Not applicable

Need to NAT Traffic leaving a vpn Tunnel

I'm from Cisco Land (don't laugh) and have a FortiGate that I am working with. I want all traffic going across a site-to-site VPN tunnel to be NAT'd outbound to appear to be the inside IP address of the FortiGate. The VPN tunnel is already active, but we have changed some internal IPs and figured it might be easier to do this than deal with the remote site's IT folks. Any assistance is appreciated.
rwpatterson
Valued Contributor III

Welcome to the forums (and Forti-land). Obviously, the 'inside' address would have to be Internet-routable for this to work.

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com

Not applicable

Why is that? Maybe I didn't phrase it right, but basically I want the other side of the tunnel to see all the traffic as coming from a single inside IP on my side instead of the various native IPs. In Cisco World I can do that with a policy NAT saying all traffic from x to y, NAT to z address, and z address doesn't have to be a public IP address.
rwpatterson
Valued Contributor III

Well, if on the inside you're using private IP addresses, then in the Internet browsing policy you will have to check the NAT box anyway. This will NAT all traffic to the interface's IP address. That IP address can be amended by using an IP pool with the address(es) you wish to appear on the outside. Hope that helps.

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com

ede_pfau
SuperUser

You can easily do this, but the way depends on how you set up the VPN. I assume (and hope) you created the phase1 with "Interface Mode" checked. This yields a tunnel interface similar to a physical interface. You only need a route to direct traffic to the tunnel and you're done. Now for source NAT (changing all source addresses to a different address) you just check "NAT" in the policy "internal" -> "tunnel". All traffic will appear to come from the internal IP address of the FGT. If you haven't created the tunnel in interface mode then I'd recommend re-creating it. You can do source NAT with policy-based VPNs as well, but it's really a PITA from the user's perspective. The paradigm of an interface is so easy in comparison, and more so if you use advanced features like NAT, PAT, routing, load-balancing etc. It's not much effort to create an interface-based VPN, just check that control when creating phase1 - it cannot be reverted later.
Ede Kernel panic: Aiee, killing interrupt handler!
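The interface-mode setup Ede describes (phase1 in interface mode, a static route into the tunnel interface, and a LAN-to-tunnel policy with NAT), combined with the IP pool Bob mentions, as an added FortiOS CLI example that is not part of the original thread or of any Fortinet documentation. Every name and address in it is an assumption: "wan1" and "internal" as the outside and LAN interfaces, 203.0.113.10 as the remote peer, 192.168.50.0/24 as the remote LAN, 10.20.0.0/24 as the renumbered local LAN, and 10.1.1.5 as the single address the remote side should see. Two points a practitioner will want: plain `set nat enable` translates to the address of the outgoing interface, and a tunnel interface has no IP unless one is assigned under `config system interface`, so an overload IP pool makes the NAT address explicit; and the phase2 selectors (or the remote peer's crypto ACL) must match the post-NAT address, not the raw LAN, because the remote end only ever sees the translated source.

```fortios
# Added example, not from the thread. Assumed names and addresses:
#   wan1 = outside interface, internal = LAN interface
#   203.0.113.10 = remote peer, 192.168.50.0/24 = remote LAN
#   10.20.0.0/24 = renumbered local LAN
#   10.1.1.5 = single address the remote side sees (inside the phase2 selector)

# 1. Interface-mode phase1: creates a tunnel interface named "to-remote".
#    This is the setting that cannot be changed after the fact.
config vpn ipsec phase1-interface
    edit "to-remote"
        set interface "wan1"
        set remote-gw 203.0.113.10
        set proposal aes256-sha256
        set dhgrp 14
        set psksecret "<pre-shared key agreed with the remote end>"
    next
end

# 2. Phase2 selectors: the remote peer matches on post-NAT addresses, so the
#    local selector must contain the IP pool address, not 10.20.0.0/24.
config vpn ipsec phase2-interface
    edit "to-remote-p2"
        set phase1name "to-remote"
        set proposal aes256-sha256
        set src-subnet 10.1.1.0 255.255.255.0
        set dst-subnet 192.168.50.0 255.255.255.0
    next
end

# 3. Address objects referenced by the policy.
config firewall address
    edit "local-lan"
        set subnet 10.20.0.0 255.255.255.0
    next
    edit "remote-lan"
        set subnet 192.168.50.0 255.255.255.0
    next
end

# 4. Single-address overload pool: every LAN host appears as 10.1.1.5
#    (PAT), which is the "policy NAT to z" the original poster asked for.
config firewall ippool
    edit "vpn-snat"
        set type overload
        set startip 10.1.1.5
        set endip 10.1.1.5
    next
end

# 5. Route the remote LAN into the tunnel interface.
config router static
    edit 0
        set dst 192.168.50.0 255.255.255.0
        set device "to-remote"
    next
end

# 6. Policy internal -> tunnel with source NAT. Without "set ippool enable"
#    the source would become the tunnel interface's own address, which is
#    empty unless one was assigned to "to-remote" under config system interface.
config firewall policy
    edit 0
        set name "lan-to-remote-snat"
        set srcintf "internal"
        set dstintf "to-remote"
        set srcaddr "local-lan"
        set dstaddr "remote-lan"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
        set ippool enable
        set poolname "vpn-snat"
    next
end
```

Lines starting with `#` are annotations; drop them if your CLI version rejects them. Reply traffic follows the session table, so no reverse policy is needed for connections the LAN opens, but with everything hidden behind 10.1.1.5 the remote site can no longer initiate connections to individual local hosts; that would need a VIP on the tunnel side and is outside what the thread asks for. Exact keyword names vary slightly between FortiOS releases, so check them against the release you are running before pasting.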
ede_pfau
SuperUser

@Bob: OP is talking about VPN tunnel traffic, not Internet browsing. So NAT is an option but not required. Obviously they've been using private addresses all the time across the tunnel.
Ede Kernel panic: Aiee, killing interrupt handler!
rwpatterson
Valued Contributor III

I see.

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com

Not applicable

Ede, thanks. I did not create the VPN tunnel. It was already set up without that option selected. I can recreate it, but I don't know the pre-shared key. Is there a way to recover that, or will I have to contact the remote end and get it from them? -Matthew
rwpatterson
Valued Contributor III

If you cannot get it from the remote end, there is a way to do it if you have a backup of the config. Let us know if you need that, and I'll work out a writeup of how to do it.

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com

Not applicable

Bob, That would be helpful. Thanks!