
VPN multiple remote subnets SNAT to 1 NAT pool



I have a Fortigate 100E that I use as a firewall/VPN. I am encountering the following problem:

Only one remote subnet gets translated (SNAT) on the fortigate; the second one doesn't get translated.


SEC (VPN) # diagnose sniffer packet any 'dst host'
interfaces=[any]
filters=[dst host]
16.538757 -> syn 3019323432
16.538863 -> syn 3019323432
16.538869 -> syn 3019323432
16.538875 -> syn 3019323432
16.556685 -> ack 533124325
16.556731 -> ack 533124325
16.556736 -> ack 533124325
16.556741 -> ack 533124325


SEC (VPN) # diagnose sniffer packet any 'dst host'
interfaces=[any]
filters=[dst host]
15.330363 -> syn 508999052
16.334103 -> syn 508999052
18.347741 -> syn 508999052
22.350150 -> syn 508999052


A remote site (sonicwall) has two subnets that need to connect to the local site (fortigate 100E) with multiple subnets.

Remote subnets and These subnets are grouped in "Remote-SiteA-grp"

Local subnets, and These subnets are grouped in "Local-Application-grp"

On the fortigate I have an IP pool

Name: "SNAT-Remote-SiteA" 

Type: Overload

External IP Range: - 


On the fortigate I configured the IPsec tunnel, the tunnel is UP.


Incoming Policy:

Name: From_L2L_Remote-SiteA

Incoming Interface: L2L_Remote-SiteA

Outgoing Interface: VPN-external

Source: Remote-SiteA-grp

Destination: Local-Application-grp


NAT: enabled

IP Pool Configuration: Use Dynamic IP Pool

Using pool: SNAT-Remote-SiteA


There is also an outgoing policy:

Name: To_L2L_Remote-SiteA

Incoming Interface: VPN-external

Outgoing Interface: L2L_Remote-SiteA

Source: Local-Application-grp

Destination: Remote-SiteA-grp


Any idea what goes wrong here?
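
An added example, not part of the original posts: a short Python reading of the two sniffer captures above. It assumes that with `any` as the interface the sniffer prints one line per interface a packet crosses, and that the same SYN number repeated seconds later is a TCP retransmission; the function name and the 0.05 s window are assumptions of this example.

```python
import re

# Constructed from the two captures in the question, one packet per line.
# Addresses and interface names are absent on the page, so none appear here.
CAPTURE_1 = """16.538757 -> syn 3019323432
16.538863 -> syn 3019323432
16.538869 -> syn 3019323432
16.538875 -> syn 3019323432
16.556685 -> ack 533124325
16.556731 -> ack 533124325
16.556736 -> ack 533124325
16.556741 -> ack 533124325"""
CAPTURE_2 = """15.330363 -> syn 508999052
16.334103 -> syn 508999052
18.347741 -> syn 508999052
22.350150 -> syn 508999052"""

PACKET = re.compile(r"^(\d+\.\d+)\b.*?\b(syn|ack)[ \t]+(\d+)[ \t]*$", re.M)
SAME_PACKET_WINDOW = 0.05  # seconds; assumed threshold, tune for your link latency


def summarize_syns(capture):
    """Group SYNs by sequence number and separate per-interface copies of one
    packet (microseconds apart) from TCP retransmissions (seconds apart)."""
    packets = [(float(t), flag, int(n)) for t, flag, n in PACKET.findall(capture)]
    last_ack = max((t for t, flag, _ in packets if flag == "ack"), default=None)
    by_seq = {}
    for t, flag, num in packets:
        if flag == "syn":
            by_seq.setdefault(num, []).append(t)
    report = {}
    for seq, times in by_seq.items():
        times.sort()
        sends = [[times[0]]]  # each inner list = one transmission and its copies
        for t in times[1:]:
            if t - sends[-1][-1] <= SAME_PACKET_WINDOW:
                sends[-1].append(t)
            else:
                sends.append([t])
        report[seq] = {
            "copies_per_send": [len(s) for s in sends],
            "retransmit_gaps": [round(b[0] - a[0], 1) for a, b in zip(sends, sends[1:])],
            "ack_followed": last_ack is not None and last_ack > times[0],
        }
    return report


if __name__ == "__main__":
    for name, cap in (("capture 1", CAPTURE_1), ("capture 2", CAPTURE_2)):
        print(name, summarize_syns(cap))
```

A single send seen four times and followed by an ack points to a handshake that progressed; four sends spaced roughly 1, 2 and 4 seconds apart with no ack points to a SYN that never got an answer, which is where a debug flow trace on that source is most useful.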



Hi paulvisser, try to perform a debug flow on the FGT to get a better understanding of the packet flow. Refer to for debug flow.




From my understanding that is your scenario.

Could you please check if you have the right routing entries and the phase2 settings are correct?



Next, we need the formatted output from the debug flow as @ESCHAN_FTNT has written.

- Have you found a solution? Then give your helper a "Like" and mark the solution.