- Forums
- Knowledge Base
- Customer Service
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- I wish to get help to setup a VPN with specific NA...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I wish to get help to setup a VPN with specific NAT requirements
Fortigate 600E
Current: VPN Tunnel Phase1 is UP - Phase2 DOWN.
The catch here is that we need to NAT "something" I don't know how and what to NAT, because on the remote site the 10.220.0.0/16 subnet is already occupied. They suggested another subnet with 10.222.0.0/16. How can I do that?
The connection should be something like that:
Our LAN 10.220.0.0/16 -> Tunnel Interface -> Remote LAN 10.222.0.0/16 -> Remote Server
I don't know how I can configure this. Also I don't know what to use. Is it ippools or vip or something other?
I can not figure this out. Any advice?
Thanks for reading.
Labels:
- Labels:
-
FortiGate
7 REPLIES 7
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Do you mean you have an address overlap, both sides use the same network addressing and you cannot change your local addressing on your side, so you want to NAT your sources ?
This article could be interesting : https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-configure-SNAT-with-IP-pool/ta-p/19...
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks... reading and trying now. I will write back.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Sorry, this is too hardcore for me. :(
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
FortiGate uses four types of IPv4 IP pools:
- Overload
- One-to-one
- Fixed port range
- Port block allocation
The type of IP pool depends of the need.
Do you have incoming flows from the remote side to your side or do you only need to reach some remote ressources like webservers, citrix, etc, through the VPN ?
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I just need to reach a remote web server. I now configured it using an ippool with overload. External IP Range 10.222.0.1-10.222.0.50 (just guessed / typed in whatever range because they said we can use whole subnet of 10.222.0.0/16)
The remote web server uses another subnet like (example): 7.49.31.128/25
Can you make any sense of that or need I describe better?
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hey Dominikus,
correct me if I'm wrong - you have a local subnet of 10.220.0.0/16, and on the remote side the same subnet is also in use, right?
So, if you send traffic into the tunnel with a 10.220.x.x source IP, this will cause problems, because the remote side will confuse the traffic with its own subnet?
You will need to hide your 10.220.0.0/16 subnet behind NAT, such as the pool you've already implemented. So, now all traffic from your side will go into the tunnel with a 10.222.0.x source IP address (the pool could go 10.222.0.1-10.222.255.254, if you want to use it fully :).
Now you need to ensure the following is in place:
- the IPSec tunnel has phase2 selectors with 10.222.0.0/16 as local subnet, and the remote server as remote subnet
- your FortiGate has a route to the webserver through the IPSec tunnel
- the remote side has mirrored selectors (10.222.0.0/16 as remote, their web server subnet as local)
- the remote side has a route for 10.222.0.0/16 via IPSec tunnel
With that in place, the web server should become reachable.
Hope this helps :)
+++ Divide by Cucumber Error. Please Reinstall Universe and Reboot +++
Created on 12-29-2021 06:57 AM Edited on 12-29-2021 07:01 AM
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you! That worked.
- Phase 2 local subnet set to 10.222.0.0/16 (before it was set to 10.220.0.0/16)
- ippool is overload with 10.222.0.1-10.222.255.254
- outgoing policy is with NAT enabled using the specified ippool
Thank you very much ! What a great answer.
Related Posts
- How to Migrate VLANs to Virtual... 283 Views
- Discontinuation of FCNSP ERC codes for... 180 Views
- Priority between policy and virtual IP... 301 Views
- Fortimanager, API 184 Views
- Incorrect Router Announcement with Prefix Delegation 369 Views
Labels
-
FortiGate
6,536 -
FortiClient
1,304 -
5.2
801 -
5.4
639 -
FortiManager
563 -
6.0
416 -
FortiAnalyzer
414 -
5.6
362 -
FortiSwitch
333 -
FortiAP
333 -
FortiClient EMS
263 -
6.2
251 -
FortiMail
242 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
150 -
6.4
128 -
FortiNAC
106 -
FortiGuard
102 -
FortiSIEM
88 -
FortiGateCloud
87 -
FortiCloud Products
84 -
IPsec
73 -
Customer Service
70 -
FortiToken
69 -
4.0MR3
64 -
SSL-VPN
60 -
Wireless Controller
58 -
FortiProxy
44 -
FortiADC
42 -
Fortivoice
41 -
FortiEDR
39 -
FortiGate v5.4
34 -
FortiDNS
34 -
FortiExtender
31 -
FortiSandbox
31 -
FortiSwitch v6.4
28 -
SD-WAN
24 -
Firewall policy
23 -
FortiConnect
23 -
FortiWAN
22 -
FortiConverter
21 -
VLAN
20 -
High Availability
20 -
FortiPortal
18 -
ZTNA
16 -
FortiSwitch v6.2
16 -
FortiGate v5.2
16 -
FortiMonitor
14 -
Certificate
14 -
DNS
13 -
FortiDDoS
13 -
SAML
12 -
BGP
12 -
Routing
12 -
FortiAuthenticator
12 -
FortiCASB
12 -
Interface
11 -
Logging
11 -
FortiGate v5.0
10 -
LDAP
10 -
FortiRecorder
10 -
VDOM
10 -
FortiWeb v5.0
9 -
FortiManager v5.0
9 -
Virtual IP
9 -
NAT
9 -
4.0MR2
9 -
RADIUS
8 -
Traffic shaping
8 -
SSID
7 -
RMA Information and Announcements
7 -
FortiSOAR
7 -
fortilink
7 -
FortiAnalyzer v5.0
7 -
FortiGate v4.0 MR3
7 -
Admin
7 -
4.0
7 -
SSL SSH inspection
6 -
Security profile
6 -
Authentication
6 -
Fortigate Cloud
6 -
IP address management - IPAM
6 -
Traffic shaping policy
5 -
FortiBridge
5 -
SNMP
5 -
SSO
5 -
Application control
5 -
FortiManager v4.0
5 -
Static route
5 -
FortiDirector
4 -
WAN optimization
4 -
Web application firewall profile
4 -
DNS Filter
4 -
FortiTester
4 -
FortiCarrier
4 -
FortiCache
4 -
OSPF
4 -
3.6
4 -
FortiScan
4 -
Proxy policy
4 -
IPS signature
3 -
packet capture
3 -
FortiToken Cloud
3 -
FortiAP profile
3 -
Intrusion prevention
3 -
Automation
3 -
DoS policy
3 -
Port policy
3 -
FortiDB
3 -
FortiDeceptor
2 -
FortiInsight
2 -
NAC policy
2 -
VoIP profile
2 -
Antivirus profile
2 -
Web profile
2 -
Traffic shaping profile
2 -
FortiAI
2 -
FortiHypervisor
2 -
Netflow
2 -
Fortinet Engage Partner Program
2 -
trunk
2 -
SDN connector
1 -
4.0MR1
1 -
Users
1 -
Subscription Renewal Policy
1 -
FortiCWP
1 -
FortiNDR
1 -
Web rating
1 -
FortiPAM
1 -
Application signature
1 -
Multicast routing
1 -
Authentication rule and scheme
1 -
Zone
1 -
FortiManager-VM
1 -
Internet Service Database
1 -
System settings
1 -
Explicit proxy
1 -
TACACS
1
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.