Using a VIP with a Cisco Policy based VPN

JLP · ‎06-20-2022

I have the following configuration

10.20.x.x/16 [Cisco ASA] <--> [FGT] FGT-INT2 [192.168.5.1/24] -> Downstream subnet10.20.0.0/16

I need for staff on the Cisco Side 10.20/16 network to access a server on the FGt side 10.20/16 remote subnet. The VPN is Policy based.

Ideally I would like to front the server on the right side with a unique IP address (maybe VIP) - but not sure if VIP will work on the FGT side with a Policy based VPN

Ideally 10.20/16 ---> 192.168.5.5 [VIP] -- 10.20.16.1/32

I have configured, the logs show the traffic coming in and sending it to VIP but no traffic is sent to the remote network from the VIP

I am not sure a VIP will work in this scenario tbh.

Any guidance would be appreciated.

jintrah_FTNT · ‎06-20-2022

Hi,

You have overlapping subnets, how could the VIP determine where the 10.20.16.1 host is? Should it send the traffic back to cisco side or to remote network?

So basically, you need to NAT networks at both ends like the example here Administration Guide | FortiGate / FortiOS 6.4.5 | Fortinet Documentation Library

Best regards,

Jin

View solution in original post

jintrah_FTNT · ‎06-20-2022

Hi,

You have overlapping subnets, how could the VIP determine where the 10.20.16.1 host is? Should it send the traffic back to cisco side or to remote network?

So basically, you need to NAT networks at both ends like the example here Administration Guide | FortiGate / FortiOS 6.4.5 | Fortinet Documentation Library

Best regards,

Jin

Using a VIP with a Cisco Policy based VPN

Nominate a Forum Post for Knowledge Article Creation

You are leaving our website