- Forums
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiBridge
- FortiAuthenticator
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDDoS
- FortiDAST
- FortiDB
- FortiDNS
- FortiDevSec
- FortiDeceptor
- FortiDirector
- FortiEDR
- FortiGate Cloud
- FortiExtender
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiMonitor
- FortiManager
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecorder
- FortiRecon
- FortiSandbox
- FortiScan
- FortiSASE
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- Wireless Controller
- FortiWebCloud
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- NAT a single IP address through Site to Site VPN
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
NAT a single IP address through Site to Site VPN
Hello all,
I am a Fortigate newb. The only documentation I can find on NAT over site to site IPSEC VPN pertains to versions before 5.6, and only to NATting entire subnets, on both ends.
I have a working IPSEC site to site VPN between my Fortigate (v.5.6) and a remote site (which is using a Cisco ASA.) I am trying to make ONE host behind the fortigate, 10.0.100.198, appear to the remote site as 192.168.114.6. Could someone tell me, precisely, what I'm supposed to do to make this happen? I have experimented with Virtual IPs and IP pools, but nothing seems to work. It's probably something simple that I'm missing. If it helps, in Cisco language, this is what I'm trying to accomplish:
object-group network external network-object host X.X.X.X object network internal host 10.0.100.198 object network translated_address host 192.168.114.6 (This is what I want the remote site to see 10.0.100.198 as) nat (inside,outside) 1 source static internal translated_address destination static external external
Thanks!
Update: I was able to NAT a private address to a static address assigned by my ISP, and hit the web server from outside, through the wan interface:
config firewall policy
edit 5
set name "Web Server"
set srcintf "port2"
set dstintf "port1"
set srcaddr "all"
set dstaddr "Public VIP Group"
set action accept
set status disable
set schedule "always"
set service "ALL"
set logtraffic all
next end
config firewall vipgrp
edit "Public VIP Group"
set interface "port2"
set member "Public PC VIP"
next
end
config firewall vip
edit "Public PC VIP"
set extip 172.216.8.195
set extintf "port2"
set mappedip "10.0.100.198"
next end
I just can't figure out how to do this over a site to site IPSEC VPN, using a static IP of my choice (instead of one assigned by my ISP - 172.216.8.195.)
Solved! Go to Solution.
1 Solution
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Okay let me clearified if this is a rt-base-vpn you need to apply the "SNAT" address in the vpn tunnel cfg
e.g
config vpn ipsec phase2 edit "YOURTUNNELNAMEHERE" set keylifeseconds 28000 set src-subnet 192.168.114.6/32 < the ippool address> set dst-subnet x.x.x.x./yy next end
PCNSE
NSE
StrongSwan
PCNSE
NSE
StrongSwan
- « Previous
-
- 1
- 2
- Next »
19 REPLIES 19
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I got it to work. The problem was my VIP was set to "any" interface instead of the tunnel interface "COMPANY."
My next task was to allow another computer (on the Fortigate side) through the tunnel, without NATting it (but still NATting the other computer.)
So I added the un-NATted IP of the additional computer to the phase 2 selector.
Then I created two more rules (one inbound and one outbound, without any NAT) for the additional computer, on the VPN interface.
Either of the rule pairs will work as expected, if I disable the other two rules. But for some reason, if I enable all four rules at the same time, I get inconsistent ping replies across the tunnel. I am at a loss as to why. I can't find any documentation that explains how to do this.
I can't tell you how much I appreciate your help, emnoc. We are running a VM demo, and I'm trying to evaluate whether our company wants to switch our hardware to FortiGate from Cisco. I logged a support almost a week ago, (3/22) but the only response to the ticket I've gotten so far was a link to an IP pool document that I have already seen.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
After a call with Fortinet support it was determined the problem was using named addresses in the phase 2 selector. For whatever reason, they would not work. I probably never would have figured this part out on my own, since it apparently was a problem with the software, not configuration. So if anyone else finds themselves in this predicament, try not using named addresses.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
FYI:
In FortiOS, an ippool specifies source NAT, the source address will be replaced. A VIP does destination NAT, that is, the destination IP address is replaced.
- besides, a VIP is an active construct. The FGT will do proxy arp according to the setting in the VIP, it will respond on behalf of the host with the mapped-to address.
- only creating a VIP will influence how the FGT will react to traffic (as opposed to other configurations which - if not inserted in a policy - will not be noticeable). For proper usage, the VIP needs to be used in a policy as the destination address object.
- yes, best practice is to only use numeric addresses in phase2 of an IPsec VPN. Using name objects can have funny effects. But, AFAIR, some other 3rd party vendor demands the usage of named addresses in a VPN, or it won't work. There's always an exception to the rule.
If you are working on a Proof of Concept demo, you should get proper support by a local Fortinet SE. You don't need to reinvent the wheel. Contact your channel manager (if you are a FTNT partner) or your FTNT partner for this. A failed PoC can keep enterprises from looking at FTNT equipment for a long time, a successful one may mean another longtime customer. Still, I'm glad you've found your way to the forums (and that emnoc spends his Easter holidays here :)
Ede Kernel panic: Aiee, killing interrupt handler!
Ede Kernel panic: Aiee, killing interrupt handler!
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I know this is a very old thread but I have the same requirement using 7.0. Could someone explain how I can accomplish the same using the GUI? I'm new to Fortigate and have not yet learned the intricacies of the CLI.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I know this is a very old thread but I have the same requirement using 7.0. Could someone explain how I can accomplish the same using the GUI? I'm new to Fortigate and have not yet learned the intricacies of the CLI.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I would say that you create a VIP with extinf set as any and create a firewall policy that uses the vip as a destination. You might not like it but then you would need to edit the VIP in CLI and do "set nat-source-vip enable"
Then your ipsec SAs would be the translated/external address for the the real server.
