Hello,
I have a Fortigate 100D w/ an IPSEC tunnel to a vendor. Currently one local network is configured (10.x.x.x/24). We are planning on adding a wireless subnet w/ different IP scheme of 192.x.x.x/24 which needs access across the VPN. For various reasons the vendor on the other end cannot add this new network as a remote network on their Cisco endpoint.
The IPSEC tunnel is interface-based. Would it be as simple as using the 'set nat-ip' option in the wireless --> VPN policy to NAT the 192.x.x.x IP to an IP on the existing (10.x.x.x) network? If so, does it matter if this IP is already being used by something else (e.g. the firewall's interface IP on that subnet, or a PC on the 10.x.x.x network)?
To apply source NAT (which is needed for this), create an IP pool, and specify NAT with IP pool in the policy WiFi -> tunnel.
This address should not be used elsewhere in the 10.x.x.x subnet to be unambiguous. The remote side then cannot tell whether traffic is coming from an original 10.x.x.x host or a NATted WiFi host, so no changes to the Quick Mode settings of your VPN are needed.
The 'set-nat-ip' option is IMHO irrelevant here (context is policy-based VPN).
ede_pfau wrote:
This address should not be used elsewhere in the 10.x.x.x subnet to be unambiguous.
This point cannot be stressed highly enough. Once an address is defined in an IP pool, it cannot be used anywhere else on that FGT unit (except for NATting an outbound policy or VPN tunnel). Even if simply sitting unused in an IP pool, that IP/subnet will turn into a black hole. All references to it in policies and such will cease to function, so be careful with how wide you make this IP pool. A single IP in the range is usually enough to get the job done.
Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
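Putting ede_pfau's IP-pool procedure and Bob's single-address caveat together as an added FortiOS CLI example (not from either poster and not tested on their units): the interface names wifi/vendor-vpn, the address objects and the pool address 10.0.0.250 are constructed placeholders, and 10.0.0.250 is assumed to be unused by any host, interface or policy on the 10.x.x.x LAN.

```fortios
# Constructed example: a one-address overload pool on the existing 10.x.x.x LAN.
# 10.0.0.250 is assumed to be free; an address placed in a pool must not be
# used by any host, interface or policy elsewhere on this FortiGate.
config firewall ippool
    edit "wifi-to-vendor-snat"
        set type overload
        set startip 10.0.0.250
        set endip 10.0.0.250
    next
end

# Address objects for the WiFi subnet and the vendor's remote network
# (subnet values constructed for this example).
config firewall address
    edit "wifi-net"
        set subnet 192.168.50.0 255.255.255.0
    next
    edit "vendor-net"
        set subnet 172.16.10.0 255.255.255.0
    next
end

# WiFi -> tunnel policy with NAT and the pool enabled: the vendor only ever
# sees 10.0.0.250, which is already inside the tunnel's Quick Mode (Phase 2)
# selectors, so the Cisco side needs no change.
config firewall policy
    edit 0
        set name "wifi-to-vendor-vpn"
        set srcintf "wifi"
        set dstintf "vendor-vpn"
        set srcaddr "wifi-net"
        set dstaddr "vendor-net"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
        set ippool enable
        set poolname "wifi-to-vendor-snat"
    next
end
```

Keep the pool to the single address: per Bob's note, every address in the pool becomes unusable elsewhere on the unit.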
Copyright 2024 Fortinet, Inc. All Rights Reserved.