Howdy, I just have a question on a firewall policy that I have been playing around with. I have an IPSec tunnel between my agency and our parent agency allowing traffic to 2 subnets on their end (192.168.139.x). On my end, we have a supernet (172.19.41.x) passing clients using their application to their servers over that tunnel, and everything is working well. However, the local LAN at my agency (192.168.56.x) is on a subnet that conflicts with one at the parent agency, so we cannot pass that traffic over the IPSec tunnel. In an attempt to get around that, I created a firewall policy to pass the traffic but with a NAT IP Pool that falls within the allowed supernet, so the conflicting 192.168.56.x subnet is disguised as the allowed 172.19.41.x subnet. This works going out but does not work coming in. I can ping the parent agency's application server, but I can't connect to it from one of the end user computers. I have the two firewall policies for this below (sanitized); can anyone tell me if I have done anything incorrectly? We have a workaround, so this is not critical per se; I am just curious about the proper way to get this working. Thanks for any suggestions!
Router-01 # config firewall policy
Router-01 (policy) # edit "27"
Router-01 (27) # show
config firewall policy
    edit 27
        set name "LAN-to-ParentAgency"
        set uuid 58b8379a-bbca-51ef-35e1-ad351d4b0010
        set srcintf "Local-LAN"
        set dstintf "Parent-VPN"
        set action accept
        set srcaddr "Local-LAN"
        set dstaddr "Parent-LAN"
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set nat enable
        set ippool enable
        set poolname "Supernet"
    next
end
config firewall policy
    edit 28
        set name "ParentAgency-to-LAN"
        set uuid 9e6cee52-bbca-51ef-d114-3e824fced3b6
        set srcintf "Parent-VPN"
        set dstintf "Local-LAN"
        set action accept
        set srcaddr "Parent-LAN"
        set dstaddr "Local-LAN"
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set nat enable
        set ippool enable
        set poolname "Supernet"
    next
end
Hi @rlewcosa,
You can try this document to overcome the duplicate subnet issue https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-configure-an-IPsec-tunnel-with-Over...
Regards,
Hi @rlewcosa,
"but I can't connect to it from one of the end user computers."
I assume that this is still from Local-LAN to Parent-LAN. If so, this is still using policy 27. Policy 28 is for the traffic initiated from the Parent-LAN, not for the return traffic (initiated from Local-LAN to Parent-LAN).
I hope that your Parent agency is using FortiGate as well. If so, you need to run the debug flow commands on both ends to see why it is not connected.
And you did not share your firmware version, so the following link is for the latest version:
You can even switch the version back to 6.4.0:
If I get it right, I think you don't need to NAT the return traffic in policy 28.
I believe this is the solution in addition to disabling NAT on the incoming. I've set up the VIP and I'm able to ping between computers on each end. I'm still having trouble with the application connecting but I think that is an issue within the app itself so I'll have to ask their engineer to look at it with me. Thanks!
You'll need Virtual IP for that to work as shown in the following KB:
Site-to-site VPN with overlapping subnets | FortiGate / FortiOS 7.4.3 | Fortinet Document Library
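As an added illustration of the VIP approach described in the replies above (this is example configuration, not taken from the thread or from Fortinet's KB): the outbound policy 27 keeps its source NAT through the IP pool, while inbound traffic from the parent agency is sent to a static one-to-one VIP that presents the conflicting 192.168.56.x hosts as addresses inside the allowed 172.19.41.x supernet and is then translated to the real LAN addresses. The VIP name, the 172.19.41.1-254 to 192.168.56.1-254 mapping, and the assumption that the "Supernet" pool uses a different part of 172.19.41.0/24 than the VIP (so the outbound SNAT and inbound DNAT ranges do not collide) are all constructed for this example.

```text
# Constructed example: parent-agency hosts address the local LAN as 172.19.41.1-254;
# the FortiGate rewrites the destination one-to-one to 192.168.56.1-254.
config firewall vip
    edit "Local-LAN-as-Supernet"
        set extintf "Parent-VPN"
        set extip 172.19.41.1-172.19.41.254
        set mappedip "192.168.56.1-192.168.56.254"
    next
end
# Inbound policy: destination is the VIP object, and source NAT is disabled so the
# parent-agency source addresses arrive unchanged and reply traffic reverses the VIP.
config firewall policy
    edit 28
        set name "ParentAgency-to-LAN"
        set srcintf "Parent-VPN"
        set dstintf "Local-LAN"
        set action accept
        set srcaddr "Parent-LAN"
        set dstaddr "Local-LAN-as-Supernet"
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set nat disable
    next
end
```

The parent agency only ever sees 172.19.41.x on the tunnel, so no change to the phase 2 selectors is needed as long as that supernet is already permitted; the debug flow commands mentioned earlier in the thread will show whether inbound packets match policy 28 and hit the VIP translation.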
It seems like the NAT settings on the incoming traffic could be causing the issue. Try disabling NAT for the return traffic and ensure the routing and NAT pool are configured correctly. Check the firewall logs for any dropped packets or errors during traffic processing.