Unlock Exclusive Benefits
Join Our Community Today!
Join our community and post in the forum to earn your exclusive Holiday badge! Become a member today!
LOGIN/REGISTER
CONTINUE AS A GUEST
- Support Forum
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDLP
- FortiDevSec
- FortiDeceptor
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiHypervisor
- FortiGuard
- FortiInsight
- FortiIsolator
- FortiMail
- FortiMonitor
- FortiManager
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPhish
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSRA
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- FortiAppSec Cloud
- Lacework
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Support Forum
- Re: VPN site to Site with overlap subnet Nat 1 add...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
VPN site to Site with overlap subnet Nat 1 address
Hello all,
I have a situation
Site A
subet 192.168.100.x/24
subnet 10.80.14.x/24
Site B
Subnet 192.168.100.x/24
traffic will only be initiated from site A --> 10.80.14.x
The vpn is up and running, but we want to NAT from site A to B.
If a user from site A pings to 10.80.255.254 it must be natted to 192.168.100.6 over the vpn to the other side.
We have all the policies in place.
But it is still not working.
Could someone send me in the right direction?
Which settings do i need to make to change the destination adress 10.80.255.254 natted to 192.168.100.6?
The package should be changed from:
src addr: 10.80.14.x --> dest addr: 10.80.255.254
src addr: 10.80.14.x --> dest addr: 192.168.100.6 (translated on the fortigate)
Thank you very much for spending time !
Solved! Go to Solution.
Nominate a Forum Post for Knowledge Article Creation
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
1 Solution
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You could do that with one-for-one static nat'ing on the ASA, but what I would on the cisco is something like this but in the reverse.
http://socpuppet.blogspot.com/2014/05/source-nat-based-on-destination-for-vpn.html
And on the fortigate you would source NAT the siteA address behind a ip-pool attached to your fwpolicy(s) and in your vpn-phase2 proxy-ids you install the "cisco ASA address that mask the 192.168.100.0/24 behind " & "ip pool" for the dst-subnet and src-subnet
so the traffic would look like the following;
FGT_A-10.18.14.xxx > SNAT-10.80.255.254------------------------->ASA_B:MASKED-addresses:-A.B.C.D----->192.168.100.x
The 1st part would be very easily to do on the FGT side. Your route would also have to point to the MASKED_address that covers the remote subnet at the far-end.
config vpn ipsec phase2-interface
edit "FGT2ASA-P2" set auto-negotiate enable set phase1name "FGT2ASAtunnel" set proposal 3des-sha1 aes128-sha1 set dhgrp 2 set dst-subnet x.x.x.0 255.255.255.0 <-----cisco address that 's used in the 1n1 nat set keylifeseconds 3600 set src-subnet 10.80.255.254 255.255.255.255 <-----FGT address that 's used in the nat-pool & policy next
And in your rt you will have something like the following;
config router static
edit 55 set device "FGT2ASAtunnel" set dst x.x.x.x 255.255.255.0 next
You might want to look at policy-based vpns, they give you some additonal function for overlaps. But the above ideal is what I would do. In the long run this will avoid collisions if any new networks are added. Overlapping subnets can be challenging in a rfc1918 address space.
I hope that's clear and you would have to build that thru the WebGUI.
PCNSE
NSE
StrongSwan
PCNSE
NSE
StrongSwan
7 REPLIES 7
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hmm......
Since the vpn on fortigateA is initializing the traffic could you apply a ip-pool and assigned to those policies you allow to SNAT the sources but you will also need some VIP for DNAT. A local client on 10.80.14.xxx will need a different dst address to hit in order to route out of the fortigate.
You didn't memention what type of vpn but I would think a rt-based would fail in this case ( how would you route to 192.168.100.x/24 ) with out colliding with the 192.168.100.x interface?
FWIW if site B is a Fortigate :
What i don't understand, "is 10.80.255.254 part of the vpn scope" You could easily apply vip on siteB and do a 1n1 via range
10.80.255.1 >> 192.168.100.1
10.80.255.2 >> 192.168.100.3
10.80.255.3 >> 192.168.100.3
and so on.
So is site B a fortigate? or something else ?
PCNSE
NSE
StrongSwan
PCNSE
NSE
StrongSwan
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Site B is a cisco device.
I was thinking about VIP.
we only use 192.168.100.6 in site B.
That's why we only want 1 adres in Site A to nat to.
The problem is: This fortigate 110C on site A is a shared environment.
