We are trying to replace a Cisco router with a FortiGate running 5.4 but are unable to get subnet translation to work as before. Here's the scope:
The subnet translation comes into play because HQ doesn't want to use 192.168.100.0/24 and 172.24.0.0/24 on their end, to avoid the risk of overlapping subnets, so they have assigned translated subnets for each:
In the Cisco router this was simply managed at our end with these two lines:
ip nat inside source static network 192.168.100.0 10.100.1.0 /24
ip nat inside source static network 172.24.0.0 10.100.2.0 /24
We've tried lots of different ways of doing it in the FortiGate (NAT on policy, virtual IPs etc) but not getting the same result.
hi,
shouldn't be too difficult in FOS either.
You've got both methods:
- source NAT is done via IPpools
- destination NAT is done via VIPs (plus arp proxy plus translation of reply traffic)
So, in the outgoing policy 'internal'->'HQ', use an IPpool with netmask /24.
In the incoming policy 'HQ'->'internal', use a VIP for the whole subnet.
For 2 translations/subnets you need 2 policies in each direction.
I hope this is more clear now. Shows us what you've tried/configured and what your results are if it doesn't work as expected.
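The configuration described in this answer, written out as an added FortiOS 5.4 CLI example (this is not the original poster's or Ede's configuration). It assumes the LAN-facing interface is named "internal" and the HQ-facing interface (physical port or route-based VPN tunnel) is named "HQ", as in the policy names above; all object names, the HQ-networks address object and the use of the fixed-port-range pool type are assumptions. It covers both translated subnets, so it has the two policies per direction the answer calls for.

```fortios
# Added example, not taken from the thread. Interface names "internal"
# and "HQ", all object names and the pool type are assumptions.

# Address objects for the real LAN subnets and for the HQ side.
config firewall address
    edit "LAN-192.168.100.0"
        set subnet 192.168.100.0 255.255.255.0
    next
    edit "LAN-172.24.0.0"
        set subnet 172.24.0.0 255.255.255.0
    next
    edit "HQ-networks"
        # constructed placeholder; replace with HQ's real prefixes
        set subnet 10.0.0.0 255.0.0.0
    next
end

# Source NAT for internal -> HQ: one IP pool per translated /24.
# fixed-port-range ties each internal host to the pool address at the
# same offset (192.168.100.7 -> 10.100.1.7), which is what the Cisco
# "static network" lines did. A one-to-one pool would not guarantee
# that ordering.
config firewall ippool
    edit "SNAT-to-10.100.1.0"
        set type fixed-port-range
        set startip 10.100.1.1
        set endip 10.100.1.254
        set source-startip 192.168.100.1
        set source-endip 192.168.100.254
    next
    edit "SNAT-to-10.100.2.0"
        set type fixed-port-range
        set startip 10.100.2.1
        set endip 10.100.2.254
        set source-startip 172.24.0.1
        set source-endip 172.24.0.254
    next
end

# Destination NAT for HQ -> internal: one VIP covering each whole subnet.
# arp-reply makes the FortiGate answer ARP for the translated range on
# the HQ interface; it is harmless (and unused) on a VPN tunnel interface.
config firewall vip
    edit "DNAT-10.100.1.0"
        set extip 10.100.1.1-10.100.1.254
        set extintf "HQ"
        set mappedip "192.168.100.1-192.168.100.254"
        set arp-reply enable
    next
    edit "DNAT-10.100.2.0"
        set extip 10.100.2.1-10.100.2.254
        set extintf "HQ"
        set mappedip "172.24.0.1-172.24.0.254"
        set arp-reply enable
    next
end

# Policies: two per direction, one per translated subnet.
# Outbound policies enable NAT and select the matching pool; inbound
# policies use the VIP as destination and leave NAT disabled so HQ
# source addresses arrive at the LAN unchanged.
config firewall policy
    edit 0
        set name "LAN1-to-HQ"
        set srcintf "internal"
        set dstintf "HQ"
        set srcaddr "LAN-192.168.100.0"
        set dstaddr "HQ-networks"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
        set ippool enable
        set poolname "SNAT-to-10.100.1.0"
    next
    edit 0
        set name "LAN2-to-HQ"
        set srcintf "internal"
        set dstintf "HQ"
        set srcaddr "LAN-172.24.0.0"
        set dstaddr "HQ-networks"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
        set ippool enable
        set poolname "SNAT-to-10.100.2.0"
    next
    edit 0
        set name "HQ-to-LAN1"
        set srcintf "HQ"
        set dstintf "internal"
        set srcaddr "HQ-networks"
        set dstaddr "DNAT-10.100.1.0"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 0
        set name "HQ-to-LAN2"
        set srcintf "HQ"
        set dstintf "internal"
        set srcaddr "HQ-networks"
        set dstaddr "DNAT-10.100.2.0"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
```

Two things to check when it does not behave: HQ must route 10.100.1.0/24 and 10.100.2.0/24 towards this FortiGate (the pools and VIPs do not advertise anything), and `diagnose sys session list` on the FortiGate should show the translated address in the NAT fields of a session in each direction. Keep the "HQ-networks" object as tight as possible; a VIP policy with a broad source is reachable from everything that can route to the translated range.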
Ede is right (at least from what I'm reading on your issue). Do what he says and it should work out for you. If you have issues give us a shout.
Mike Pruett
Thanks, it worked! I was pretty close since I tried an IP pool and I tried a VIP. I just didn't try them both at the same time.
Good to know you've got it working!
There are a lot of features in FOS, some of them malfunctioning at times, but NAT (and routing) has never let me down over the past 12 years...