Hi all,
I'm new to Fortinet (normally Cisco) so I'm struggling to get my head around NAT within a VPN tunnel.
I have a single server on my LAN that I would like to make accessible over a IPSEC VPN but I would like the servers real IP to be hidden to a single IP address that'd dedicated to that server. The server both initiates and responds so need the NAT static and bi-directional
So I've setup a VIP between the 1 internal IP and the public IP address that I am using in the tunnel. VPN tunnel has been made with the source for phase2 as single VIP address. I am only testing inbound at the moment, so the far end is trying to hit my VIP address. The VPN tunnel is up, however all traffic from the far end towards the VIP does not seem to NAT and make it my device. My policy for testing allows all traffic from that VPN to anywhere and more strange I don't see any hits for the traffic in the forwarded traffic log, but I do see it in the local traffic log, where it's denied by the local-in-policy.
As a test I removed the NAT and changed the phase2 to be the servers real address and it got straight in with no problems. This is not a solution I can retain as the intended VPN, in it's final location, will have overlapping IP address so I want to advertise out my server on a public IP address.
Am I doing something fundamentally wrong? Is a VIP bi-directional. or have I completely missed the point somewhere?
As a side, my internet side is a /24 and the Foritate's external IP was in that range as well as the VIP address I am using, thinkking this was maybe the problem I split the Fortiate applicance to be a /25 and then used the other /25 as the VIP range but that seemed to make no difference.
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Welcome to the forums.
After you split the subnets, do you still see that same situation? No NAT and denied. Now in the policy section, ensure you have an inward facing policy and the the VIP definition is the destination on that policy. For the outbound policy, you will need to create an IP pool with that same single IP address the outside world sees, and use that in the policy from the server back out the tunnel.
Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
NAT in a ipsec tunnel is doable SNAT or DNAT if it's a route-base.
Treat the interface of the route-based just like a "interface"
Make sure to use the post-nat addres in the ipsec-SA selector and not the "pre-nat address"
Ken Felix
PCNSE
NSE
StrongSwan
Hi Bob,
Thanks for taking the time to reply to me. I believe I did see the same result after splitting the subnet, but I'd have to test this again to make sure, I tried a few things so don't want to say for definite. Ideally, I'd like not to split the subnet and just have the wan interface in the /24 and also the VIP's the same range. Is there any pro's or con's to either approach?
So, in Fortinet are the VIP's just uni-directional which is why you need the policy for outbound to have the VIP address as a NAT pool?
I've updated my inbound policy to allow to the VIP address, for the outbound, I assume that the source will be the servers real internal IP address as it's this policy that applies the NAT pool.
Also, for my VIP I've put the source address as the VPN tunnel in question, is this correct or should it be the WAN interface?
Are there any debugs I can run whilst testing this to help further troubleshoot?
Having done the above I will test again in the morning when my contact the far end is available and will post the result.
Thanks again.
Jon
So, in Fortinet are the VIP's just uni-directional which is why you need the policy for outbound to have the VIP address as a NAT pool?
I'm not bob but yes the VIP is DNAT and uni-directional traffic returned by the session will be allow ( statefull ) but if that server want to originate it would need what you stated a "fwpolicy and ippool for SNAT "
Ken
PCNSE
NSE
StrongSwan
Thanks Ken,
I'll give that a test again in the morning and see how that goes.
Jon
Thanks Ken. Busy at work. Limited time on the forums...
Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
Aren't we all ;)
PCNSE
NSE
StrongSwan
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1733 | |
1106 | |
752 | |
447 | |
240 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.