Hello guys, I need the setup in this case.
My scenario is: where a Site to Site VPN tunnel has been established between Site A and Site B; a Server behind Site A needs to be accessed by using the WAN IP address of Site B. (RDP and WEB port 80)
The VPN is UP, site to site VPN tunnel is already established between the two sites and traffic is flowing between them.
Attached image of my case
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
It's not a port forwarding problem but a routing one. The Port forwarding itself has nothing different from the server located at Site B. But if those server accessing sources are anywhere on the internet, you have to have the default route at Site A into the tunnel to get back to Site B, which affect to all other devices Site A.
If the source IPs are limited and known, you can set specific routes back into the tunnel for those without changing the default route at Site A.
A way around is to NAT the forwarding policy to change the source to the tunnel interface IP. Don't forget to assign a set of IPs on both ends of the tunnel, preferably a /30. Then you don't have to even add any routes at Site A. The other end of the tunnel would be a connected route automatically.
Hi
We also have a site to site VPN (Fortigate/Zyxel) and want to set up port forwarding. I also understood the problem regarding routing.
Now I have set up a policy route on the other side (Zyxel) but I need to specify a site to site tunnel endpoint there. But the portforwarding comes from the Fortinet WAN and not from a "site to site tunnel"?
How do I have to configure this then?
Hope it is understandable.
Thanks, in
First of all you have to have routing to your Terminalserver so you can be routed to it coming from the FGT on Side B and getting back from Terminalserver to Side A.
The last can be the culprit. I'd recommend doing some VIP with snat here to have the traffic natted to a defined IP so you just need to route to and from this and do not need to reset your default route.
In second you have to make sure that traffic from B to Terminalserver (and backwards) matches the p2 selector(s) of your IPSec between A and B because it it doesn't match it will be dropped.
--
"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
Hi there,
This document may meet your requirement as we using SNAT for specific source, however, in your scenario is for specific destination. Please refer to this document for more detail "https://community.fortinet.com/t5/FortiGate/Technical-Note-Policy-Based-IPsec-VPN-Using-Source-NAT-a...
Best regards,
Minh
Hi
Thanks to both.
But I need the original Source IP on the other site, not a NAT IP. Is that possible?
Thanks
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1536 | |
1028 | |
749 | |
443 | |
210 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.