IPsec VPN configuration by enabling NAT in IPV4 Policy only SITE-B between two fortigate
Dear Concern,
I need to configure an IPsec VPN between two FortiGate, in which the traffic coming from SITE-B should be NATed only. That means when I configure the IPv4 policy on SITE-B, I should enable NAT in the policy and define an IP Pool so that the traffic from SITE-B is NATed and reaches SITE-A. I need to do this configuration because there is a server located at SITE-A, and I only want to give access to this server to users at SITE-B. The reason for enabling NAT is that SITE-B is using a subnet that is also being used by SITE-C, and I want to avoid any conflicts.
Can anyone help me with this configuration?
Firewall policy should be like this:

Site B:

LAN_TO_Server
    Incoming Interface : LAN
    Outgoing Interface : Tunnel
    Source : LAN Subnet
    Destination : Server Subnet
    Service : ALL
    NAT : Enable
    Use Dynamic IP Pool : IP POOL for Site B

Server_TO_LAN
    Incoming Interface : Tunnel
    Outgoing Interface : LAN
    Source : Server Subnet
    Destination : VIP (IP Pool subnet to Real Subnet)
    Service : ALL
    NAT : Disable

Site A:

SiteB_TO_Server
    Incoming Interface : Tunnel
    Outgoing Interface : Server
    Source : Site B Subnet (IP Pool subnet)
    Destination : Server Subnet
    Service : ALL
    NAT : Disable

Server_TO_SiteB
    Incoming Interface : LAN
    Outgoing Interface : Tunnel
    Source : Server Subnet
    Destination : Site B Subnet (IP Pool subnet)
    Service : ALL
    NAT : Disable
Note that phase2 should include the New Subnet (VIP and IP Pool) on both Site A and Site B.
Route should be present on Site A for IP Pool pointing to the tunnel.
Arnold Dimailig
TAC Engineer
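A FortiOS CLI rendering of the Site B side of the policy set above, added here as an example; it is not from the thread or from Fortinet's documentation, and the interface names, subnets, object names and the one-to-one pool type are assumptions (marked in the comments). Site A still needs its two policies and the static route for the pool subnet pointing at the tunnel, as the answer notes.

```fortios
# Site B only; constructed values: LAN 192.168.1.0/24 on "port2", NAT pool 10.200.1.0/24,
# SITE-A server subnet 172.16.10.0/24, tunnel "to_SiteA"; address objects assumed to exist.
config firewall ippool
    edit "SITEB_POOL"
        set type one-to-one
        set startip 10.200.1.1
        set endip 10.200.1.254
    next
end
# Inbound VIP: pool range (what SITE-A sees) mapped back to the real LAN range.
config firewall vip
    edit "SITEB_VIP"
        set extip 10.200.1.1-10.200.1.254
        set mappedip "192.168.1.1-192.168.1.254"
    next
end
config firewall policy
    edit 0
        set name "LAN_TO_Server"
        set srcintf "port2"
        set dstintf "to_SiteA"
        set srcaddr "LAN_Subnet"
        set dstaddr "Server_Subnet"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
        set ippool enable
        set poolname "SITEB_POOL"
    next
    edit 0
        set name "Server_TO_LAN"
        set srcintf "to_SiteA"
        set dstintf "port2"
        set srcaddr "Server_Subnet"
        set dstaddr "SITEB_VIP"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
# Phase 2 selector carries the pool subnet, not the real LAN, so SITE-A only ever sees 10.200.1.0/24.
config vpn ipsec phase2-interface
    edit "to_SiteA_p2"
        set phase1name "to_SiteA"
        set src-subnet 10.200.1.0 255.255.255.0
        set dst-subnet 172.16.10.0 255.255.255.0
    next
end
```

A one-to-one pool does not guarantee which pool address a given LAN host receives, so the outbound mapping need not match the VIP's static range mapping; if SITE-A must reach a specific SITE-B host, confirm the mapping in `diagnose sys session list` before relying on it.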
You may follow the guide below, but only configure the IP Pool and VIP on Site B.
Site A can be configured as is (normal deployment), as its subnet is not in conflict.
If you need to have connections from both Site B and Site C, you need the full deployment of the guide below.
https://docs.fortinet.com/document/fortigate/7.4.4/administration-guide/426761/site-to-site-vpn-with...
Arnold Dimailig
TAC Engineer
Created on 08-05-2024 12:33 AM, edited on 08-05-2024 12:34 AM
Dear Concern,
Thank you for sharing the link. I have already checked this link and configured it accordingly, but the users at SITE-B are still unable to ping the server at SITE-A. They are getting a Request-Time-Out.
In the inbound IPv4 policy on SITE-B, I have set the source interface as Tunnel and the destination interface as LAN. For the source address, I have specified the IP address of the SITE-A server that SITE-B users need access to. In the destination, I have defined a Virtual IP with the external IP address as SITE-B's NATed pool and the internal as the user's pool.
In the outbound IPv4 policy, I have configured the incoming interface as LAN and the outgoing interface as Tunnel. The source address is SITE-B's local network, and the destination address is the SITE-A server IP. Then, I enabled NAT, selected the dynamic pool, and chose the VIP with the internal LAN user's pool and the external as SITE-B's NATed pool.
Is this configuration correct, or is there any mistake? I hope this explanation helps in understanding the issue.
Noted. I will verify my configuration according to what you have shared.
I have checked. My configuration is the same as you shared, and the server is accessible from SITE-B. Can I also NAT the second user subnet to the same NATed pool, and if so, how?
Great.
As for the second user subnet at Site-B, I do not recommend using the same IP Pool. I suggest using a separate/new IP Pool.
In addition, if this second subnet does not have a conflict with another site, I recommend configuring it as it is, without VIP / IP Pool.
Arnold Dimailig
TAC Engineer
Thanks for your suggestion. Let me also try with a different NAT Pool for the other User Subnet.
