Routing between two routers behind NAT via a non-NAT router
I have two networks, 172.20.1.0/24 and 172.20.2.0/24, both behind NAT routers with 60Es connected to those routers. I have configured site-to-site IPsec for the corporate network on a static-IP 100D, routing 172.18.0.0/16 for both SITES, and this works fine.
But now I would like to ping SITE 1 (172.20.1.1) from SITE 2 (172.20.2.1), and I'm not sure if I can config something up on the Phase 2 connectors at each site to allow the packets to flow between the two NATed routers via the static-IP router.
See diagram attached
Hi.
Follow the steps below to check if a packet can be received by the device.
<Configured on each device>
Trusted Host 172.20.1.0 / 255.255.255.0
Trusted Host 172.20.2.0 / 255.255.255.0
https://kb.fortinet.com/k...nk.do?externalID=10868
<SITE 2 Fortigate>
Firstly, make sure you are not pinging 172.20.1.1.
<SITE 1 Fortigate>
Connect to the FortiGate CLI then type the following commands:
diag debug flow filter saddr 172.20.2.1
diag debug flow show console enable
diag debug enable
diag debug flow trace start 10
<SITE 2 Fortigate>
Once this is done, start pinging 172.20.1.1.
Observe the FortiGate CLI output:
1) which route/interface the packets match;
2) which policy they hit.
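As an added illustration (not part of the original post or of any Fortinet tool), a small Python parser that pulls the two facts asked for above, the route/interface matched and the policy hit, out of debug flow output. The sample lines are constructed to resemble typical FortiGate debug flow messages; the interface names (corp_vpn, wan1, internal) and policy ids in them are made up.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample of "diag debug flow" output for two pings 172.20.2.1 -> 172.20.1.1.
# The id=/trace_id=/func=/msg= layout follows the usual FortiGate debug-flow format;
# interface names and policy ids here are made up, not taken from the original post.
SAMPLE_FLOW = '''\
id=20085 trace_id=1 func=print_pkt_detail line=5363 msg="vd-root received a packet(proto=1, 172.20.2.1:1->172.20.1.1:2048) from corp_vpn. type=8, code=0, id=1, seq=1."
id=20085 trace_id=1 func=vf_ip_route_input_common line=2583 msg="find a route: flag=04000000 gw-172.20.1.1 via internal"
id=20085 trace_id=1 func=fw_forward_handler line=737 msg="Allowed by Policy-7:"
id=20085 trace_id=2 func=print_pkt_detail line=5363 msg="vd-root received a packet(proto=1, 172.20.2.1:1->172.20.1.1:2048) from wan1. type=8, code=0, id=1, seq=2."
id=20085 trace_id=2 func=vf_ip_route_input_common line=2583 msg="find a route: flag=04000000 gw-172.20.1.1 via internal"
id=20085 trace_id=2 func=fw_forward_handler line=737 msg="Denied by forward policy check (policy 0)"
'''

LINE_RE = re.compile(r'trace_id=(\d+) .*? msg="(.*)"$')
PKT_RE = re.compile(r'received a packet\(.*\) from (\S+)\.')     # ingress interface
ROUTE_RE = re.compile(r'find a route: .*?gw-([\d.]+) via (\S+)')  # next hop, egress iface
ALLOW_RE = re.compile(r'Allowed by Policy-(\d+)')
DENY_RE = re.compile(r'Denied by forward policy check \(policy (\d+)\)')

@dataclass
class Trace:
    trace_id: int
    in_iface: Optional[str] = None   # interface the packet arrived on
    gateway: Optional[str] = None    # next hop from the route lookup
    out_iface: Optional[str] = None  # egress interface from the route lookup
    policy: Optional[int] = None     # firewall policy id (0 = implicit deny)
    verdict: Optional[str] = None    # "allow", "deny", or None if no policy line seen

def parse_debug_flow(text: str) -> Dict[int, Trace]:
    """Group debug-flow lines by trace_id and pull out the route and policy facts."""
    traces: Dict[int, Trace] = {}
    for m in filter(None, map(LINE_RE.search, text.splitlines())):
        tid, msg = int(m.group(1)), m.group(2)
        t = traces.setdefault(tid, Trace(tid))
        if pkt := PKT_RE.search(msg):
            t.in_iface = pkt.group(1)
        elif rt := ROUTE_RE.search(msg):
            t.gateway, t.out_iface = rt.group(1), rt.group(2)
        elif al := ALLOW_RE.search(msg):
            t.policy, t.verdict = int(al.group(1)), "allow"
        elif dn := DENY_RE.search(msg):
            t.policy, t.verdict = int(dn.group(1)), "deny"
    return traces

def summarize(text: str) -> List[str]:
    return [f"trace {t.trace_id}: in {t.in_iface}, route via {t.out_iface} gw {t.gateway}, "
            f"policy {t.policy} {t.verdict}" for t in parse_debug_flow(text).values()]
```

In the constructed sample, the ping that arrives on the tunnel interface is allowed by a policy while the same ping arriving on the WAN side hits policy 0 (implicit deny); on a real box, the ingress interface and the policy id in these lines tell you whether the packet came through the tunnel at all and which rule decided its fate.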
Thanks for this, Dai.
