Hi all,
I'm after a bit of help with regards to NAT, specifically allowing access to an internal server my end from over a VPN. Here's the scenario:
I have a client whose network I access via a VPN, and due to clashing address ranges I use source and destination NAT. I can connect to the client network fine and access their internal devices. I'm having trouble though giving them access to specific devices on my network. I'm using a 300E VDOM for this.
My network is 192.168.2.0/24, with LAN interface 192.168.2.24. I source NAT overload this to 172.16.0.1.
The client uses 192.168.2.0/24 internally, which I use a destination 1:1 NAT of 10.11.1.0/24 to address. The VPN is configured to allow 172.16.0.0/28 to 192.168.2.0/24. This all works fine, I can RDP to the client devices etc.
Now I'm trying to allow the client to access a server on my network. I want to set up a NAT to point 172.16.0.2 to my internal server 192.168.2.73, but I just can't get this to work. I'm thinking that as the firewall doesn't actually have an interface in the 172.16.0.0/28 subnet that this is the issue. To this end I've tried setting up a loopback interface in this subnet but still can't get the NAT to work. I came across this KB article https://kb.fortinet.com/kb/documentLink.do?externalID=FD39824 which sounded good but I can't get it talking right. My NAT would also need to source-NAT the traffic from the client to possibly the 10.11.1.0/24 range so that my server can route back to it.
Any ideas? Happy to share config and any other details required. I'm coming from a Cisco ASA background which is being replaced with the Fortigate, so still learning my way around.
Thanks
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
That KB is a doozy. [&:] It doesn't seem like it would work based on my experience but I guess I haven't done exactly that.
All my VIPs live in a subnet that doesn't exist on my firewall either, but as long as the mapped IP's network exists, you should be fine. The question is does the other end have a route TO your VIP?
The way you described the VPN sounds a little odd and could be the source of the issue. I'd be happy to look at the config and try to help. FortiGates definitely work a lot different than Cisco ASA, so I feel your pain. Once you "get it" though, the FortiGate is amazing!
Thanks lobstercreed. I'm loving the Fortigate, much better than the ASA I just need to figure out how it handles all the NAT! Going from a one-liner that does both source and destination NAT to the IP Pools, virtual IPs and policies is challenging me certainly.
The VPN is up and working fine and the remote end does have a route in place back to my VIP subnet 172.16.0.0/28. I've ditched the loopback but still no joy - I can post the config if you let me know which bits are pertinent or I can just post the whole lot. I'm still learning the cli.
The other thing I've noticed is that the IPv4 policies and the IPSEC monitor show no bytes hitting the policies or VPNs, but they are definitely passing traffic as I can get a successful RDP session to a server on the remote site.
Thanks
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1712 | |
1093 | |
752 | |
447 | |
231 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.