Hi all,
I'm working on a case where I have to replace a current IPsec tunnel with Fortigate HW, where the traffic should be NAT'ed in both directions (I've added a network drawing for clarification).
- I have simplified WAN IP addressing for my lab
- SITE B is managed by another company
- Traffic to SITE B is directed to the public IP address (DNAT by firewall B), and only accepted from public range on SITE A (SNAT by firewall A)
- Traffic from SITE B is delivered on the public IP address of SITE A and should be NAT'ed to internal (DNAT)
Example:
- 10.200.0.100 delivers a print job to 10.0.0.11, port 10000
- FortiGate in SITE A should DNAT the traffic to 10.100.0.200, port 9100
I am unable to get the DNAT into SITE A working. I've tried both Policy-based IPsec and Route-based IPsec.
- With Policy-based IPsec I am unable to select the IPsec tunnel on a policy with WAN as source and LAN as destination (the IPsec selection list is empty), only the other way around. I have referred to https://kb.fortinet.com/kb/documentLink.do?externalID=FD37522 scenario 2, although the VIP should not be wan-wan in my case but wan-lan.
- With Route-based IPsec I can't get it done to pass the traffic to 10.0.0.11 and have the firewall take care of the VIP. I keep getting policy violations where the traffic is recognized as coming from WAN instead of the IPsec tunnel.
I was hoping that someone might help in this matter! Thanks in advance.
1st, you can do DNAT/SNAT in an IPsec tunnel.
Hint: on phase 2, when you do NAT make sure you allow the NAT'd address in the phase 2 selectors, and with route-based VPN make sure you have a route for the proper NAT'd address.
Ken Felix
PCNSE
NSE
StrongSwan
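For the scenario in the question (10.200.0.100 on SITE B sends to 10.0.0.11:10000, which FortiGate A must DNAT to 10.100.0.200:9100, while SITE A's outbound traffic is SNAT'ed to the public range) and the hint in the reply above, the following route-based configuration shows where each piece goes on FortiGate A. This is an added example, not configuration from the thread, from Ken Felix or from Fortinet's KB article. Interface names (wan1, internal), the tunnel name, the peer gateway 203.0.113.2, the pre-shared key placeholder and the /24 masks for the 10.0.0.0 and 10.200.0.0 ranges are assumptions chosen for illustration.

```fortios
# Added example: route-based IPsec on FortiGate A with inbound DNAT (VIP) and outbound SNAT (IP pool).
# Assumed values, not from the thread: wan1, internal, to-siteB, 203.0.113.2, /24 masks, PSK placeholder.
config vpn ipsec phase1-interface
    edit "to-siteB"
        set interface "wan1"
        set ike-version 2
        set peertype any
        set proposal aes256-sha256
        set remote-gw 203.0.113.2
        set psksecret "REPLACE-WITH-REAL-PSK"
    next
end
config vpn ipsec phase2-interface
    edit "to-siteB-p2"
        set phase1name "to-siteB"
        set proposal aes256-sha256
        # Selectors carry the NAT'd (public-range) address 10.0.0.11, i.e. 10.0.0.0/24,
        # not the internal 10.100.0.0/24 that only exists after translation.
        set src-subnet 10.0.0.0 255.255.255.0
        set dst-subnet 10.200.0.0 255.255.255.0
    next
end
config firewall vip
    edit "VIP-printer-9100"
        # DNAT: 10.0.0.11:10000 arriving on the tunnel interface -> 10.100.0.200:9100.
        # extintf is the tunnel, not wan1, because decrypted traffic enters on "to-siteB".
        set extintf "to-siteB"
        set extip 10.0.0.11
        set portforward enable
        set protocol tcp
        set extport 10000
        set mappedip "10.100.0.200"
        set mappedport 9100
    next
end
config firewall ippool
    edit "SNAT-siteA-public"
        # SNAT: LAN hosts leave towards SITE B as 10.0.0.11, inside the phase 2 selector above.
        set type overload
        set startip 10.0.0.11
        set endip 10.0.0.11
    next
end
config firewall policy
    edit 1
        # Inbound: source is the tunnel interface, destination is the VIP (DNAT is applied before policy lookup).
        set name "siteB-to-printer-DNAT"
        set srcintf "to-siteB"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "VIP-printer-9100"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 2
        # Outbound: LAN to SITE B with SNAT from the pool so the far side only sees the public range.
        set name "lan-to-siteB-SNAT"
        set srcintf "internal"
        set dstintf "to-siteB"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
        set ippool enable
        set poolname "SNAT-siteA-public"
    next
end
config router static
    edit 10
        # Route the remote range into the tunnel; reply traffic from 10.100.0.200 is un-NAT'ed
        # back to 10.0.0.11 by the VIP and follows this route.
        set dst 10.200.0.0 255.255.255.0
        set device "to-siteB"
    next
end
```

The two points that decide whether the inbound DNAT works are the VIP's `extintf` being the tunnel interface and policy 1 using that same interface as `srcintf`; if either still names `wan1`, the session is evaluated as arriving on WAN and the policy check fails. To confirm on the box, `diagnose debug flow filter addr 10.0.0.11` followed by `diagnose debug flow trace start 10` and `diagnose debug enable` prints, per packet, the incoming interface, the VIP translation and the policy id that matched.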
Copyright 2024 Fortinet, Inc. All Rights Reserved.