Support Forum
botsergeant
New Contributor

NAT a single IP address through Site to Site VPN

Hello all,

 

I am a Fortigate newb.  The only documentation I can find on NAT over site to site IPSEC VPN pertains to versions before 5.6, and only to NATting entire subnets, on both ends. 

 

I have a working IPSEC site to site VPN between my Fortigate (v.5.6) and a remote site (which is using a Cisco ASA.)  I am trying to make ONE host behind the fortigate, 10.0.100.198, appear to the remote site as 192.168.114.6.  Could someone tell me, precisely, what I'm supposed to do to make this happen?  I have experimented with Virtual IPs and IP pools, but nothing seems to work.  It's probably something simple that I'm missing.  If it helps, in Cisco language, this is what I'm trying to accomplish:

 

object-group network external
  network-object host X.X.X.X
object network internal
  host 10.0.100.198
object network translated_address
  host 192.168.114.6   (This is what I want the remote site to see 10.0.100.198 as)
nat (inside,outside) 1 source static internal translated_address destination static external external

 

 Thanks!

 

 

Update: I was able to NAT a private address to a static address assigned by my ISP, and hit the web server from outside, through the wan interface:

 

config firewall policy
    edit 5
        set name "Web Server"
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "Public VIP Group"
        set action accept
        set status disable
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
end

config firewall vipgrp
    edit "Public VIP Group"
        set interface "port2"
        set member "Public PC VIP"
    next
end

config firewall vip
    edit "Public PC VIP"
        set extip 172.216.8.195
        set extintf "port2"
        set mappedip "10.0.100.198"
    next
end

 

I just can't figure out how to do this over a site to site IPSEC VPN, using a static IP of my choice (instead of one assigned by my ISP - 172.216.8.195.)   

1 Solution
emnoc
Esteemed Contributor III

Okay, let me clarify: if this is a route-based VPN you need to apply the "SNAT" address in the VPN tunnel config

 

e.g.:

 

config vpn ipsec phase2
    edit "YOURTUNNELNAMEHERE"
        set keylifeseconds 28000
        set src-subnet 192.168.114.6/32    <-- the ippool address
        set dst-subnet x.x.x.x/yy
    next
end

PCNSE 

NSE 

StrongSwan  
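As an added, complete example (not from this thread and not Fortinet's own documentation), here is the route-based version of what emnoc describes for the original scenario: the tunnel interface "COMPANY" and the addresses 10.0.100.198 / 192.168.114.6 come from the thread; the LAN interface port1 (matching the poster's own policy above, where port2 is the WAN side), the remote LAN 192.168.200.0/24 and a second, un-NATted host 10.0.100.50 are assumed placeholders. Phase 2 selectors use numeric addresses only, the VIP is bound to the tunnel interface, and the return direction uses a one-to-one IP pool as the SNAT address. Lines starting with # are comments for the reader.

```fortios
# Added example; not from this thread and not Fortinet's own documentation.
# From the thread: tunnel interface "COMPANY", host 10.0.100.198 seen remotely as 192.168.114.6.
# Assumed: LAN on port1; remote LAN 192.168.200.0/24 and a second, un-NATted host 10.0.100.50
# are constructed placeholders. Phase 2 selectors use numeric addresses only.
config vpn ipsec phase2-interface
    edit "COMPANY-nat-host"
        set phase1name "COMPANY"
        set src-subnet 192.168.114.6/32      # translated address, not 10.0.100.198
        set dst-subnet 192.168.200.0/24
    next
    edit "COMPANY-real-host"
        set phase1name "COMPANY"
        set src-subnet 10.0.100.50/32        # this host crosses the tunnel un-NATted
        set dst-subnet 192.168.200.0/24
    next
end
config router static
    edit 0
        set dst 192.168.200.0/24
        set device "COMPANY"                 # route-based VPN: remote LAN is reached via the tunnel interface
    next
end
config firewall address
    edit "NAT-host"
        set subnet 10.0.100.198/32
    next
    edit "Real-host"
        set subnet 10.0.100.50/32
    next
end
# Inbound: remote -> 192.168.114.6 is destination-NATed to 10.0.100.198.
# The VIP is bound to the tunnel interface, not "any" and not the WAN port.
config firewall vip
    edit "VPN-host-VIP"
        set extintf "COMPANY"
        set extip 192.168.114.6
        set mappedip "10.0.100.198"
    next
end
# Outbound: 10.0.100.198 -> remote is source-NATed to 192.168.114.6 via a one-to-one pool.
config firewall ippool
    edit "VPN-host-SNAT"
        set type one-to-one
        set startip 192.168.114.6
        set endip 192.168.114.6
    next
end
config firewall policy
    edit 0
        set name "VPN-to-NAT-host"
        set srcintf "COMPANY"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "VPN-host-VIP"           # the VIP object is the destination
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 0
        set name "NAT-host-to-VPN"
        set srcintf "port1"
        set dstintf "COMPANY"
        set srcaddr "NAT-host"               # only this host is translated
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
        set ippool enable
        set poolname "VPN-host-SNAT"
    next
    edit 0
        set name "VPN-to-real-host"
        set srcintf "COMPANY"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "Real-host"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 0
        set name "Real-host-to-VPN"
        set srcintf "port1"
        set dstintf "COMPANY"
        set srcaddr "Real-host"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
```

Two points worth checking on a box built this way: the outbound SNAT policy is keyed on the real host's address object, so the un-NATted host never picks up the pool, and the remote ASA's interesting-traffic ACL must list 192.168.114.6 and 10.0.100.50 (never 10.0.100.198) as the FortiGate-side networks, since those are the only addresses the phase 2 selectors negotiate.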

botsergeant

I got it to work.  The problem was my VIP was set to "any" interface instead of the tunnel interface "COMPANY."

 

My next task was to allow another computer (on the Fortigate side) through the tunnel, without NATting it (but still NATting the other computer.) 

 

So I added the un-NATted IP of the additional computer to the phase 2 selector. 

 

Then I created two more rules (one inbound and one outbound, without any NAT) for the additional computer, on the VPN interface.

 

Either of the rule pairs will work as expected, if I disable the other two rules.  But for some reason, if I enable all four rules at the same time, I get inconsistent ping replies across the tunnel.  I am at a loss as to why.  I can't find any documentation that explains how to do this.   

 

I can't tell you how much I appreciate your help, emnoc.  We are running a VM demo, and I'm trying to evaluate whether our company wants to switch our hardware to FortiGate from Cisco.  I logged a support ticket almost a week ago (3/22), but the only response to the ticket I've gotten so far was a link to an IP pool document that I have already seen.


botsergeant

After a call with Fortinet support it was determined the problem was using named addresses in the phase 2 selector.  For whatever reason, they would not work.  I probably never would have figured this part out on my own, since it apparently was a problem with the software, not configuration.  So if anyone else finds themselves in this predicament, try not using named addresses.

ede_pfau

FYI:

In FortiOS, an ippool specifies source NAT: the source address is replaced. A VIP does destination NAT, that is, the destination IP address is replaced.

- besides, a VIP is an active construct. The FGT will do proxy ARP according to the setting in the VIP; it will respond on behalf of the host with the mapped-to address.

- only creating a VIP will influence how the FGT will react to traffic (as opposed to other configurations which - if not inserted in a policy - will not be noticeable). For proper usage, the VIP needs to be used in a policy as the destination address object.

- yes, best practice is to only use numeric addresses in phase2 of an IPsec VPN. Using name objects can have funny effects. But, AFAIR, some other 3rd party vendor demands the usage of named addresses in a VPN, or it won't work. There's always an exception to the rule.

 

If you are working on a Proof of Concept demo, you should get proper support by a local Fortinet SE. You don't need to reinvent the wheel. Contact your channel manager (if you are a FTNT partner) or your FTNT partner for this. A failed PoC can keep enterprises from looking at FTNT equipment for a long time, a successful one may mean another longtime customer. Still, I'm glad you've found your way to the forums (and that emnoc spends his Easter holidays here :)

Ede Kernel panic: Aiee, killing interrupt handler!
rahull320
New Contributor

I know this is a very old thread but I have the same requirement using 7.0. Could someone explain how I can accomplish the same using the GUI? I'm new to Fortigate and have not yet learned the intricacies of the CLI.

aguerriero

I would say that you create a VIP with extintf set as any and create a firewall policy that uses the VIP as a destination. You might not like it, but then you would need to edit the VIP in the CLI and do "set nat-source-vip enable".

Then your IPsec SAs would be the translated/external address for the real server.

A diagram would actually help.

rahull320

 

Hope this image makes sense. Left side of the diagram is our office. Right side is a remote client and I don't have details of their exact setup. [image: FG to Client VPN NAT.png]

aguerriero

That should just be a VIP on the left fortigate. External address would be 50.50.2.50 and mapped address would be 192.168.2.50. In the firewall policy the Source interface is the ipsec tunnel and destination interface is the 192.168 interface. The VIP would be applied as the destination.

Then you would have a firewall policy from the left to the right allowing whatever traffic.

The SAs for the ipsec tunnel would use the 50.50 address instead of the 192.168
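As an added example (not from this thread) of the VIP-only variant aguerriero describes for the diagram scenario, where the server's own address is never exposed to the client and the VIP's external IP is used for source translation as well: the addresses 50.50.2.50 and 192.168.2.50 come from the thread; the tunnel interface "to-client", the LAN interface "internal" and the client subnet 172.16.50.0/24 are assumed placeholders. Lines starting with # are comments for the reader.

```fortios
# Added example; not from this thread and not Fortinet's own documentation.
# From the thread: real server 192.168.2.50 must appear to the client as 50.50.2.50.
# Assumed: tunnel interface "to-client", LAN interface "internal",
# client subnet 172.16.50.0/24 (constructed placeholder).
config vpn ipsec phase2-interface
    edit "to-client-p2"
        set phase1name "to-client"
        set src-subnet 50.50.2.50/32         # the SA carries the translated address, not 192.168.2.50
        set dst-subnet 172.16.50.0/24
    next
end
# One VIP does both directions: inbound DNAT 50.50.2.50 -> 192.168.2.50, and with
# nat-source-vip the server's outbound traffic is SNATed to 50.50.2.50.
config firewall vip
    edit "server-vip"
        set extintf "to-client"
        set extip 50.50.2.50
        set mappedip "192.168.2.50"
        set nat-source-vip enable
    next
end
config firewall policy
    edit 0
        set name "client-to-server"
        set srcintf "to-client"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "server-vip"             # VIP object as the destination
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 0
        set name "server-to-client"
        set srcintf "internal"
        set dstintf "to-client"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable                       # source is translated to the VIP's external IP, not the tunnel interface IP
    next
end
```

The difference from an IP-pool setup is that there is no separate pool object to keep in sync with the VIP: the same 50.50.2.50 is the destination the client sends to and the source it sees replies from. If the client ever needs to reach more than this one server, each additional real host gets its own VIP and its own /32 in the phase 2 selector.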

rahull320

Thank you. I'll try this out when I'm back in the office next week.

shawinfra
New Contributor

Well, that is kind of the case. Right now on the Cisco ASA I have maybe 30-40 site-to-site tunnels to/from clients and maybe 5 of them are set up as a NAT on my end due to conflicting/overlapping subnets. I just want to know the best approach to getting this done on the Fortigate as I'm considering migrating everything over to the Fortigate. My network is pretty small, primarily just 8 VM servers, and I set up my end as /32 while my client's end can be a subnet of /24 that may or may not overlap my subnet, or they request I NAT so it doesn't conflict with their end and with other clients/vendors they may have.
