Hello all,
I am a Fortigate newb. The only documentation I can find on NAT over site to site IPSEC VPN pertains to versions before 5.6, and only to NATting entire subnets, on both ends.
I have a working IPSEC site to site VPN between my Fortigate (v.5.6) and a remote site (which is using a Cisco ASA.) I am trying to make ONE host behind the fortigate, 10.0.100.198, appear to the remote site as 192.168.114.6. Could someone tell me, precisely, what I'm supposed to do to make this happen? I have experimented with Virtual IPs and IP pools, but nothing seems to work. It's probably something simple that I'm missing. If it helps, in Cisco language, this is what I'm trying to accomplish:
object-group network external network-object host X.X.X.X object network internal host 10.0.100.198 object network translated_address host 192.168.114.6 (This is what I want the remote site to see 10.0.100.198 as) nat (inside,outside) 1 source static internal translated_address destination static external external
Thanks!
Update: I was able to NAT a private address to a static address assigned by my ISP, and hit the web server from outside, through the wan interface:
config firewall policy
edit 5
set name "Web Server"
set srcintf "port2"
set dstintf "port1"
set srcaddr "all"
set dstaddr "Public VIP Group"
set action accept
set status disable
set schedule "always"
set service "ALL"
set logtraffic all
next end
config firewall vipgrp
edit "Public VIP Group"
set interface "port2"
set member "Public PC VIP"
next
end
config firewall vip
edit "Public PC VIP"
set extip 172.216.8.195
set extintf "port2"
set mappedip "10.0.100.198"
next end
I just can't figure out how to do this over a site to site IPSEC VPN, using a static IP of my choice (instead of one assigned by my ISP - 172.216.8.195.)
Solved! Go to Solution.
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Okay let me clearified if this is a rt-base-vpn you need to apply the "SNAT" address in the vpn tunnel cfg
e.g
config vpn ipsec phase2 edit "YOURTUNNELNAMEHERE" set keylifeseconds 28000 set src-subnet 192.168.114.6/32 < the ippool address> set dst-subnet x.x.x.x./yy next end
PCNSE
NSE
StrongSwan
I got it to work. The problem was my VIP was set to "any" interface instead of the tunnel interface "COMPANY."
My next task was to allow another computer (on the Fortigate side) through the tunnel, without NATting it (but still NATting the other computer.)
So I added the un-NATted IP of the additional computer to the phase 2 selector.
Then I created two more rules (one inbound and one outbound, without any NAT) for the additional computer, on the VPN interface.
Either of the rule pairs will work as expected, if I disable the other two rules. But for some reason, if I enable all four rules at the same time, I get inconsistent ping replies across the tunnel. I am at a loss as to why. I can't find any documentation that explains how to do this.
I can't tell you how much I appreciate your help, emnoc. We are running a VM demo, and I'm trying to evaluate whether our company wants to switch our hardware to FortiGate from Cisco. I logged a support almost a week ago, (3/22) but the only response to the ticket I've gotten so far was a link to an IP pool document that I have already seen.
After a call with Fortinet support it was determined the problem was using named addresses in the phase 2 selector. For whatever reason, they would not work. I probably never would have figured this part out on my own, since it apparently was a problem with the software, not configuration. So if anyone else finds themselves in this predicament, try not using named addresses.
FYI:
In FortiOS, an ippool specifies source NAT, the source address will be replaced. A VIP does destination NAT, that is, the destination IP address is replaced.
- besides, a VIP is an active construct. The FGT will do proxy arp according to the setting in the VIP, it will respond on behalf of the host with the mapped-to address.
- only creating a VIP will influence how the FGT will react to traffic (as opposed to other configurations which - if not inserted in a policy - will not be noticeable). For proper usage, the VIP needs to be used in a policy as the destination address object.
- yes, best practice is to only use numeric addresses in phase2 of an IPsec VPN. Using name objects can have funny effects. But, AFAIR, some other 3rd party vendor demands the usage of named addresses in a VPN, or it won't work. There's always an exception to the rule.
If you are working on a Proof of Concept demo, you should get proper support by a local Fortinet SE. You don't need to reinvent the wheel. Contact your channel manager (if you are a FTNT partner) or your FTNT partner for this. A failed PoC can keep enterprises from looking at FTNT equipment for a long time, a successful one may mean another longtime customer. Still, I'm glad you've found your way to the forums (and that emnoc spends his Easter holidays here :)
I know this is a very old thread but I have the same requirement using 7.0. Could someone explain how I can accomplish the same using the GUI? I'm new to Fortigate and have not yet learned the intricacies of the CLI.
I know this is a very old thread but I have the same requirement using 7.0. Could someone explain how I can accomplish the same using the GUI? I'm new to Fortigate and have not yet learned the intricacies of the CLI.
I would say that you create a VIP with extinf set as any and create a firewall policy that uses the vip as a destination. You might not like it but then you would need to edit the VIP in CLI and do "set nat-source-vip enable"
Then your ipsec SAs would be the translated/external address for the the real server.
A diagram would actually help.
Hope this image make sense. Left side of diagram is our office. Right side is a remote client and I don't have details of their exact setup.
That should just be a VIP on the left fortigate. External address would be 50.50.2.50 and mapped address would be 192.168.2.50. In the firewall policy the Source interface is the ipsec tunnel and destination interface is the 192.168 interface. The VIP would be applied as the destination.
Then you would have a firewall policy from the left to the right allowing whatever traffic.
The SAs for the ipsec tunnel would use the 50.50 address instead of the 192.168
Thank you. I'll try this out when I'm back in the office next week.
Well, that is kind of the case. Right now on the Cisco ASA I have maybe 30-40 site-to-site tunnels to/from clients and maybe 5 of them are setup as a NAT on my end due to conflicting/overlapping subnets. I just want to know the best approach of getting this done on the Fortigate as I'm considering of migrating everything over to the fortigate. My network is pretty small, primarily just 8 VM servers and I setup my end as /32 while my client's end can be a subnet of /24 can may or may not overlap my subnet or they request I NAT so it doesn't conflict their end and with other client's/vendors they may have.
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1732 | |
1106 | |
752 | |
447 | |
240 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.