My dear community,
I'd like to throw a question into the round that has puzzled me for some days:
We have an incoming VPN tunnel with 192.168.101.xxx. The system which should be reached has 192.168.9.xxx. The virtual IP mapping I can set defines the incoming external IP as well as the map-to IP.
BUT, and here is the tricky thing: the partner needs to use a placeholder IP. So the partner calls IP 172.29.62.xxx. This should be mapped to 192.168.9.xxx, but the rule is not used because the incoming IP is 192.168.101.xxx.
Summary: Incoming 192.168.101.xxx calls 172.26.62.xxx, which has to be mapped to 192.168.9.xxx.
Can you please help me to understand how to configure such a scenario?
Thanks a lot in advance!
Hello Mardal
I think you want to configure a VIP, with external IP 172.26.62.x, mapped IP 192.168.9.x.
You can find this under Policy & Objects > Virtual IP.
Then a FW policy has to be configured with the VIP as destination address.
Hi AEK,
Thanks for your reply.
In general you are right, but the VIP only gets hit if the external IP is 172.26.62.xxx. But the external IP is a different one. I just added a small picture. Maybe this explains it a bit better than with words ;)
You can use any IP you want as the External IP in a VIP as long as that IP is routed to the external interface for that VIP.
In other words if packets destined to 172.26.62.x are being properly routed to your FortiGate's interface then the VIP will cause the FortiGate to reply to ARP requests for the IP that is configured as "external IP" in the VIP. The IP does not have to exist on the actual interface.
Hope this helps.
Your partner wants it like that because he is probably already using 192.168.x.x internally.
The packet from partner with destination IP 172.26.62.x will reach your FortiGate as your partner has already added a route that routes such traffic toward your FGT.
Your FGT will accept this packet as you defined this VIP 172.26.62.x, whatever your external IP is.
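The setup the replies describe, written out as a FortiOS CLI sketch. This is an added example, not configuration posted by anyone in the thread: the VIP matches on the destination (placeholder) address, while the partner's 192.168.101.x source is restricted in the policy's `srcaddr`. The interface names `partner-vpn` and `internal`, the object names, the `.10` host octets and the HTTPS service are constructed assumptions; the `#` lines are annotations to drop before pasting.

```fortios
# VIP: "external IP" is the destination the partner calls (placeholder range),
# not the partner's source address. Host octets are constructed samples.
config firewall vip
    edit "partner-placeholder-vip"
        set extintf "partner-vpn"
        set extip 172.26.62.10
        set mappedip "192.168.9.10"
    next
end

# Address object for the partner's real source, used to scope the policy.
config firewall address
    edit "partner-src"
        set subnet 192.168.101.10 255.255.255.255
    next
end

# Policy from the tunnel to the internal network: source is the partner host,
# destination is the VIP object, service limited to what the partner needs.
config firewall policy
    edit 0
        set name "partner-to-internal"
        set srcintf "partner-vpn"
        set dstintf "internal"
        set srcaddr "partner-src"
        set dstaddr "partner-placeholder-vip"
        set action accept
        set schedule "always"
        set service "HTTPS"
        set logtraffic all
    next
end
```

Scoping `srcaddr` and `service` keeps the mapping reachable only from the partner host and only on the port in use, instead of exposing 192.168.9.x to everything that arrives through the tunnel.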