So I can only use the webinterface.
Could you tell me, how this is aranged in the webinterface ?
there is no device connecting from site a 192.168.100.x to site B. so i think we can use routed based vpn
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
There is one thing to keep in mind.
I can't change any settings in the cisco.
The only thing I want to translate is 192.168.100.6 to 10.80.255.254.
I made a policy rule which nat 192.168.100.6 to 10.80.255.254 (from vpn to internal) this works as I can see the source adress is changed in wireshark.
The only thing I can't get working is 10.80.255.254 to 192.168.100.6.
I made a virtual IP adress and set it on the VPN interface.
I made a route to 10.80.255.254 to the VPN interface.
But I looks likes the virtual IP is not static natting it to the other side because it wont give me a Reply or any other sevice from getting a reply.
In de log files I can see that the traffic is comming in : I see x.x.x.x to 10.80.255.254 DENY . The destination is not the VPN interface but the virtual Domain.
I don't know why it is not working...
I think there are 2 problems.
1. the virtual ip is not static natting the destination address.
2. It looks like the traffic is blocked
Keep in mind I only want to translate the 192.168.100.6 address. I don't want to translate anyting else... because no one in the 192.168.100.x network on site A will even use this VPN connection.
Please could you put me in the right direction?
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
There is one thing to keep in mind. I can't change any settings in the cisco. The only thing I want to translate is 192.168.100.6 to 10.80.255.254. I made a policy rule which nat 192.168.100.6 to 10.80.255.254 (from vpn to internal) this works as I can see the source adress is changed in wireshark. The only thing I can't get working is 10.80.255.254 to 192.168.100.6. I made a virtual IP adress and set it on the VPN interface. I made a route to 10.80.255.254 to the VPN interface. But I looks likes the virtual IP is not static natting it to the other side because it wont give me a Reply or any other sevice from getting a reply. In de log files I can see that the traffic is comming in : I see x.x.x.x to 10.80.255.254 DENY . The destination is not the VPN interface but the virtual Domain. I don't know why it is not working... I think there are 2 problems. 1. the virtual ip is not static natting the destination address. 2. It looks like the traffic is blocked Keep in mind I only want to translate the 192.168.100.6 address. I don't want to translate anyting else... because no one in the 192.168.100.x network on site A will even use this VPN connection. Please could you put me in the right direction?
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You could do that with one-for-one static nat'ing on the ASA, but what I would on the cisco is something like this but in the reverse.
http://socpuppet.blogspot.com/2014/05/source-nat-based-on-destination-for-vpn.html
And on the fortigate you would source NAT the siteA address behind a ip-pool attached to your fwpolicy(s) and in your vpn-phase2 proxy-ids you install the "cisco ASA address that mask the 192.168.100.0/24 behind " & "ip pool" for the dst-subnet and src-subnet
so the traffic would look like the following;
FGT_A-10.18.14.xxx > SNAT-10.80.255.254------------------------->ASA_B:MASKED-addresses:-A.B.C.D----->192.168.100.x
The 1st part would be very easily to do on the FGT side. Your route would also have to point to the MASKED_address that covers the remote subnet at the far-end.
config vpn ipsec phase2-interface
edit "FGT2ASA-P2" set auto-negotiate enable set phase1name "FGT2ASAtunnel" set proposal 3des-sha1 aes128-sha1 set dhgrp 2 set dst-subnet x.x.x.0 255.255.255.0 <-----cisco address that 's used in the 1n1 nat set keylifeseconds 3600 set src-subnet 10.80.255.254 255.255.255.255 <-----FGT address that 's used in the nat-pool & policy next
And in your rt you will have something like the following;
config router static
edit 55 set device "FGT2ASAtunnel" set dst x.x.x.x 255.255.255.0 next
You might want to look at policy-based vpns, they give you some additonal function for overlaps. But the above ideal is what I would do. In the long run this will avoid collisions if any new networks are added. Overlapping subnets can be challenging in a rfc1918 address space.
I hope that's clear and you would have to build that thru the WebGUI.
PCNSE
NSE
StrongSwan
PCNSE
NSE
StrongSwan
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I understand your issues, have you tried diag debug flow ? And have you tried to look at policy-based vpns?
But have issues where you reallyned both DNAT and SNAT.
PCNSE
NSE
StrongSwan
PCNSE
NSE
StrongSwan
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I know this is an old one, but it was a big help for me few days ago. Thank you emnoc !!
