Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
jonmckinlay
New Contributor

NAT in a IPSEC VPN Tunnel

Hi all,

I'm new to Fortinet (normally Cisco) so I'm struggling to get my head around NAT within a VPN tunnel.

I have a single server on my LAN that I would like to make accessible over an IPsec VPN, but I would like the server's real IP to be hidden behind a single IP address that's dedicated to that server. The server both initiates and responds, so I need the NAT to be static and bi-directional.

So I've set up a VIP between the one internal IP and the public IP address that I am using in the tunnel. The VPN tunnel has been made with the source for phase2 as the single VIP address. I am only testing inbound at the moment, so the far end is trying to hit my VIP address. The VPN tunnel is up; however, all traffic from the far end towards the VIP does not seem to NAT and make it to my device. My policy for testing allows all traffic from that VPN to anywhere, and more strangely I don't see any hits for the traffic in the forwarded traffic log, but I do see it in the local traffic log, where it's denied by the local-in policy.

As a test I removed the NAT and changed the phase2 to be the server's real address, and it got straight in with no problems. This is not a solution I can retain, as the intended VPN, in its final location, will have overlapping IP addresses, so I want to advertise my server on a public IP address.

Am I doing something fundamentally wrong? Is a VIP bi-directional, or have I completely missed the point somewhere?

As a side note, my internet side is a /24, and the FortiGate's external IP was in that range, as well as the VIP address I am using. Thinking this was maybe the problem, I split the FortiGate appliance to be a /25 and then used the other /25 as the VIP range, but that seemed to make no difference.

7 REPLIES
rwpatterson
Valued Contributor III

Welcome to the forums.

After you split the subnets, do you still see that same situation? No NAT and denied. Now in the policy section, ensure you have an inward facing policy and that the VIP definition is the destination on that policy. For the outbound policy, you will need to create an IP pool with that same single IP address the outside world sees, and use that in the policy from the server back out the tunnel.

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
emnoc
Esteemed Contributor III

NAT in an IPsec tunnel is doable, SNAT or DNAT, if it's route-based.

Treat the interface of the route-based tunnel just like an "interface".

Make sure to use the post-NAT address in the IPsec SA selector and not the "pre-NAT address".

Ken Felix
PCNSE NSE StrongSwan
jonmckinlay

Hi Bob,

Thanks for taking the time to reply to me. I believe I did see the same result after splitting the subnet, but I'd have to test this again to make sure; I tried a few things, so I don't want to say for definite. Ideally, I'd like not to split the subnet and just have the WAN interface in the /24 and also the VIPs in the same range. Are there any pros or cons to either approach?

So, in Fortinet, are the VIPs just uni-directional, which is why you need the policy for outbound to have the VIP address as a NAT pool?

I've updated my inbound policy to allow to the VIP address. For the outbound, I assume that the source will be the server's real internal IP address, as it's this policy that applies the NAT pool.

Also, for my VIP I've put the source interface as the VPN tunnel in question. Is this correct, or should it be the WAN interface?

Are there any debugs I can run whilst testing this to help further troubleshoot?

Having done the above, I will test again in the morning when my contact at the far end is available and will post the result.

Thanks again. 

Jon

emnoc
Esteemed Contributor III

So, in Fortinet, are the VIPs just uni-directional, which is why you need the policy for outbound to have the VIP address as a NAT pool?

I'm not Bob, but yes, the VIP is DNAT and uni-directional; traffic returned by the session will be allowed (stateful), but if that server wants to originate, it would need what you stated, a "fwpolicy and ippool for SNAT".

Ken
PCNSE NSE StrongSwan
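Bob's advice above (an inbound policy whose destination is the VIP, and an outbound policy using a one-address IP pool) and Ken's (treat the route-based tunnel as an ordinary interface, and put the post-NAT address in the phase2 selector), written out as FortiOS CLI. This is an added example, not configuration posted by either of them. Every address, interface and object name is an assumed placeholder: the server's real IP 192.168.10.50, the post-NAT address 203.0.113.50, the far end's LAN 10.200.0.0/24, the route-based phase1-interface "vpn-partner" and the LAN port "internal".

```fortios
# Constructed FortiOS example. Assumed values:
#   real server    192.168.10.50   (private LAN address, never sent into the tunnel)
#   post-NAT IP    203.0.113.50    (the only address the far end ever sees)
#   far-end LAN    10.200.0.0/24
#   tunnel iface   vpn-partner     (route-based phase1-interface, already up)
#   LAN iface      internal

# Inbound direction: DNAT. The external interface is the tunnel itself,
# so packets arriving from the far end can match this VIP.
config firewall vip
    edit "vip-server-nat"
        set extip 203.0.113.50
        set extintf "vpn-partner"
        set mappedip "192.168.10.50"
    next
end

# Outbound direction: SNAT via a one-to-one pool holding the same single address,
# so connections the server originates leave with 203.0.113.50 as source.
config firewall ippool
    edit "pool-server-nat"
        set type one-to-one
        set startip 203.0.113.50
        set endip 203.0.113.50
    next
end

config firewall address
    edit "server-real"
        set subnet 192.168.10.50 255.255.255.255
    next
    edit "partner-lan"
        set subnet 10.200.0.0 255.255.255.0
    next
end

# Phase2 selector carries the post-NAT address, not the server's real one (Ken's point).
config vpn ipsec phase2-interface
    edit "vpn-partner-p2"
        set phase1name "vpn-partner"
        set src-subnet 203.0.113.50 255.255.255.255
        set dst-subnet 10.200.0.0 255.255.255.0
    next
end

# Route the far-end LAN into the tunnel interface.
config router static
    edit 0
        set dst 10.200.0.0 255.255.255.0
        set device "vpn-partner"
    next
end

config firewall policy
    # Far end -> server: destination is the VIP object, which performs the DNAT.
    edit 0
        set name "partner-in-to-server"
        set srcintf "vpn-partner"
        set dstintf "internal"
        set srcaddr "partner-lan"
        set dstaddr "vip-server-nat"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    # Server -> far end: source is the real address; NAT with the pool does the SNAT.
    edit 0
        set name "server-out-to-partner"
        set srcintf "internal"
        set dstintf "vpn-partner"
        set srcaddr "server-real"
        set dstaddr "partner-lan"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
        set ippool enable
        set poolname "pool-server-nat"
    next
end
```

Two things worth checking once this is in place. The far end must only ever reference 203.0.113.50 in its own selectors and routes; if it still references 192.168.10.50, the selectors will not match and the inbound traffic will never reach the VIP. And to see which policy a packet from the far end actually lands on (Jon asked about debugs), `diagnose debug flow filter addr 203.0.113.50`, `diagnose debug flow trace start 100` and `diagnose debug enable` print the policy lookup and the DNAT step per packet, with `diagnose debug flow trace stop` and `diagnose debug disable` to end it; `diagnose sniffer packet any 'host 203.0.113.50' 4` shows the interface each packet arrives on and whether replies leave with the translated source.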
jonmckinlay

Thanks Ken,

I'll give that a test again in the morning and see how that goes.

Jon

rwpatterson
Valued Contributor III

Thanks Ken. Busy at work. Limited time on the forums...

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
emnoc
Esteemed Contributor III

Aren't we all ;)

PCNSE NSE StrongSwan