IPsec tunnel with DNAT and SNAT
Hi all,
I'm working on a case where I have to replace a current IPsec tunnel with FortiGate hardware, where the traffic should be NAT'ed in both directions (I've added a network drawing for clarification).
- I have simplified the WAN IP addressing for my lab
- SITE B is managed by another company
- Traffic to SITE B is directed to the public IP address (DNAT by firewall B) and is only accepted from the public range of SITE A (SNAT by firewall A)
- Traffic from SITE B is delivered to the public IP address of SITE A and should be NAT'ed to the internal address (DNAT)
Example:
- 10.200.0.100 delivers a print job to 10.0.0.11, port 10000
- FortiGate in SITE A should DNAT the traffic to 10.100.0.200, port 9100
I am unable to get the DNAT into SITE A working. I've tried both policy-based IPsec and route-based IPsec.
- With policy-based IPsec I am unable to select the IPsec tunnel on a policy with WAN as source and LAN as destination (the IPsec selection list is empty), only the other way around. I have referred to https://kb.fortinet.com/kb/documentLink.do?externalID=FD37522 scenario 2, although the VIP should not be wan-wan in my case but wan-lan.
- With route-based IPsec I can't get it to pass the traffic to 10.0.0.11 and have the firewall take care of the VIP. I keep getting policy violations where the traffic is recognized as coming from WAN instead of from the IPsec tunnel.
I was hoping that someone might help in this matter! Thanks in advance.
First, you can do DNAT/SNAT in an IPsec tunnel.
Hint: on phase 2, when you do NAT, make sure you allow the NAT'd address in the phase 2 selectors, and with a route-based VPN make sure you have a route for the proper NAT'd address.
Ken Felix
PCNSE
NSE
StrongSwan
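To put the hint into concrete terms, here is an added example of the SITE A side as FortiOS CLI. It is not configuration from the original post or from Ken; it assumes a route-based tunnel whose phase 1 / tunnel interface is named "siteB", "port2" as the LAN interface, 10.100.0.0/24 as the SITE A LAN, and 10.200.0.0/24 as the range that SITE B traffic arrives from across the tunnel. The addresses from the poster's example (10.0.0.11:10000 to 10.100.0.200:9100) are reused.

```fortios
# Added example, not the poster's or Ken's configuration. Assumed names:
# "siteB" = phase 1 / tunnel interface, "port2" = LAN, 10.100.0.0/24 = SITE A LAN,
# 10.200.0.0/24 = SITE B range seen across the tunnel. 10.0.0.11 is the SITE A
# public address used for both DNAT (inbound) and SNAT (outbound).

config vpn ipsec phase2-interface
    edit "siteB-p2"
        set phase1name "siteB"
        # Local selector carries the NAT'd public address, not internal 10.100.0.200
        set src-subnet 10.0.0.11 255.255.255.255
        set dst-subnet 10.200.0.0 255.255.255.0
    next
end

# Route for the remote range via the tunnel interface, so replies from
# 10.100.0.200 return through "siteB" instead of following the WAN default route
config router static
    edit 0
        set dst 10.200.0.0 255.255.255.0
        set device "siteB"
    next
end

config firewall address
    edit "siteB-net"
        set subnet 10.200.0.0 255.255.255.0
    next
    edit "lan-net"
        set subnet 10.100.0.0 255.255.255.0
    next
end

# DNAT: 10.0.0.11:10000 -> 10.100.0.200:9100, bound to the tunnel interface
config firewall vip
    edit "printer-dnat"
        set extintf "siteB"
        set extip 10.0.0.11
        set mappedip "10.100.0.200"
        set portforward enable
        set protocol tcp
        set extport 10000
        set mappedport 9100
    next
end

# SNAT: LAN hosts leave toward SITE B as 10.0.0.11
config firewall ippool
    edit "siteA-public"
        set startip 10.0.0.11
        set endip 10.0.0.11
    next
end

config firewall policy
    # Inbound: SITE B -> printer; source interface is the tunnel, not WAN
    edit 0
        set name "siteB-to-printer"
        set srcintf "siteB"
        set dstintf "port2"
        set srcaddr "siteB-net"
        set dstaddr "printer-dnat"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    # Outbound: LAN -> SITE B with SNAT to the public address
    edit 0
        set name "lan-to-siteB"
        set srcintf "port2"
        set dstintf "siteB"
        set srcaddr "lan-net"
        set dstaddr "siteB-net"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
        set ippool enable
        set poolname "siteA-public"
    next
end
```

Two things carry the hint: the phase 2 selector and the VIP both use the public 10.0.0.11, because that is the only address the remote side ever sees, and the VIP's extintf is the tunnel interface rather than WAN, so the destination NAT matches traffic that enters on "siteB". The static route for 10.200.0.0/24 is what makes the return traffic from 10.100.0.200 egress through the tunnel. The peer's phase 2 selectors have to mirror these (10.200.0.0/24 to 10.0.0.11/32) or phase 2 will not come up.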