A diagram would actually help.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hope this image make sense. Left side of diagram is our office. Right side is a remote client and I don't have details of their exact setup.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
That should just be a VIP on the left fortigate. External address would be 50.50.2.50 and mapped address would be 192.168.2.50. In the firewall policy the Source interface is the ipsec tunnel and destination interface is the 192.168 interface. The VIP would be applied as the destination.
Then you would have a firewall policy from the left to the right allowing whatever traffic.
The SAs for the ipsec tunnel would use the 50.50 address instead of the 192.168
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you. I'll try this out when I'm back in the office next week.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Well, that is kind of the case. Right now on the Cisco ASA I have maybe 30-40 site-to-site tunnels to/from clients and maybe 5 of them are setup as a NAT on my end due to conflicting/overlapping subnets. I just want to know the best approach of getting this done on the Fortigate as I'm considering of migrating everything over to the fortigate. My network is pretty small, primarily just 8 VM servers and I setup my end as /32 while my client's end can be a subnet of /24 can may or may not overlap my subnet or they request I NAT so it doesn't conflict their end and with other client's/vendors they may have.
https://19216801.onl/ https://routerlogin.uno/
- « Previous
-
- 1
- 2
- Next »
Announcements
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
Related Posts
- Block country but allow specific IP... 89 Views
- Firewall policy per AD user 105 Views
- Fixing IP overlap using virtual IPs 98 Views
- Transparent VLAN between Fortigate port and... 146 Views
- Routing issues - instead of inter... 302 Views
Labels
-
FortiGate
7,188 -
FortiClient
1,419 -
5.2
801 -
5.4
639 -
FortiManager
621 -
FortiAnalyzer
458 -
6.0
416 -
FortiAP
376 -
FortiSwitch
375 -
5.6
362 -
FortiClient EMS
291 -
FortiMail
281 -
6.2
251 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
175 -
FortiNAC
128 -
6.4
128 -
FortiGuard
116 -
IPsec
110 -
SSL-VPN
109 -
FortiGateCloud
98 -
FortiSIEM
94 -
FortiCloud Products
90 -
FortiToken
77 -
Customer Service
71 -
Wireless Controller
65 -
4.0MR3
64 -
FortiProxy
49 -
SD-WAN
49 -
FortiEDR
46 -
FortiADC
45 -
Fortivoice
44 -
FortiDNS
39 -
FortiExtender
35 -
FortiGate v5.4
35 -
FortiAuthenticator
35 -
Firewall policy
35 -
FortiSandbox
34 -
FortiSwitch v6.4
32 -
VLAN
31 -
High Availability
31 -
DNS
24 -
FortiWAN
24 -
FortiConnect
24 -
ZTNA
23 -
BGP
21 -
LDAP
21 -
FortiConverter
21 -
Certificate
21 -
SAML
20 -
FortiGate v5.2
19 -
FortiPortal
18 -
Routing
18 -
Interface
18 -
FortiSwitch v6.2
17 -
VDOM
17 -
FortiMonitor
15 -
Authentication
15 -
FortiLink
15 -
FortiGate v5.0
14 -
Fortigate Cloud
14 -
FortiDDoS
14 -
Logging
14 -
NAT
13 -
RADIUS
12 -
SSL SSH inspection
12 -
FortiCASB
12 -
Application control
11 -
Web profile
11 -
Traffic shaping
10 -
Virtual IP
10 -
SSO
10 -
FortiRecorder
10 -
SSID
9 -
FortiWeb v5.0
9 -
FortiManager v5.0
9 -
WAN optimization
9 -
4.0MR2
9 -
IP address management - IPAM
8 -
FortiBridge
8 -
SNMP
8 -
FortiGate v4.0 MR3
8 -
OSPF
8 -
RMA Information and Announcements
7 -
FortiSOAR
7 -
FortiAnalyzer v5.0
7 -
FortiAP profile
7 -
4.0
7 -
Admin
7 -
Web application firewall profile
7 -
Static route
6 -
Security profile
6 -
Proxy policy
6 -
Traffic shaping policy
6 -
Automation
6 -
IPS signature
5 -
Packet capture
5 -
DNS Filter
5 -
FortiCache
5 -
FortiManager v4.0
5 -
trunk
5 -
FortiDeceptor
4 -
FortiDirector
4 -
Web rating
4 -
Intrusion prevention
4 -
Port policy
4 -
Antivirus profile
4 -
System settings
4 -
FortiPAM
4 -
FortiCarrier
4 -
FortiTester
4 -
3.6
4 -
DLP sensor
4 -
FortiScan
4 -
Fabric connector
3 -
NAC policy
3 -
Users
3 -
Multicast routing
3 -
FortiToken Cloud
3 -
Traffic shaping profile
3 -
Fortinet Engage Partner Program
3 -
DLP Dictionary
3 -
DLP profile
3 -
FortiDB
3 -
DoS policy
3 -
Email filter profile
3 -
FortiInsight
2 -
Netflow
2 -
Protocol option
2 -
FortiAI
2 -
Application signature
2 -
FortiHypervisor
2 -
VoIP profile
2 -
Internet Service Database
2 -
Explicit proxy
2 -
4.0MR1
1 -
Multicast policy
1 -
Zone
1 -
FortiCWP
1 -
Kerberos
1 -
Subscription Renewal Policy
1 -
FortiNDR
1 -
TACACS
1 -
Replacement messages
1 -
Schedule
1 -
SDN connector
1 -
FortiManager-VM
1 -
Authentication rule and scheme
1 -
Service
1
Top Kudoed Authors
| User | Count |
|---|---|
| 1077 | |
| 892 | |
| 529 | |
| 441 | |
| 152 |
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.