Dear Concern,
I need to configure an IPsec VPN between two FortiGate, in which the traffic coming from SITE-B should be NATed only. That means when I configure the IPv4 policy on SITE-B, I should enable NAT in the policy and define an IP Pool so that the traffic from SITE-B is NATed and reaches SITE-A. I need to do this configuration because there is a server located at SITE-A, and I only want to give access to this server to users at SITE-B. The reason for enabling NAT is that SITE-B is using a subnet that is also being used by SITE-C, and I want to avoid any conflicts.
Can anyone to helpme for this configuration.
Solved! Go to Solution.
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Firewall policy should be like this:
Site B:
LAN_TO_Server
Incoming Interface : LAN
Outgoing Interface : Tunnel
Source : LAN Subnet
Destination : Server Subnet
Service : ALL
NAT : Enable
Use Dynamic IP Pool : IP POOL for Site B
Server_TO_LAN
Incoming Interface : Tunnel
Outgoing Interface : LAN
Source : Server Subnet
Destination : VIP (IP Pool subnet to Real Subnet)
Service : ALL
NAT : Disable
Site A:
SiteB_TO_Server
Incoming Interface : Tunnel
Outgoing Interface : Server
Source : Site B Subnet (IP Pool subnet)
Destination : Server Subnet
Service : ALL
NAT : Disable
Server to SiteB
Incoming Interface : LAN
Outgoing Interface : Tunnel
Source : Server Subnet
Destination : Site B Subnet (IP Pool subnet)
Service : ALL
NAT : Disable
Note that phase2 should include the New Subnet (VIP and IP Pool) on both Site A and Site B.
Route should be present on Site A for IP Pool pointing to the tunnel.
You may follow below guide but only configure IP Pool and VIP on Site B.
Site A can be configured as is (normal deployment) as the subnet is not in conflict in it.
If you need to have connection from Site B and Site C, you need the full deployment of below guide.
https://docs.fortinet.com/document/fortigate/7.4.4/administration-guide/426761/site-to-site-vpn-with...
Dear Concern,
Thank you for sharing the link. I have already checked this link and configured it accordingly, but the users at SITE-B are still unable to ping the server at SITE-A. They are getting a Request-Time-Out.
In the inbound IPv4 policy on SITE-B, I have set the source interface as Tunnel and the destination interface as LAN. For the source address, I have specified the IP address of the SITE-A server that SITE-B users need access to. In the destination, I have defined a Virtual IP with the external IP address as SITE-B's NATed pool and the internal as the user's pool.
In the outbound IPv4 policy, I have configured the incoming interface as LAN and the outgoing interface as Tunnel. The source address is SITE-B's local network, and the destination address is the SITE-A server IP. Then, I enabled NAT, selected the dynamic pool, and chose the VIP with the internal LAN user's pool and the external as SITE-B's NATed pool.
Is this configuration correct, or is there any mistake? I hope this explanation helps in understanding the issue.
Firewall policy should be like this:
Site B:
LAN_TO_Server
Incoming Interface : LAN
Outgoing Interface : Tunnel
Source : LAN Subnet
Destination : Server Subnet
Service : ALL
NAT : Enable
Use Dynamic IP Pool : IP POOL for Site B
Server_TO_LAN
Incoming Interface : Tunnel
Outgoing Interface : LAN
Source : Server Subnet
Destination : VIP (IP Pool subnet to Real Subnet)
Service : ALL
NAT : Disable
Site A:
SiteB_TO_Server
Incoming Interface : Tunnel
Outgoing Interface : Server
Source : Site B Subnet (IP Pool subnet)
Destination : Server Subnet
Service : ALL
NAT : Disable
Server to SiteB
Incoming Interface : LAN
Outgoing Interface : Tunnel
Source : Server Subnet
Destination : Site B Subnet (IP Pool subnet)
Service : ALL
NAT : Disable
Note that phase2 should include the New Subnet (VIP and IP Pool) on both Site A and Site B.
Route should be present on Site A for IP Pool pointing to the tunnel.
Noted. I will verify my configuration according to what you have shared.
I have checked. My configuration is same as you shared and the server is accessible from SITE-B. Can I also NAT the second user subnet to the same NATed pool, and if so, how?
Great.
As for the second user subnet at Site-B, I do not recommend using the same IP Pool. I suggest to use separate/new IP Pool.
In addition, if this second subnet do not have conflict with other site, I recommend configuring it as it is and not with VIP / IP Pool.
Thanks for your suggestion. Let me try as well with different NAT Pool for another User Subnet.
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1732 | |
1106 | |
752 | |
447 | |
240 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.