Announcements
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
Labels
-
FortiGate
8,693 -
FortiClient
1,762 -
5.2
801 -
FortiManager
729 -
5.4
639 -
FortiAnalyzer
558 -
FortiSwitch
475 -
FortiAP
471 -
FortiClient EMS
431 -
6.0
416 -
5.6
362 -
FortiMail
318 -
6.2
251 -
SSL-VPN
245 -
FortiAuthenticator v5.5
234 -
IPsec
208 -
FortiWeb
205 -
5.0
196 -
FortiNAC
189 -
FortiGuard
139 -
6.4
128 -
SD-WAN
115 -
FortiAuthenticator
103 -
FortiGateCloud
102 -
FortiSIEM
99 -
FortiCloud Products
96 -
FortiToken
92 -
Firewall policy
82 -
Customer Service
79 -
Wireless Controller
79 -
4.0MR3
64 -
FortiProxy
60 -
High Availability
56 -
FortiADC
54 -
Fortivoice
53 -
FortiEDR
52 -
vlan
51 -
ZTNA
49 -
Routing
46 -
FortiExtender
45 -
FortiSandbox
44 -
DNS
43 -
FortiDNS
42 -
LDAP
41 -
BGP
40 -
Authentication
38 -
FortiGate v5.4
35 -
SAML
35 -
NAT
35 -
FortiSwitch v6.4
34 -
RADIUS
34 -
Certificate
34 -
SSO
33 -
Interface
31 -
VDOM
30 -
FortiConnect
29 -
FortiLink
29 -
FortiWAN
27 -
Web profile
27 -
Application control
26 -
FortiConverter
25 -
Logging
25 -
FortiGate v5.2
24 -
Virtual IP
24 -
SSL SSH inspection
23 -
FortiPAM
22 -
Fortigate Cloud
20 -
FortiSwitch v6.2
19 -
FortiPortal
19 -
FortiMonitor
18 -
Traffic shaping
17 -
WAN optimization
16 -
FortiDDoS
15 -
OSPF
15 -
SSID
15 -
Automation
15 -
FortiGate v5.0
14 -
FortiSOAR
14 -
Static route
14 -
System settings
14 -
Web application firewall profile
14 -
IP address management - IPAM
14 -
SNMP
13 -
FortiGate-VM
12 -
FortiCASB
12 -
Admin
12 -
FortiManager v5.0
11 -
FortiRecorder
11 -
Security profile
11 -
FortiManager v4.0
10 -
IPS signature
10 -
FortiAP profile
10 -
Proxy policy
10 -
4.0MR2
9 -
FortiGate v4.0 MR3
9 -
FortiWeb v5.0
9 -
FortiBridge
9 -
Traffic shaping policy
9 -
Intrusion prevention
9 -
FortiDeceptor
8 -
RMA Information and Announcements
8 -
Port policy
8 -
4.0
7 -
FortiAnalyzer v5.0
7 -
FortiCache
7 -
DNS filter
7 -
Antivirus profile
7 -
Fabric connector
7 -
FortiToken Cloud
6 -
Explicit proxy
6 -
trunk
6 -
Packet capture
6 -
Traffic shaping profile
6 -
Web rating
6 -
Fortinet Engage Partner Program
6 -
FortiTester
5 -
Users
5 -
Email filter profile
5 -
3.6
4 -
FortiCarrier
4 -
FortiScan
4 -
FortiDirector
4 -
API
4 -
Internet service database
4 -
Application signature
4 -
Authentication rule and scheme
4 -
DLP sensor
4 -
Netflow
4 -
Replacement messages
4 -
Cloud Management Security
4 -
FortiDB
3 -
FortiHypervisor
3 -
FortiNDR
3 -
NAC policy
3 -
DLP Dictionary
3 -
DLP profile
3 -
DoS policy
3 -
Protocol option
3 -
TACACS
3 -
SDN connector
3 -
Service
3 -
VoIP profile
3 -
Multicast routing
3 -
FortiInsight
2 -
FortiAI
2 -
Kerberos
2 -
Schedule
2 -
Multicast policy
2 -
Zone
2 -
4.0MR1
1 -
FortiManager-VM
1 -
FortiCWP
1 -
Subscription Renewal Policy
1 -
Video Filter
1 -
ICAP profile
1 -
Vulnerability Management
1
Top Kudoed Authors
| User | Count |
|---|---|
| 1712 | |
| 1093 | |
| 752 | |
| 447 | |
| 231 |
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.