Hello team,
We have the following IP overlap between host_a and host_b:
[(host_a 10.10.10.10/24) site_X] <---- IPSec ----> [site_Y] <---- IPSec ----> [site_Z (host_b 10.10.10.10/24)]
Traffic will be initiated from host_a --- > host_b direction only.
Any recommendations for overcoming this overlap? -
We have no control over [(host_a 10.10.10.10/24) site_X] and would therefore prefer to do any configuration on [site_Y]
Thank you and regards,
fort_tude
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Hello Forti_tude,
You can use VIP (DNAT) object on site Z. For example;
Site Z Conf:
VIP Object(DNAT): 10.10.20.10 -> 10.10.10.10
S2S Phase 2 Conf:
remote subnet: 10.10.10.10
local subnet: 10.10.20.10
Site X Conf:
S2S Phase 2 Conf :
Local Subnet: 10.10.10.10
Remote Subnet: 10.10.20.10
After this configuration. Site Z should access to the application with a new nat IP.
Btw if traffic also initiates from site Z. You should also do nat configuration on site X. If they not, this configuration should be enough. Because Fortigate will not control routing information for return traffic.
Below URL explains this scenario.
Thanks ozkanaltas and srajeswaran.
Please note that there is no direct IPSec S2S vpn between site_X and site_Z.
They just happen to both have an IPSec S2S VPN each to site_Y.
Do your suggestions still apply?
Thank you and regards,
fort_tude
Hello forti_tude,
You can still apply this solution. But be careful at determining new nat IP address. This IP address should not used on sites X,Y and Z.
Site Z Conf:
VIP Object(DNAT): 10.10.20.10 -> 10.10.10.10
S2S Phase 2 Conf:
remote subnet: 10.10.10.10
local subnet: 10.10.20.10
Site Y Conf:
Static route or policy route:
DST: 10.10.10.10
Interface: Tunnel X
---------
DST: 10.10.20.10
Interface: Tunnel Z
S2S Phase 2 Conf on between X and Y tunnel:
remote subnet: 10.10.10.10
local subnet: 10.10.20.10
S2S Phase 2 Conf on between Y and Z tunnel:
remote subnet: 10.10.20.10
local subnet:10.10.10.10
Site X Conf:
S2S Phase 2 Conf :
Local Subnet: 10.10.10.10
Remote Subnet: 10.10.20.10
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1705 | |
1093 | |
752 | |
446 | |
230 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.