Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
michael_fees
New Contributor

VPN (IPSec or SSL) Client Access to a Fortigate 500D behind a provider network with NAT

Hi,

We changed the dedicated line to a dedicated line behind a provider network. Our outside interface has a number like 198.18.152.2/28. The external address of the VPN endpoint must be 212.211.112.160/28.

Inside SSL-VPN configuration that means: I can only configure the outside interface as the endpoint for VPN. So in SSL-VPN Settings I can't change from https://198.18.152.2:<port> to https://212.211.112.160:<port>. And inside the IPSec Tunnels I can bind only the outside interface. The ISAKMP are received at 212.211.112.160 but IPSec is mapped to the outside 198.18.152.2.

There is a virtual IP static NAT address mapping external IP address 198.18.152.2 to mapped IP address 212.211.112.160.

Has anyone a good suggestion? Thank you in advance.

Michael

Toshi_Esumi
SuperUser

Only way I can see is:

[SSL VPN]

- get the <port> forwarded at the vendor's NAT device to 198.18.152.2 (it's a public IP though)

- the client side uses 212.211.112.160:<port>

[IPsec]

- get UDP 500, 4500 forwarded at the vendor's NAT device to 198.18.152.2

- get ESP protocol passed through the NAT device

 

Otherwise, they wouldn't work. If 198.18.152.2 is actually a public IP reachable from the internet, asking vendor not to NAT is the best option.
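
How IKEv2 peers notice an address translation like the one in this thread, as an added example that is not part of the original posts and is not Fortinet code: RFC 7296 NAT detection hashes the SPIs, IP and port, and a mismatch moves IKE to UDP 4500 with ESP carried in UDP. The SPI values are constructed samples and the function names are hypothetical.

```python
import hashlib
import ipaddress
import struct


def nat_detection_hash(spi_i: bytes, spi_r: bytes, ip: str, port: int) -> bytes:
    """RFC 7296 NAT_DETECTION_*_IP data: SHA-1(SPIi | SPIr | IP | port)."""
    if len(spi_i) != 8 or len(spi_r) != 8:
        raise ValueError("IKE SPIs are 8 bytes each")
    addr = ipaddress.ip_address(ip).packed
    return hashlib.sha1(spi_i + spi_r + addr + struct.pack("!H", port)).digest()


def nat_detected(peer_hash: bytes, spi_i: bytes, spi_r: bytes,
                 seen_ip: str, seen_port: int) -> bool:
    """True when the peer's hash does not match the address seen on the wire."""
    return peer_hash != nat_detection_hash(spi_i, spi_r, seen_ip, seen_port)


def transport_after_detection(nat: bool) -> dict:
    """What the tunnel uses next, and so what the upstream device must pass."""
    if nat:
        return {"ike_udp_port": 4500, "esp": "UDP-encapsulated on 4500"}
    return {"ike_udp_port": 500, "esp": "native IP protocol 50"}


# Constructed sample values; addresses are the ones quoted in the thread.
SPI_I = bytes.fromhex("1122334455667788")
SPI_R = bytes(8)                        # zero in the first IKE_SA_INIT request
CLIENT_TARGET = ("212.211.112.160", 500)   # address the VPN client dials
FORTIGATE_IF = ("198.18.152.2", 500)       # address on the outside interface


def responder_check(dialed: tuple, received_on: tuple) -> dict:
    """The client hashes the destination it dialed; the gateway compares that
    with the destination address the packet actually arrived on."""
    dest_hash = nat_detection_hash(SPI_I, SPI_R, *dialed)
    return transport_after_detection(
        nat_detected(dest_hash, SPI_I, SPI_R, *received_on))


if __name__ == "__main__":
    print("translated path :", responder_check(CLIENT_TARGET, FORTIGATE_IF))
    print("untranslated    :", responder_check(FORTIGATE_IF, FORTIGATE_IF))
```
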
