Support Forum
daniyal
New Contributor

Unidirectional NAT through IPSEC tunnel.

Hi All,

We have configured an interface-based VPN to the remote client (Palo Alto FW). The tunnel is up and working fine.

Now the customer has asked to implement NAT for all of my subnets currently connected to my FortiGate (including the dial-up VPN users' subnet).

I.e. the sources (prod, training, dial-up VPN users) are to be NATed to a single IP (172.16.100.x/32) and then sent into the IPsec tunnel, so that on the remote side only a single IP (i.e. 172.16.100.x/32) is visible to them.

As the traffic is only unidirectional, I am following the solution provided in this KB:

https://kb.fortinet.com/kb/microsites/search.do?cmd=displayKC&docType=kc&externalId=FD33885&sliceId=...

Now, my question is this: I have different subnets like 172.16.10.x/24, 10.10.10.x/24 and the dial-up subnet (10.80.10.x/24), and I want to NAT them to a single IP, say 172.16.100.x/32, so that the remote side can see only one IP. Is this possible?

The second question is this: do I need to change my current route-based VPN to implement the above requirement by selecting the post-NAT IP in the phase 2 selectors, or do I need to create a new policy-based VPN to implement the scenario mentioned above?

emnoc
Esteemed Contributor III

Q1 yes

Q2 yes

Put the post-NAT address in the phase 2 settings. I do this in a FGT-2-SRX setup:

config firewall policy
    edit 89
        set name "fgt2-branchSRX345"
        set srcintf "internal"
        set dstintf "FGT2BRANCHSRXSCHOOL_SYS"
        set srcaddr "192.168.1.0" "192.168.4.0" "192.168.11.0"
        set dstaddr "LOCAL_SUBNET"
        set action accept
        set schedule "always"
        set service "ALL"
        set ippool enable
        set poolname "SRXremoteofcSYS"
        set nat enable
    next
end

The address of "SRXremoteofcSYS" is my phase 2 local subnet for the IPsec phase 2 traffic selectors.

 

Ken Felix
PCNSE NSE StrongSwan
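As an added worked example (not configuration from the thread, from Ken, or from Fortinet documentation), the following FortiOS CLI puts Ken's answer together for daniyal's scenario on the existing route-based tunnel: an overload IP pool, the three local subnets, a phase 2 selector whose local side is the post-NAT /32, the static route into the tunnel interface, and one outbound policy doing SNAT. The object names, the phase 1 name "to-palo", the dial-up phase 1 interface "dialup-p1", the concrete NAT address 172.16.100.1 and the remote LAN 192.168.50.0/24 are all assumptions for illustration; the local subnets are the ones daniyal listed.

```fortios
# Added example (not from the thread or Fortinet docs). Assumed/hypothetical names:
# phase1 "to-palo", dial-up phase1 interface "dialup-p1", NAT IP 172.16.100.1,
# Palo Alto LAN 192.168.50.0/24. The local subnets are the ones from the question.

# 1. Overload (PAT) pool: every internal source is translated to 172.16.100.1.
config firewall ippool
    edit "NAT-TO-PALO"
        set type overload
        set startip 172.16.100.1
        set endip 172.16.100.1
    next
end

# 2. Address objects: the three local subnets, the post-NAT /32 and the remote LAN.
config firewall address
    edit "PROD_NET"
        set subnet 172.16.10.0 255.255.255.0
    next
    edit "TRAINING_NET"
        set subnet 10.10.10.0 255.255.255.0
    next
    edit "DIALUP_NET"
        set subnet 10.80.10.0 255.255.255.0
    next
    edit "POST_NAT_IP"
        set subnet 172.16.100.1 255.255.255.255
    next
    edit "PALO_LAN"
        set subnet 192.168.50.0 255.255.255.0
    next
end

# 3. Phase 2 selectors on the existing route-based tunnel: the local side is the
#    post-NAT /32, not the real subnets. The Palo Alto proxy ID must mirror this
#    (local 192.168.50.0/24, remote 172.16.100.1/32) or phase 2 will not come up.
config vpn ipsec phase2-interface
    edit "to-palo-p2"
        set phase1name "to-palo"
        set src-addr-type subnet
        set src-subnet 172.16.100.1 255.255.255.255
        set dst-addr-type subnet
        set dst-subnet 192.168.50.0 255.255.255.0
    next
end

# 4. Route the remote LAN into the tunnel interface (a route-based VPN needs this).
config router static
    edit 0
        set dst 192.168.50.0 255.255.255.0
        set device "to-palo"
    next
end

# 5. One outbound policy with SNAT from the pool. No inbound policy is created:
#    172.16.100.1 is a NAT address, not a host, so only sessions initiated from
#    this side can exist, which is what makes the setup unidirectional.
config firewall policy
    edit 0
        set name "lan-to-palo-snat"
        set srcintf "internal" "dialup-p1"
        set dstintf "to-palo"
        set srcaddr "PROD_NET" "TRAINING_NET" "DIALUP_NET"
        set dstaddr "PALO_LAN"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
        set ippool enable
        set poolname "NAT-TO-PALO"
    next
end
```

To check it, `diagnose vpn tunnel list name to-palo` should show the negotiated selector with the /32 as the local side, and a session towards 192.168.50.0/24 in `diagnose sys session list` should carry an `act=snat` entry with 172.16.100.1 as the translated source. If the dial-up users are SSL VPN rather than IPsec dial-up, the source interface in the policy is `ssl.root` instead of the assumed "dialup-p1".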
daniyal
New Contributor

Thanks Ken,

Please clarify one thing regarding Q2: does the 'yes' count for route-based VPN, or does it count for policy-based VPN?

Apologies for my dumbness :D

 

emnoc
Esteemed Contributor III

Route-based.

Ken Felix
PCNSE NSE StrongSwan
daniyal
New Contributor

Thank you so much, Ken.

Appreciate it.
