Being a Cisco ASA man for years, I am new to FortiGate. I have just configured my first site-to-site VPN.
I had to use NAT to hide the real remote site IP from Local. Traffic can be initiated from either end.
These are the requirements:
Local 10.50.0.0/24 (Local) to 10.150.34.0/24 (Remote-NAT), NATed to 172.18.36.0/24 (Remote) on the FortiGate.
So the tunnel comes up OK using Local to Remote.
Firewall rules:
Outbound: Local to Remote-NAT (using a virtual IP to translate to Remote)
Inbound: Remote to Local (using IP pools to translate to Remote-NAT)
This all works, but my question is:
On Cisco you only require one NAT rule, which will cover both inbound and outbound,
but it looks like on FortiGate I need two: one defined in virtual IP and the other in IP pools.
Am I doing something wrong?
Yes, that's correct. That gives you more flexibility in some cases. But I guess it probably came from necessity, since the FW handles traffic/sessions separately by their originating direction.
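For readers who want to see the two-object layout from the thread written out, here is a FortiOS CLI configuration built from the addresses in the question. It is an added example, not the poster's or Fortinet's configuration. Interface names (`port2` for the local LAN, `to-remote` for the IPsec tunnel interface), object names, and the policy IDs are assumptions; the phase 1/phase 2 definitions are omitted, and the phase 2 selectors are assumed to be 10.50.0.0/24 to 172.18.36.0/24, because the destination NAT is applied before the packet enters the tunnel.

```text
# Address objects for the real local and real remote subnets (names are assumed).
config firewall address
    edit "net-local"
        set subnet 10.50.0.0 255.255.255.0
    next
    edit "net-remote"
        set subnet 172.18.36.0 255.255.255.0
    next
end

# Route the real remote subnet into the tunnel so the translated packets are encrypted.
config router static
    edit 0
        set dst 172.18.36.0 255.255.255.0
        set device "to-remote"
    next
end

# Outbound direction: local hosts talk to 10.150.34.x; the range VIP rewrites the
# destination to 172.18.36.x (offset-based, host .10 maps to host .10).
# extintf is the interface the local hosts arrive on, assumed to be port2.
config firewall vip
    edit "vip-remote-nat"
        set extintf "port2"
        set extip 10.150.34.1-10.150.34.254
        set mappedip "172.18.36.1-172.18.36.254"
    next
end

# Inbound direction: remote hosts arrive with source 172.18.36.x; the one-to-one
# pool rewrites that source to 10.150.34.x so local hosts never see the real IP.
config firewall ippool
    edit "pool-remote-nat"
        set type one-to-one
        set startip 10.150.34.1
        set endip 10.150.34.254
    next
end

config firewall policy
    # Local -> Remote: destination is the VIP object, no source NAT needed.
    edit 0
        set name "local-to-remote"
        set srcintf "port2"
        set dstintf "to-remote"
        set srcaddr "net-local"
        set dstaddr "vip-remote-nat"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    # Remote -> Local: source NAT through the IP pool.
    edit 0
        set name "remote-to-local"
        set srcintf "to-remote"
        set dstintf "port2"
        set srcaddr "net-remote"
        set dstaddr "net-local"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
        set ippool enable
        set poolname "pool-remote-nat"
    next
end
```

Two points worth checking after applying something like this. First, the range VIP maps addresses by offset, but a one-to-one IP pool assigns external addresses on a first-come, first-served basis, so a remote host is not guaranteed to appear under the same 10.150.34.x address across sessions; if local ACLs or logs depend on a fixed mapping, confirm the behaviour with `diagnose sys session list` and consider per-host VIP and pool objects instead of one range. Second, the VIP policy direction only installs the reverse translation for replies inside an existing session, which is why remote-initiated traffic needs its own policy and pool rather than riding on the VIP.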
Copyright 2025 Fortinet, Inc. All Rights Reserved.