I'd like to throw a question into the round that has been puzzling me for some days:
We have a VPN tunnel incoming with 192.168.101.xxx. The system which should be reached has 192.168.9.xxx. The virtual IP mapping I can set defines the incoming external IP as well as the map-to IP.
BUT: and here is the tricky thing... The partner needs to use a placeholder IP. So the partner calls IP 172.29.62.xxx. This should be mapped to 192.168.9.xxx, but the rule is not used because the incoming IP is 192.168.101.xxx.
Summary: Incoming 192.168.101.xxx calls 172.26.62.xxx, which has to be mapped to 192.168.9.xxx.
Can you please help me understand how to configure such a scenario?
In general you are right, but the VIP only gets hit if the external IP would be 172.26.62.xxx. But the external IP is a different one. I just added a small picture. Maybe this explains it a bit better than with words ;)
You can use any IP you want as the External IP in a VIP as long as that IP is routed to the external interface for that VIP.
In other words if packets destined to 172.26.62.x are being properly routed to your FortiGate's interface then the VIP will cause the FortiGate to reply to ARP requests for the IP that is configured as "external IP" in the VIP. The IP does not have to exist on the actual interface.
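A FortiOS CLI sketch of the setup described in this thread, added here as an illustration and not taken from any poster's configuration. Assumptions: the tunnel interface is named "partner-vpn", the internal interface "internal", the partner network is a /24, the host octets (.10) are constructed stand-ins for the "xxx" in the thread, and only HTTPS is needed.

```fortios
# Source object for the partner side of the tunnel (assumed /24).
config firewall address
    edit "partner-net"
        set subnet 192.168.101.0 255.255.255.0
    next
end

# The VIP matches on the DESTINATION the partner calls (the placeholder IP),
# not on the partner's source address. extintf is the interface where the
# packets arrive, here the assumed tunnel interface.
config firewall vip
    edit "partner-placeholder"
        set extintf "partner-vpn"
        set extip 172.26.62.10
        set mappedip "192.168.9.10"
    next
end

# The policy uses the VIP object as destination. Limiting srcaddr and
# service keeps the mapped host reachable only from the partner network
# and only on the port that is actually needed.
config firewall policy
    edit 0
        set name "partner-to-mapped-host"
        set srcintf "partner-vpn"
        set dstintf "internal"
        set srcaddr "partner-net"
        set dstaddr "partner-placeholder"
        set action accept
        set schedule "always"
        set service "HTTPS"
    next
end
```

The VIP only takes effect if the partner actually sends traffic for the placeholder address into the tunnel, so the placeholder range must be part of what is routed to that interface.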