Thanks for the screenshot, very useful :).
For NAT - create an IP pool from the 61F subnet, 10.2.10.0/24 (10.2.10.250-10.2.10.250 for example, just the one IP), and use that pool in the policy.
Regarding reserving an IP - if FortiGate serves as your DHCP server on the lan interface, just set the range to only go up to .249 for example, so that .250 can't be assigned. If you have an external DHCP server, make sure the IP you use for NAT here can't accidentally be given to a DHCP client.
Regarding the policy:
- Question: as source you have the sslvpn interface (correct) and the LAN subnet. I wonder at the LAN subnet here. As source on the sslvpn interface, you will usually want whatever IPs you use in the SSLVPN tunnel settings (by default the SSLVPN_TUNNEL_ADDR address).
Also - we were under the impression your setup was sslvpn -> 40F -> ipsec -> 61F, not sslvpn -> 61F -> ipsec -> 40F, our apologies. If your 61F is the bridge between sslvpn and IPsec, you will want to set up NAT with the 61F LAN IP.
+++ Divide by Cucumber Error. Please Reinstall Universe and Reboot +++
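
The single-address pool, the policy reference and the shortened DHCP range described in the post above, written out as FortiOS CLI. This is an added illustration, not configuration from the original poster or from the thread. Assumptions: the pool name `sslvpn-nat-250`, the interface name `lan`, DHCP server entry `1` with range entry `1`, the default address object name `SSLVPN_TUNNEL_ADDR1`, and the `<policy-id>` placeholder, which stands for the existing sslvpn-to-IPsec policy.

```fortios
# --- Added example; names and IDs below are assumptions, adjust to your unit ---

# 1. One-address IP pool taken from 10.2.10.0/24 (the address named in the post)
config firewall ippool
    edit "sslvpn-nat-250"
        set type overload
        set startip 10.2.10.250
        set endip 10.2.10.250
    next
end

# 2. Use the pool in the existing policy (placeholder ID) and set the source
#    to the SSL-VPN tunnel range instead of the LAN subnet
config firewall policy
    edit <policy-id>
        set srcintf "ssl.root"
        set srcaddr "SSLVPN_TUNNEL_ADDR1"
        set nat enable
        set ippool enable
        set poolname "sslvpn-nat-250"
    next
end

# 3. If the FortiGate is the DHCP server on the LAN interface, end the lease
#    range at .249 so that .250 can never be handed to a client
config system dhcp server
    edit 1
        set interface "lan"
        config ip-range
            edit 1
                set end-ip 10.2.10.249
            next
        end
    next
end

# 4. Check the result
show firewall ippool sslvpn-nat-250
show system dhcp server 1
```

With an external DHCP server, step 3 is done on that server instead, by excluding or reserving 10.2.10.250 there.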