Unlock Exclusive Benefits
Join Our Community Today!
Join our community and post in the forum to earn your exclusive Holiday badge! Become a member today!
LOGIN/REGISTER
CONTINUE AS A GUEST
- Support Forum
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiADC
- FortiAIOps
- FortiAnalyzer
- FortiAP
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDLP
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEdgeCloud
- FortiEDR
- FortiExtender
- FortiGuest
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiMonitor
- FortiManager
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPhish
- FortiPortal
- FortiPresence
- FortiSRA
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiScan
- FortiSandbox
- FortiSASE
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiWAN
- FortiToken
- FortiVoice
- FortiWeb
- Wireless Controller
- FortiAppSec Cloud
- RMA Information and Announcements
- Lacework
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Support Forum
- NAT' ing within a VPN tunnel
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Not applicable
Created on 11-17-2010 06:26 AM
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
NAT' ing within a VPN tunnel
We have been asked to setup a VPN tunnel between ourselves and a 3rd party to us. They will be providing access to an application over this tunnel. The tunnel is no problem for us to setup however, the internal ip range we currently use is already in use by them at their end or overlaps a current range of theirs.
I was wondering if it were possible to NAT traffic inside a tunnel on an F310b so we could use a completely new ip list and then NAT that to our users/servers etc. We both use a 10 range internally and they have asked if we could use a 192 range and then NAT that to our 10 range. We have obviously had thoughts about using VIPS but can VIPS be used inside a VPN tunnel?
Any help would be very much appreciated.
20 REPLIES 20
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Welcome to the forums.
If you create a tunnel in interface mode, then yes, it can be done. Two policies will have to be created though:
* One for inbound traffic with that VIP defiunition
* A second for outbound traffic with an IP pool
The reason for two is that depending on which side starts the transfer, that policy will get the traffic to/from the tunnel. If the traffic is one way, the you will only need one.
Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
Bob - self proclaimed posting junkie!See my Fortigate related scripts
at: http://fortigate.camerabob.com
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This can also be done without using interface mode, just enable outbound NAT on your encrypt policy, use the command " set natip" on your policy and the command " set use-natip disable" on your tunnel. It works fine, we use it for a lot of our customers.
Willem
__________________________________
FCNSP (Fortinet Certified Network Security Professional)
Willem __________________________________ FCNSP (Fortinet Certified
Network Security Professional)
Not applicable
Created on 11-23-2010 07:19 AM
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Willem
Your level of expertise on these is obvioulsy far greater than mine - could you please tell me in detail how I go about doing what you said on our Firewall - we have v4.2 on a 310b. many thanks for your help.
Andrew
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
take a good advice and configure your tunnel in interface mode. All it takes is to check the " interface mode" option box when creating the phase1. Then you obtain a new interface (Network>Interface) by the name of the phase1. You can handle that like any other interface or port: policy, NAT, VIP, routing,...you name it. The concept is so clear and straightforward it outshadows policy based VPNs by far.
My personal opinion is that things that I don' t understand might work at first if I follow detailed instructions to the point. But then one little deviation of the documented setup, and I will go hunting the error near forever - just because I don' t understand the concept. And one of the best hidden concepts in this world is the policy based VPN from Fortinet.
Now, religious part over. What you are setting up is a common scenario. As such Fortinet has documented the steps in the IPSec VPN Handbook on http://docs.fortinet.com. For 4.00MR2 see pages 40-44 " How to work with overlapping subnets" . The last 2 pages even show the detailed configuration for policy based VPN' s.
Ede Kernel panic: Aiee, killing interrupt handler!
Ede Kernel panic: Aiee, killing interrupt handler!
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Andrew,
I partially agree with Ede, when starting with Fortinet it' s a good idea to configure your tunnels in interface mode, it' s easier to work with. So in your case his advice is certainly correct and you would better reconfigure your VPN in interface mode.
I don' t agree with his statements that policy based VPN is totally outshadowed by interface VPN or that it' s concept is hidden/difficult, therefore I will answer your question too:
You need a few things to get this working with policy based VPN:
1) in the GUI, check the box for outbound NAT in your VPN policy.
