IPSEC VPN (IKEv2)
FortiGate to Cisco – VPN is established
Remote gateway address: 45.52.8.249
Local subnet: 10.128.131.96/27
Remote subnet: 205.73.208.48/29
Local subnet address: 10.128.131.96/27 needs to access resources on subnet 192.168.100.1/24
This was done via NAT in Cisco ASA, new config is FortiGate 200F – Need to configure NAT.
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
General NAT troubleshooting
Collapse all
Step 1: Turn on UPnP to refresh your NAT table
UPnP is a standard that helps routers communicate effectively. If your router or gateway supports UPnP, it’s likely turned on by default.
In some scenarios, you may be able to resolve connectivity issues by refreshing the Network Address Translation (NAT) table. To refresh the NAT table on a router where UPnP is already enabled, you need to disable UPnP, save your changes, and then power cycle your router. After that, you’ll need to turn UPnP back on and save your changes.
Important Don’t combine port forwarding, UPnP, and perimeter network (also known as DMZ) settings. If you previously enabled perimeter network functionality on your router, you must disable the perimeter network before you try this procedure.
Follow these steps to turn UPnP off and on:
Log in to your router's web-based configuration page to and make sure UPnP is turned on. Refer to your router's documentation or support website for help turning UPnP on for the first time, or off and then back on. Make sure that the router is restarted each time you update any router settings. If the router doesn’t restart automatically, restart it manually.
Turn the UPnP setting off, and then save your changes.
Restart your console from a full shut-down and restart all network hardware (your modem and router). Removing the mains leads, waiting 10-20 seconds and plugging the mains leads back in is the best way to ensure a full power cycle.
Log in to your router's web-based configuration page to and make sure UPnP is turned off.
Turn the UPnP setting back on, and then save your changes again. If there’s another setting labelled Zero Config, ensure that this setting is also turned on.
Restart all network hardware (your modem and router).
After resetting your router, check your NAT type again (Profile & system > Settings > General > Network settings > Test NAT type). If you don’t get any errors and your NAT Type is Open, you’re done!
If you are still getting NAT errors, or if you have a Moderate or Strict NAT type, continue to the next step.
Step 2: Check to see if your firmware needs to be upgraded
Routers, both wired and wireless, contain embedded software called firmware. Router manufacturers often provide updates that improve performance, stability, security, and connectivity. Updating router firmware can resolve issues with slow performance or dropped connections.
You can download these firmware updates and install them yourself. Your computer needs to be directly connected to the router using an Ethernet cable so you can upload the new firmware file directly to the router.
Consult your device documentation or the manufacturer’s website to learn how to configure and update your specific network hardware.
After updating your router’s firmware, check your NAT type again (Profile & system > Settings > General > Network settings > Test NAT type). If you don’t get any errors and your NAT Type is Open, you’re done!
If you are still getting NAT errors, or if you have a Moderate or Strict NAT type, continue to the next step.
Step 3: Do you have multiple Xbox consoles?
If you only have one Xbox console, see:
Advanced NAT troubleshooting (single console)
If you have multiple Xbox consoles, see:
Advanced NAT troubleshooting (multiple consoles)
This may help you,
Rachel Gomez
Hello,
If NAT is done on ASA from 192.168.100.1/24 > X.X.X.X/24, then 192.168.100.1/24 should be configured as selectors. Or at least on FortiGate, if you do SNAT/DNAT for the traffic that will enter the tunnel, the translated subnets needs to be selectors.
I tried to add another selector, no luck.
here is what it looks like
Created on 10-21-2022 12:04 PM Edited on 10-21-2022 12:05 PM
You originally stated the "remote IP" was 45.52.8.249. So the IPSec is terminated at that IP on the wan side interface. Where is 205.73.208.48/29 is configured on the remote end? That's not an IP but a subnet. I'm assuming it's on another interface/LAN side.
I now think you have two subnets, or even more, on the remote ends that you need to reach over the tunnel. 205.73.208.48/29 and 192.168.100.0/24, and even other 192.168.x.0/24s. You need to have each selectors like 10.128.131.96/27<->205.73.208.48/29, 10.128.131.96/27<->192.168.100.0/24, and so on.
In addition, more importantly, you need to have routes for those remote subnets toward the tunnel interface. Otherwise it would never be routed into the tunnel.
Toshi
205.73.208.48/29 is the remote subnet of the partner, my mistake 45.52.8.249 is the peer address. I am missing the routes as I have the selectors setup as you show above
On the Fortigate:
Remote gateway address: 45.52.8.249 = this is public address of the internet interface on the ASA.
Local subnet: 10.128.131.96/27 = this is the subnet that the tunnel sees as local, if you are doing any SNAT that happens BEFORE it gets to the tunnel, so the tunnel is expecting the results of the SNAT not the real source.
Remote subnet: 205.73.208.48/29 = this is the subnet inside the renote site, I would expect this to be a private IP, If the other end is doing any DNAT that happens outside the tunnel so the tunnel is expecting to sees the IPs on the packets as you are sending them.
If it helps, think of the connection as made up of 5 parts, each only aware of what is coming into and out of itself, and not what the other parts do with the traffic.
The part Routing-Rules-Tunnel-Rules-Routing
Routing only sees what the client is sending and points the traffic to the interface based on that.
Rules allow traffic and apply NAT (source or destination).
Tunnel only sees the results of the rules, what the IPs were before passing through the Rules is irrelevant, all that matters is what the source and destination is after the Rules.
And of course Routing on the other side only sees what comes out of any Rues on that end.
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1732 | |
1106 | |
752 | |
447 | |
240 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.