Hi All,
We have configured an interface-based VPN to the remote client (Palo Alto FW). The tunnel is up and working fine.
Now the customer has asked us to implement NAT for all of my subnets currently connected to my FortiGate (including the dialup VPN users' subnet).
That is, the sources (prod, training, dialup VPN users) should be NATed to a single IP (172.16.100.x/32) and then go into the IPsec tunnel, so that on the remote side only a single IP is visible to them (i.e. 172.16.100.x/32).
As the traffic is only unidirectional, I am following the solution provided in this KB:
Now, my question is this: I have different subnets like 172.16.10.x/24, 10.10.10.x/24 and the dialup subnet (10.80.10.x/24),
and I want to NAT them to a single IP, say 172.16.100.x/32, so that the remote side can see only one IP. Is this possible?
The second question is this: do I need to change my current route-based VPN in order to implement the above requirement by selecting the post-NAT IP in the phase 2 selectors, or do I need to create a new policy-based VPN to implement the scenario mentioned above?
Q1 yes
Q2 yes
Put the POST_NAT address in the phase2 settings. I do this in a FGT-2-SRX setup:
    config firewall policy
        edit 89
            set name "fgt2-branchSRX345"
            set srcintf "internal"
            set dstintf "FGT2BRANCHSRXSCHOOL_SYS"
            set srcaddr "192.168.1.0" "192.168.4.0" "192.168.11.0"
            set dstaddr "LOCAL_SUBNET"
            set action accept
            set schedule "always"
            set service "ALL"
            set ippool enable
            set poolname "SRXremoteofcSYS"
            set nat enable
        next
    end
The address of "SRXremoteofcSYS" is my phase2 local-subnet for IPSEC-PH2 traffic selectors.
Ken Felix
PCNSE
NSE
StrongSwan
Thanks Ken,
Please clarify one thing regarding Q2: does the 'yes' apply to route-based VPN or to policy-based VPN?
Apologies for my dumbness :D
Route-based.
Ken Felix
PCNSE
NSE
StrongSwan
Thank you so much Ken,
Appreciate it