Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
rlewcosa
New Contributor II

Created on ‎12-30-2024 07:19 AM

Policy Question - NAT IP Pool

Howdy, I just have a question on a firewall policy that I have been playing around with. I have an IPSec tunnel between my agency and our parent agency allowing traffic to 2 subnets on their end (192.168.139.x). On my end, we have a supernet (172.19.41.x) passing clients using their application to their servers over that tunnel and everything is working well. However, the local LAN at my agency (192.168.56.x) is on a subnet that conflicts with one at the parent agency's, so we cannot pass that traffic over the IPSec tunnel. In an attempt to get around that, I created a firewall policy to pass the traffic but with a NAT IP Pool that falls within the allowed supernet, so the conflicting 192.168.56.x subnet is disguised as the allowed 172.19.41.x subnet. This works going out but does not work coming in. I can ping the parent agency's application server, but I can't connect to it from one of the end user computers. I have the two firewall policies for this below (sanitized), can anyone tell me if I have done anything incorrectly? We have a workaround so this is not critical per se I am just curious about the proper way to get this working. Thanks for any suggestions!

 

Router-01 # config firewall policy

Router-01 (policy) # edit "27"

Router-01 (27) # show
config firewall policy
edit 27
set name "LAN-to-ParentAgency"
set uuid 58b8379a-bbca-51ef-35e1-ad351d4b0010
set srcintf "Local-LAN"
set dstintf "Parent-VPN"
set action accept
set srcaddr "Local-LAN"
set dstaddr "Parent-LAN"
set schedule "always"
set service "ALL"
set logtraffic all
set nat enable
set ippool enable
set poolname "Supernet"
next
end


config firewall policy
edit 28
set name "ParentAgency-to-LAN"
set uuid 9e6cee52-bbca-51ef-d114-3e824fced3b6
set srcintf "Parent-VPN"
set dstintf "Local-LAN"
set action accept
set srcaddr "Parent-LAN"
set dstaddr "Local-LAN"
set schedule "always"
set service "ALL"
set logtraffic all
set nat enable
set ippool enable
set poolname "Supernet"
next
end

 

Labels:
190
0 Kudos
5 REPLIES 5
dingjerry_FTNT
Staff
Staff

Created on ‎12-30-2024 07:44 AM

Hi @rlewcosa ,

 

"but I can't connect to it from one of the end user computers."

 

I assume that this is still from Local-LAN to Parent-LAN.  If so, this is still using policy 27.  Policy 28 is for the traffic initiated from the Parent-LAN, not for the return traffic (initiated from Local-LAN to Parent-LAN).

 

I hope that your Parent agency is using FortiGate as well.  if so, you need to run the debug flow commands on both ends to see why it is not connected.

 

And you did not share your firmware version, so the following link is for the latest version:

 

https://docs.fortinet.com/document/fortigate/7.6.1/administration-guide/38044/using-the-debug-flow-t...

 

You can even switch the version back to 6.4.0:

 

dingjerry_FTNT_0-1735573466292.png

 

Regards,

Jerry
174
0 Kudos
ebilcari
Staff
Staff

Created on ‎12-30-2024 07:47 AM

If I get it right, I think you don't need to NAT the return traffic in policy 28.

- Emirjon
If you have found a solution, please like and accept it to make it easily accessible for others.
170
0 Kudos
mle2802
Staff
Staff

Created on ‎12-30-2024 12:03 PM

Hi @rlewcosa,

You can try this document to overcome the duplicate subnet issue https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-configure-an-IPsec-tunnel-with-Over...

Regards,

120
0 Kudos
Renante_Era
Staff
Staff

Created on ‎12-30-2024 01:44 PM

You'll need Virtual IP for that to work as shown in the following KB: 

Site-to-site VPN with overlapping subnets | FortiGate / FortiOS 7.4.3 | Fortinet Document Library

BSCS, BCIS, MIT
104
0 Kudos
HostingSpelll
New Contributor

Created on ‎12-31-2024 03:03 AM

It seems like the NAT settings on the incoming traffic could be causing the issue. Try disabling NAT for the return traffic and ensure the routing and NAT pool are configured correctly. Check the firewall logs for any dropped packets or errors during traffic processing.

62
0 Kudos
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.