Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
JLP
New Contributor

Using a VIP with a Cisco Policy based VPN

I have the following configuration 

 

 

10.20.x.x/16    [Cisco ASA]   <--> [FGT]     FGT-INT2 [192.168.5.1/24]   -> Downstream subnet10.20.0.0/16

 

I need for staff on the Cisco Side 10.20/16 network to access a server on the FGt side 10.20/16 remote subnet. The VPN is Policy based.

 

Ideally I would like to front the server on the right side with a unique IP address (maybe VIP) - but not sure if VIP will work on the FGT side with a Policy based VPN 

 

Ideally  10.20/16 ---> 192.168.5.5 [VIP] -- 10.20.16.1/32 

 

I have configured, the logs show the traffic coming in and sending it to VIP but no traffic is sent to the remote network from the VIP 

 

I am not sure a VIP will work in this scenario tbh.

 

Any guidance would be appreciated.

1 Solution
jintrah_FTNT
Staff
Staff

Hi,

 

You have overlapping subnets, how could the VIP determine where the 10.20.16.1 host is? Should it send the traffic back to cisco side or to remote network?

 

So basically, you need to NAT networks at both ends like the example here Administration Guide | FortiGate / FortiOS 6.4.5 | Fortinet Documentation Library

 

Best regards,

Jin

View solution in original post

1 REPLY 1
jintrah_FTNT
Staff
Staff

Hi,

 

You have overlapping subnets, how could the VIP determine where the 10.20.16.1 host is? Should it send the traffic back to cisco side or to remote network?

 

So basically, you need to NAT networks at both ends like the example here Administration Guide | FortiGate / FortiOS 6.4.5 | Fortinet Documentation Library

 

Best regards,

Jin

Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors