guessed / typed in whatever range, because they said we can use the whole subnet of 10.222.0.0/16).

The remote web server uses another subnet like (example): 7.49.31.128/25

Can you make any sense of that, or do I need to describe it better?

Debbie_FTNT
Staff

Hey Dominikus,

Correct me if I'm wrong - you have a local subnet of 10.220.0.0/16, and on the remote side the same subnet is also in use, right?
So, if you send traffic into the tunnel with a 10.220.x.x source IP, this will cause problems, because the remote side will confuse the traffic with its own subnet?
You will need to hide your 10.220.0.0/16 subnet behind NAT, such as the pool you've already implemented. So, now all traffic from your side will go into the tunnel with a 10.222.0.x source IP address (the pool could go 10.222.0.1-10.222.255.254, if you want to use it fully :).

Now you need to ensure the following is in place:
- the IPSec tunnel has phase2 selectors with 10.222.0.0/16 as local subnet, and the remote server as remote subnet
- your FortiGate has a route to the web server through the IPSec tunnel
- the remote side has mirrored selectors (10.222.0.0/16 as remote, their web server subnet as local)
- the remote side has a route for 10.222.0.0/16 via IPSec tunnel
With that in place, the web server should become reachable.
Hope this helps :)

+++ Divide by Cucumber Error. Please Reinstall Universe and Reboot +++
IT-Dominikus

Thank you! That worked.

- Phase 2 local subnet set to 10.222.0.0/16 (before it was set to 10.220.0.0/16)

- ippool is overload with 10.222.0.1-10.222.255.254

- the outgoing policy has NAT enabled using the specified ippool

Thank you very much ! What a great answer.
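The four points Debbie lists and the three settings Dominikus confirms above, written out as one FortiOS CLI configuration. This is an added example, not config posted by either of them or taken from the linked Fortinet article. The LAN interface name "internal", the tunnel name "Partner-VPN", the phase 2 name, the pool name and the policy name are assumptions; 10.222.0.1-10.222.255.254 is the pool range from the thread, and 7.49.31.128/25 is the example server subnet Dominikus gave earlier.

```fortios
# Added example (not from the thread): hide the real LAN 10.220.0.0/16 behind
# a 10.222.0.0/16 overload pool for traffic entering the IPsec tunnel.
# Assumed names: "internal", "Partner-VPN", "Partner-P2", "VPN-SNAT-10.222".

# 1. Overload (PAT) pool covering the replacement range agreed with the peer.
config firewall ippool
    edit "VPN-SNAT-10.222"
        set type overload
        set startip 10.222.0.1
        set endip 10.222.255.254
    next
end

# 2. Address objects: the real local LAN and the remote web server subnet
#    (7.49.31.128/25 is the example subnet from the thread).
config firewall address
    edit "LAN-10.220.0.0-16"
        set subnet 10.220.0.0 255.255.0.0
    next
    edit "Remote-Webserver-Subnet"
        set subnet 7.49.31.128 255.255.255.128
    next
end

# 3. Phase 2 selectors carry the TRANSLATED subnet, not the real LAN.
#    The peer mirrors this: 10.222.0.0/16 as its remote, its server subnet as local.
config vpn ipsec phase2-interface
    edit "Partner-P2"
        set phase1name "Partner-VPN"
        set src-subnet 10.222.0.0 255.255.0.0
        set dst-subnet 7.49.31.128 255.255.255.128
    next
end

# 4. Static route sending the server subnet into the tunnel interface.
config router static
    edit 0
        set dst 7.49.31.128 255.255.255.128
        set device "Partner-VPN"
    next
end

# 5. Outbound policy: match the real source, translate it with the pool.
#    Without "set nat enable" + "set ippool enable" the packets would enter the
#    tunnel with a 10.220.x.x source and fail the phase 2 selector.
config firewall policy
    edit 0
        set name "LAN-to-Partner-SNAT"
        set srcintf "internal"
        set dstintf "Partner-VPN"
        set srcaddr "LAN-10.220.0.0-16"
        set dstaddr "Remote-Webserver-Subnet"
        set action accept
        set schedule "always"
        set service "HTTP" "HTTPS"
        set nat enable
        set ippool enable
        set poolname "VPN-SNAT-10.222"
    next
end
```

Two practical notes on this layout. An overload pool does port address translation, so it only serves sessions initiated from the 10.220.0.0/16 side; the peer can reply to 10.222.x.x but cannot open connections to your hosts, which is exactly the "I just need to reach a remote web server" case in this thread and is the more restrictive, and therefore preferable, direction for a partner VPN. Because every session can leave with any address from the pool range, the peer must route and permit the entire 10.222.0.0/16 back into the tunnel, as Debbie's last two points require; narrowing the pool to a smaller range (for instance a /24) lets the peer narrow its selector and route to match, and the peer's selector, route and policy all have to change together with the pool or phase 2 will negotiate but traffic will be dropped on one side.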
