I'm working on a case where I have to replace a current IPsec tunnel with Fortigate HW, where the traffic should be NAT'ed in both directions (i've addad a network drawing for clarification).
- I have simplified WAN IP addressing for my lab
- SITE B is managed by another company
- Traffic to SITE B is directed to the public IP address (DNAT by firewall B), and only accepted from public range on SITE A (SNAT by firewall A)
- Traffic from SITE B is delivered on the public IP address of SITE A and should be NAT'ed to internal (DNAT)
- 10.200.0.100 delivers a print job to 10.0.0.11, port 10000
- FortiGate in SITE A should DNAT the traffic to 10.100.0.200, port 9100
I am unable to get the DNAT into SITE A working. I've tried both Policy-based IPsec and Route-based IPsec.
- With Policy-based IPsec I am unable to select the IPsec tunnel on a policy with WAN as source and LAN as destination (IPsec selection list is empty), only the other way. I have referred to https://kb.fortinet.com/kb/documentLink.do?externalID=FD37522 scenario 2 , although the VIP should not be wan-wan in my case but wan-lan.
- With Route-based IPsec I can't get it done to pass the traffic to 10.0.0.11 and have the firewall take care of the VIP. I keep getting policy violations where the traffic is recognized as coming from WAN instead of the IPsec tunnel.
I was hoping that someone might help in this matter! Thanks in advance.