mardal
New Contributor

NAT rule on incoming VPN traffic

My dear community,

 

I'd like to put a question to the group that has puzzled me for some days:

We have a VPN tunnel incoming with 192.168.101.xxx. The system which should be reached has 192.168.9.xxx. The virtual IP mapping I can set defines the incoming external IP as well as the map-to IP.

BUT: and here is the tricky thing... The partner needs to use a placeholder IP. So the partner calls IP 172.29.62.xxx. This should be mapped to 192.168.9.xxx, but the rule is not used because the incoming IP is 192.168.101.xxx.

Summary: Incoming 192.168.101.xxx calls 172.26.62.xxx, which has to be mapped to 192.168.9.xxx.

 

Can you please help me to understand how to configure such a scenario?

 

thanks a lot in advance!

4 REPLIES
AEK
Honored Contributor

Hello Mardal

I think you want to configure a VIP, with external IP 172.26.62.x, mapped IP 192.168.9.x.

You can find this under Policy & Objects > Virtual IP.

Then FW Policy has to be configured with the VIP as destination address.

AEK
mardal
New Contributor

Hi AEK,

 

thanks for your reply.

In general you are right, but the VIP only gets hit if the external IP is 172.26.62.xxx. But the external IP is a different one. I just added a small picture. Maybe this explains it a bit better than with words ;)

[attachment: Capture.JPG]

gfleming

You can use any IP you want as the External IP in a VIP as long as that IP is routed to the external interface for that VIP.

 

In other words if packets destined to 172.26.62.x are being properly routed to your FortiGate's interface then the VIP will cause the FortiGate to reply to ARP requests for the IP that is configured as "external IP" in the VIP. The IP does not have to exist on the actual interface.

 

Hope this helps.

Cheers,
Graham
AEK
Honored Contributor

Your partner wants it like that because he is probably already using 192.168.x.x internally.

The packet from partner with destination IP 172.26.62.x will reach your FortiGate as your partner has already added a route that routes such traffic toward your FGT.

Your FGT will accept this packet as you have defined this VIP 172.26.62.x, whatever your external IP is.

AEK
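As an added example (not posted by anyone in this thread), this is the FortiOS CLI form of the VIP and firewall policy that AEK describes, covering both the VIP object and the policy that references it. The interface names `partner-vpn` and `internal`, the `.10` host addresses standing in for the `.xxx` placeholders, the /24 mask for the partner's source range, and the object names are all assumptions for illustration.

```fortios
# Assumed names/addresses: partner-vpn = IPsec tunnel interface the partner traffic
# arrives on; internal = interface toward 192.168.9.0/24; .10 hosts are placeholders.

# Source address object for the partner's real (post-decryption) source range.
config firewall address
    edit "partner-net"
        set subnet 192.168.101.0 255.255.255.0
    next
end

# The VIP: traffic entering partner-vpn with destination 172.26.62.10 is DNAT'd to
# 192.168.9.10. The "external IP" is the placeholder address the partner calls, and it
# does not need to exist on any FortiGate interface; the source 192.168.101.x plays no
# part in VIP matching.
config firewall vip
    edit "VIP-partner-to-server"
        set extip 172.26.62.10
        set extintf "partner-vpn"
        set mappedip "192.168.9.10"
    next
end

# Policy from the tunnel interface to the internal segment with the VIP as destination.
# Source NAT is left off so the server still sees 192.168.101.x as the client address.
config firewall policy
    edit 0
        set name "partner-to-server"
        set srcintf "partner-vpn"
        set dstintf "internal"
        set srcaddr "partner-net"
        set dstaddr "VIP-partner-to-server"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
end
```

Two checks worth doing before blaming the VIP: on a route-based IPsec tunnel there is no ARP, so gfleming's ARP point applies to Ethernet interfaces only; what matters instead is that 172.26.62.x is covered by the phase 2 selectors on both sides (partner remote network, your local network) in addition to the route AEK mentions, otherwise the packets never enter the tunnel. To confirm packets are arriving at all, `diagnose sniffer packet partner-vpn 'host 172.26.62.10' 4` (interface name assumed) shows them on the tunnel interface before the policy lookup; if nothing appears there, the problem is on the partner side or in the selectors, not in the VIP or policy.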