CyberMuz
New Contributor

Source NAT with multiple IPsec using the same local range

Hi all,

I need some advice with the IPsec and Virtual IP setup on FortiOS (v6.4.14).

The diagram below shows the required setup. I have multiple IPsec links established between the FortiGate and external partners. My goal is to have the same (virtual) IP range 10.50.1.0/24 as the local range for the IPsec tunnels; the remote range is defined by each partner independently. The external partners would then target the Virtual IP addresses 10.50.1.1 and 10.50.1.2, which are mapped to the internal 'real' hosts 10.0.1.1 and 10.0.1.2.

To set this up I have configured two VIPs, and with this the partners are able to connect to the internal servers. But with this setup I have an issue with Source NAT for the servers in the internal network.

[Image: fortigate_ipsec_vip.drawio.png]

For example, when the internal servers (10.0.1.1, 10.0.1.2) establish a connection over some external link, such as the WAN interface to the Internet, source NAT is applied, but the outgoing packet does not carry the external IP (200.200.200.1); instead the (reverse) mapping from the VIP is applied and the packet leaves for the Internet with source address 10.50.1.1.

I know that this is because extintf is set to "any" in the VIP, and I also know that I can resolve this if I manually set the NAT IP Pool to "Use Dynamic IP Pool" and manually configure the public IP as the outgoing pool for Source NAT.

But is this the best way to achieve my goal? Is there any better way where I would not need to manually set the NAT IP pool in all firewall policies where the internal servers are the source?

I'm fairly new to FortiGate and some of its concepts are still not clear to me.

This is my current VIP configuration:

config firewall vip
    edit "Prod server 1"
        set extip 10.50.1.1
        set mappedip "10.0.1.1"
        set extintf "any"
    next
    edit "Prod server 2"
        set extip 10.50.1.2
        set mappedip "10.0.1.2"
        set extintf "any"
    next
end


I tried to change the extintf from "any" to a specific incoming interface, but this only works for one interface; when I try to add a second interface it is reported as a duplicate. It looks like there can be only one combination of IP addresses, regardless of the extintf.

If I try to set the same IPs but different interfaces, I'm getting an error:

config firewall vip
    edit "Prod server 1"
        set extip 10.50.1.1
        set mappedip "10.0.1.1"
        set extintf "PartnerONE"
    next
    edit "Prod server 2"
        set extip 10.50.1.1
        set mappedip "10.0.1.1"
        set extintf "PartnerTWO"
    next
end


This is the error I get:

The virtual IP is overlapped with another VIP entry-Prod server 1.

object check operator error, -5, discard the setting

Are there any other, better ways of configuring NAT on the FortiGate?
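The per-policy IP pool workaround the question describes, written out as an added example for readers; it is not the poster's configuration and not a Fortinet-supplied snippet. It assumes the internal-facing interface is named "internal" and the outbound interface "wan1", uses the hypothetical object names "public-snat-pool", "prod-servers" and "internal-to-internet", and takes the public address 200.200.200.1 and the 10.0.1.0/24 server subnet from the question. The VIPs stay exactly as posted; only the outbound policy's choice of source address changes.

```fortios
# Added example (not from the original post). Interface and object names are assumed.
# Overload pool that holds just the public WAN address, so every server
# session leaving through wan1 is rewritten to 200.200.200.1.
config firewall ippool
    edit "public-snat-pool"
        set type overload
        set startip 200.200.200.1
        set endip 200.200.200.1
    next
end

# Address object covering the real servers behind the VIPs.
config firewall address
    edit "prod-servers"
        set subnet 10.0.1.0 255.255.255.0
    next
end

# Outbound policy: "ippool enable" + "poolname" overrides the default
# behaviour of reusing the VIP's external address for source NAT.
# "edit 0" lets FortiOS assign the next free policy ID.
config firewall policy
    edit 0
        set name "internal-to-internet"
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "prod-servers"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
        set ippool enable
        set poolname "public-snat-pool"
    next
end
```

Policy order matters: any broader internal-to-wan1 policy that carries only `set nat enable` will still fall back to the VIP mapping for these hosts, so the pooled policy has to sit above it. To confirm the rewrite after the change, a standard FortiOS capture such as `diagnose sniffer packet wan1 'host 200.200.200.1' 4` (a generic command, not from the post) should show the servers' outbound sessions leaving wan1 with source 200.200.200.1 instead of 10.50.1.x.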

Renante_Era
Staff

The remote subnets are different, so I'm not entirely sure why you need to configure DNAT like that.

But anyway, I tried a similar command on my FGT (FortiOS 7.2.6) and it's working:

config firewall vip
    edit "Prod_server_1"
        set extip 10.50.1.1
        set mappedip "10.0.1.100"
        set extintf "wan1"
    next
    edit "Prod_server_2"
        set extip 10.50.1.1
        set mappedip "10.0.1.100"
        set extintf "wan2"
    next
end

However, I spun up a VM with FortiOS 6.4.14 and ended up with the same error:

[Image: VIP.jpg]

Note: FortiOS 6.4 is out of engineering support.