Possible to Do Double NAT
Would it be possible to do a double nat on a unit in the event that 2 offices have overlapping subnets but need to communicate?
7 REPLIES
Yes, but that is bad design and will lead to other problems.
PCNSE
NSE
StrongSwan
Kind of forced into it, unfortunately. I have a site-to-site between another firewall and an 80C. The 80C happens to share the same private subnet as the far end of a VPN, and I can't do any PBR on the firewall, so I wanted to NAT traffic as it went to the 80C and then un-NAT it when it got to the 80C.
This situation is very common. In that case the best way to do it is:
1. Configure the VPN in interface mode.
2. Create a VIP for a virtual LAN (the 'virtual' subnet that the peer is going to reach through the VPN).
3. For inbound traffic, use the VIP (as the destination).
4. For outbound traffic, use a regular firewall policy with NAT enabled.
The peer has to do the same for another virtual LAN.
Regards
-- David Olea FSE6
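What those four steps look like on the Site A unit (the 80C) as a concrete configuration. This is an added example, not from the thread or from Fortinet's documentation; the address ranges, interface names and object names are assumed, and the syntax is FortiOS 5.x CLI written from memory, so check each command against the CLI Reference for your build before pasting it in.

```fortios
# Site A FortiGate.  Assumed addressing (not from the thread):
#   real LAN at BOTH sites : 192.168.1.0/24   (the overlap)
#   virtual LAN for Site A : 10.10.10.0/24    (what Site B sees A as)
#   virtual LAN for Site B : 10.10.20.0/24    (what Site A sees B as)
# Site B applies the mirror image with the two virtual ranges swapped.

# 1. Interface-mode (route-based) IPsec.  The phase2 selectors carry only the
#    virtual subnets; the overlapping real subnet never appears in them.
config vpn ipsec phase1-interface
    edit "to-SiteB"
        set interface "wan1"
        set remote-gw 203.0.113.2
        set proposal aes256-sha256
        set psksecret REPLACE_WITH_A_LONG_RANDOM_PSK
    next
end
config vpn ipsec phase2-interface
    edit "to-SiteB-p2"
        set phase1name "to-SiteB"
        set proposal aes256-sha256
        set src-subnet 10.10.10.0 255.255.255.0
        set dst-subnet 10.10.20.0 255.255.255.0
    next
end

# Route Site B's virtual subnet into the tunnel interface.
config router static
    edit 0
        set dst 10.10.20.0 255.255.255.0
        set device "to-SiteB"
    next
end

config firewall address
    edit "LAN-A"
        set subnet 192.168.1.0 255.255.255.0
    next
    edit "Virtual-B"
        set subnet 10.10.20.0 255.255.255.0
    next
end

# 2. VIP: packets arriving from the tunnel for A's virtual range are mapped
#    1:1 (same host offset) onto the real LAN.  This is the fixed mapping
#    the peer and any DNS records should rely on.
config firewall vip
    edit "VIP-Virtual-A"
        set extintf "to-SiteB"
        set extip 10.10.10.1-10.10.10.254
        set mappedip "192.168.1.1-192.168.1.254"
    next
end

# Pool used to source-NAT A's real addresses into A's virtual range on the
# way out.  As I understand FortiOS, one-to-one pool addresses are handed out
# first-come first-served per host, so A-initiated sessions are not
# guaranteed the same offset the VIP gives; the session table handles the
# replies, so that is fine for A-initiated traffic.
config firewall ippool
    edit "Pool-Virtual-A"
        set type one-to-one
        set startip 10.10.10.1
        set endip 10.10.10.254
    next
end

config firewall policy
    # 3. Inbound: peer (seen as 10.10.20.0/24) -> the VIP.  Destination NAT
    #    only; no "nat enable" here, or the peer's source would be rewritten too.
    edit 0
        set srcintf "to-SiteB"
        set dstintf "internal"
        set srcaddr "Virtual-B"
        set dstaddr "VIP-Virtual-A"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    # 4. Outbound: LAN-A -> peer's virtual subnet, NAT enabled using the pool
    #    so Site B only ever sees 10.10.10.x as the source.
    edit 0
        set srcintf "internal"
        set dstintf "to-SiteB"
        set srcaddr "LAN-A"
        set dstaddr "Virtual-B"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
        set ippool enable
        set poolname "Pool-Virtual-A"
    next
end
```

A quick check once both ends are up: from a Site A host, connect to a Site B host at its 10.10.20.x address and confirm in `diagnose sys session list` on the 80C that the session shows the 192.168.1.x source rewritten to 10.10.10.x and, for peer-initiated sessions, the VIP's 10.10.10.x destination rewritten to 192.168.1.x. If either translation is missing, the wrong policy matched or the phase2 selectors still reference the real subnet.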
The FortiOS handbook has a few pretty good examples for exactly the same scenario.
I'd suggest starting at the section "How to work with overlapping subnets".
You can download the guide from http://docs.fortinet.com/d/fortigate-fortios-handbook-the-complete-guide
I've done this before, and the only real issue I get is with DNS. If you have DNS forwarders to their DNS servers for things like server names and such, it will return the original IP address, which is on your subnet, not the translated subnet. I've had both sides set up a secondary DNS zone, company1.local, company2.local, on their side, so it has a different FQDN from their local naming scheme. Then manually populate the A records for important resources.
Example:
Server1: 192.168.101.5
Translated to 192.168.201.5
Original FQDN: server1.company.net
Translated FQDN: server1.company1.local
This way you at Company 2 can use the FQDN of the translated item, and if they switch the device, they just update their DNS. It also makes it so that if you are going to map things like drive letters and such, the IP addresses aren't as visible to the end user. Users always question why they have to use the IP address and not a name like everything else.
@Brady
FortiOS has a "DNS translation" feature which might be of good use for you. When set up on a port, a DNS request is passed through but the reply is translated to a different IP address which you specify.
Have a look at the CLI Reference for starters.
It's one of the rarer features but might be quite helpful.
Ede Kernel panic: Aiee, killing interrupt handler!
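The DNS translation Ede mentions, as an added configuration example that is not from the thread or the CLI Reference. It assumes the Site A unit, Site B's real LAN 192.168.1.0/24 presented to Site A as the virtual range 10.10.20.0/24, and FortiOS 5.x syntax written from memory (in newer releases the same src/dst/netmask settings live under the DNS filter profile), so verify the command tree against the reference for your build.

```fortios
# Site A.  Site B's DNS server answers lookups with B's REAL addresses
# (192.168.1.x), which on Site A would be routed to A's own LAN.  Rewrite the
# A records in replies passing through the FortiGate so Site A hosts receive
# B's VIRTUAL addresses (10.10.20.x) instead.  Addressing is assumed.
config firewall dnstranslation
    edit 1
        set src 192.168.1.0
        set dst 10.10.20.0
        set netmask 255.255.255.0
    next
end
```

Two things to keep in mind when testing it: the DNS reply has to actually traverse the FortiGate on its way back to the client (a host using a resolver on its own LAN never has its answers rewritten), and the rewrite keys purely on the address range, so a reply carrying a Site A address in that same 192.168.1.0/24 range would be rewritten as well. Keep the local zone answering real addresses from a resolver whose replies do not cross the unit, or scope the DNS path so only Site B's answers pass through it.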
Thanks!!
http://docs.fortinet.com/uploaded/files/800/fortigate-cli-50.pdf
Page 109