2) in the CLI, edit that same policy and add the line " set natip x.x.x.x y.y.y.y" where x.x.x.x is the network address and y.y.y.y the subnet mask.
3) in the CLI, edit phase 2 of your VPN tunnel configuration and add the line: " set use-natip disable"
This will give you the same result as natting on interface mode, but because it' s CLI based it' s less obvious and as I said before: if you' re not used to work with the CLI, following Ede' s advice and configuring interface mode so you can do everything in the GUI would be a better idea.
Kind regards,
Willem
Willem
__________________________________
FCNSP (Fortinet Certified Network Security Professional)
Willem __________________________________ FCNSP (Fortinet Certified
Network Security Professional)
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Right on the spot Willem,
Very good answer.
I do favor interface mode IPsec. As it supports OSPF over the VPN and it has more routing capabilities, on top of the more self explanatory configuration.
I.e. if you have to configure a dialup-vpn to internet connection you get something like this
wan1 all wan1 dialup segment inbound-nat allow-inbound
brrrr.... not so obvious.
Cheers, Eric
Rackmount your Fortinet --> http://www.rackmount.it/fortirack
Rackmount your Fortinet --> http://www.rackmount.it/fortirack
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Eric,
both have advantages and disadvantages, I' ve got a customer with over 250 VPN' s, if you enable interface mode there, the amount of subinterfaces and the routing table would just grow too big to work with.
I always try to use the most suited mode for the environment I' m working in, but I have to agree that interface mode is certainly more self explanatory.
Anyway, that' s not the discussion here, let' s see wether we helped Andrew out to fix his issue or if he needs some more hints from us.
Kind regards,
Willem
Willem
__________________________________
FCNSP (Fortinet Certified Network Security Professional)
Willem __________________________________ FCNSP (Fortinet Certified
Network Security Professional)
Not applicable
Created on 11-25-2010 04:52 AM
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Guys
The more I read the more I get confused. I' m happy setting up a normal vpn tunnel however on this occasion I' ve read the IPSEC VPN' s about overlapping subnets but the config example they gave is for where you have VIPs at either end.
My problem again is ... a supplier of ours needs to access a complete range of private ip' s on our system so lets say 10.66.0.1 to 10.66.0.254. Their internal range is 10.1.0.0/22. They have asked us to NAT our network and suggested 192.168.23.38 to 192.168.23.49.
I think I have to create a VIP for this so have created a vip from the 192. range they suggested to our 10.66 range.
My problems start when I try to create policies as I am not sure what rules with NAT applied etc I need or do I create to VIP' s one for inbound and one outbound.
Thanks for the help so far
Andy
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
In your case you only need one VIP, many-to-many.
The example I hinted at applies for the situation where both networks share the same IP range. This is not the case here.
You define a VIP (as you probably did) on the wan interface,
name: xxx
external IP: 192.168.23.1 <==
mapped to IP: 10.66.0.1 AND ending at 10.66.0.254
static NAT
port forwarding: no
this way, every mapped IP from the internal subnet is mapped onto the 192.168. subnet.
Added benefit: if one of your hosts (e.g. 10.66.0.40) originates traffic to the supplier' s subnet like in ' ping 10.1.0.5' the VIP will take care of your (original) source IP and substitute the 192.168.23.40 for it.
Now your only policy will be:
from tunnel_interface, supplier_subnet
to internal, VIP (!)
service=...
action=ACCEPT
where supplier_subnet is an address defined as ' 10.1.0.0/22' .
Ede Kernel panic: Aiee, killing interrupt handler!
Ede Kernel panic: Aiee, killing interrupt handler!
Labels
-
FortiGate
9,373 -
FortiClient
1,904 -
5.2
801 -
FortiManager
795 -
5.4
639 -
FortiAnalyzer
607 -
FortiSwitch
513 -
FortiAP
507 -
FortiClient EMS
470 -
6.0
416 -
5.6
362 -
FortiMail
339 -
SSL-VPN
302 -
IPsec
276 -
6.2
251 -
FortiAuthenticator v5.5
234 -
FortiWeb
225 -
FortiNAC
222 -
5.0
196 -
FortiGuard
150 -
SD-WAN
142 -
FortiAuthenticator
132 -
6.4
128 -
Firewall policy
105 -
FortiGateCloud
104 -
FortiSIEM
103 -
FortiCloud Products
102 -
FortiToken
96 -
Wireless Controller
86 -
Customer Service
82 -
FortiProxy
72 -
High Availability
68 -
4.0MR3
64 -
Fortivoice
61 -
FortiEDR
61 -
Routing
58 -
FortiADC
57 -
ZTNA
57 -
VLAN
56 -
DNS
55 -
BGP
52 -
SAML
49 -
RADIUS
48 -
Authentication
48 -
LDAP
48 -
FortiSandbox
47 -
FortiExtender
46 -
NAT
46 -
FortiGate-VM
45 -
Certificate
44 -
SSO
43 -
FortiDNS
42 -
FortiGate v5.4
35 -
VDOM
35 -
FortiSwitch v6.4
34 -
FortiLink
34 -
Application control
34 -
Interface
33 -
FortiConnect
32 -
Logging
31 -
FortiWAN
28 -
Virtual IP
28 -
Web profile
28 -
FortiGate v5.2
26 -
FortiConverter
26 -
FortiPAM
25 -
FortiPortal
23 -
SSL SSH inspection
23 -
FortiGate Cloud
21 -
Traffic shaping
21 -
Static route
21 -
FortiSwitch v6.2
20 -
SSID
20 -
Automation
20 -
snmp
19 -
FortiMonitor
18 -
WAN optimization
18 -
OSPF
16 -
System settings
16 -
FortiDDoS
15 -
Security profile
15 -
Web application firewall profile
15 -
FortiGate v5.0
14 -
FortiSOAR
14 -
FortiCASB
14 -
API
14 -
Admin
14 -
IP address management - IPAM
14 -
IPS signature
13 -
FortiManager v5.0
12 -
Proxy policy
12 -
FortiManager v4.0
11 -
FortiRecorder
11 -
Traffic shaping policy
11 -
FortiAP profile
11 -
Intrusion prevention
11 -
FortiBridge
10 -
Explicit proxy
10 -
Port policy
10 -
Web rating
10 -
4.0MR2
9 -
FortiGate v4.0 MR3
9 -
FortiAnalyzer v5.0
9 -
FortiWeb v5.0
9 -
DNS filter
9 -
Traffic shaping profile
9 -
Fabric connector
9 -
FortiDeceptor
8 -
FortiCache
8 -
RMA Information and Announcements
8 -
trunk
8 -
Users
8 -
Antivirus profile
8 -
Fortinet Engage Partner Program
8 -
4.0
7 -
FortiToken Cloud
6 -
Packet capture
6 -
Authentication rule and scheme
6 -
FortiCarrier
5 -
FortiScan
5 -
FortiTester
5 -
Application signature
5 -
DLP profile
5 -
Email filter profile
5 -
3.6
4 -
FortiDirector
4 -
Internet service database
4 -
NAC policy
4 -
DLP sensor
4 -
Netflow
4 -
Protocol option
4 -
TACACS
4 -
Replacement messages
4 -
SDN connector
4 -
Service
4 -
VoIP profile
4 -
Multicast routing
4 -
Cloud Management Security
4 -
FortiDB
3 -
FortiHypervisor
3 -
FortiNDR
3 -
DLP Dictionary
3 -
DoS policy
3 -
Multicast policy
3 -
FortiInsight
2 -
FortiAI
2 -
Kerberos
2 -
File filter
2 -
Schedule
2 -
Zone
2 -
Vulnerability Management
2 -
FortiEdge Cloud
2 -
FortiGuest
2 -
4.0MR1
1 -
FortiManager-VM
1 -
FortiCWP
1 -
Subscription Renewal Policy
1 -
Video Filter
1 -
ICAP profile
1 -
Virtual wire pair
1 -
FortiEdge
1
Top Kudoed Authors
| User | Count |
|---|---|
| 2052 | |
| 1170 | |
| 770 | |
| 448 | |
| 341 |
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2025 Fortinet, Inc. All Rights Reserved.