Hello all,
I have a situation
Site A
subet 192.168.100.x/24
subnet 10.80.14.x/24
Site B
Subnet 192.168.100.x/24
traffic will only be initiated from site A --> 10.80.14.x
The vpn is up and running, but we want to NAT from site A to B.
If a user from site A pings to 10.80.255.254 it must be natted to 192.168.100.6 over the vpn to the other side.
We have all the policies in place.
But it is still not working.
Could someone send me in the right direction?
Which settings do i need to make to change the destination adress 10.80.255.254 natted to 192.168.100.6?
The package should be changed from:
src addr: 10.80.14.x --> dest addr: 10.80.255.254
src addr: 10.80.14.x --> dest addr: 192.168.100.6 (translated on the fortigate)
Thank you very much for spending time !
Solved! Go to Solution.
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
You could do that with one-for-one static nat'ing on the ASA, but what I would on the cisco is something like this but in the reverse.
http://socpuppet.blogspot.com/2014/05/source-nat-based-on-destination-for-vpn.html
And on the fortigate you would source NAT the siteA address behind a ip-pool attached to your fwpolicy(s) and in your vpn-phase2 proxy-ids you install the "cisco ASA address that mask the 192.168.100.0/24 behind " & "ip pool" for the dst-subnet and src-subnet
so the traffic would look like the following;
FGT_A-10.18.14.xxx > SNAT-10.80.255.254------------------------->ASA_B:MASKED-addresses:-A.B.C.D----->192.168.100.x
The 1st part would be very easily to do on the FGT side. Your route would also have to point to the MASKED_address that covers the remote subnet at the far-end.
config vpn ipsec phase2-interface
edit "FGT2ASA-P2" set auto-negotiate enable set phase1name "FGT2ASAtunnel" set proposal 3des-sha1 aes128-sha1 set dhgrp 2 set dst-subnet x.x.x.0 255.255.255.0 <-----cisco address that 's used in the 1n1 nat set keylifeseconds 3600 set src-subnet 10.80.255.254 255.255.255.255 <-----FGT address that 's used in the nat-pool & policy next
And in your rt you will have something like the following;
config router static
edit 55 set device "FGT2ASAtunnel" set dst x.x.x.x 255.255.255.0 next
You might want to look at policy-based vpns, they give you some additonal function for overlaps. But the above ideal is what I would do. In the long run this will avoid collisions if any new networks are added. Overlapping subnets can be challenging in a rfc1918 address space.
I hope that's clear and you would have to build that thru the WebGUI.
PCNSE
NSE
StrongSwan
Hmm......
Since the vpn on fortigateA is initializing the traffic could you apply a ip-pool and assigned to those policies you allow to SNAT the sources but you will also need some VIP for DNAT. A local client on 10.80.14.xxx will need a different dst address to hit in order to route out of the fortigate.
You didn't memention what type of vpn but I would think a rt-based would fail in this case ( how would you route to 192.168.100.x/24 ) with out colliding with the 192.168.100.x interface?
FWIW if site B is a Fortigate :
What i don't understand, "is 10.80.255.254 part of the vpn scope" You could easily apply vip on siteB and do a 1n1 via range
10.80.255.1 >> 192.168.100.1
10.80.255.2 >> 192.168.100.3
10.80.255.3 >> 192.168.100.3
and so on.
So is site B a fortigate? or something else ?
PCNSE
NSE
StrongSwan
Site B is a cisco device.
I was thinking about VIP.
we only use 192.168.100.6 in site B.
That's why we only want 1 adres in Site A to nat to.
The problem is: This fortigate 110C on site A is a shared environment.
So I can only use the webinterface.
Could you tell me, how this is aranged in the webinterface ?
there is no device connecting from site a 192.168.100.x to site B. so i think we can use routed based vpn
There is one thing to keep in mind.
I can't change any settings in the cisco.
The only thing I want to translate is 192.168.100.6 to 10.80.255.254.
I made a policy rule which nat 192.168.100.6 to 10.80.255.254 (from vpn to internal) this works as I can see the source adress is changed in wireshark.
The only thing I can't get working is 10.80.255.254 to 192.168.100.6.
I made a virtual IP adress and set it on the VPN interface.
I made a route to 10.80.255.254 to the VPN interface.
But I looks likes the virtual IP is not static natting it to the other side because it wont give me a Reply or any other sevice from getting a reply.
In de log files I can see that the traffic is comming in : I see x.x.x.x to 10.80.255.254 DENY . The destination is not the VPN interface but the virtual Domain.
I don't know why it is not working...
I think there are 2 problems.
1. the virtual ip is not static natting the destination address.
2. It looks like the traffic is blocked
Keep in mind I only want to translate the 192.168.100.6 address. I don't want to translate anyting else... because no one in the 192.168.100.x network on site A will even use this VPN connection.
Please could you put me in the right direction?
There is one thing to keep in mind. I can't change any settings in the cisco. The only thing I want to translate is 192.168.100.6 to 10.80.255.254. I made a policy rule which nat 192.168.100.6 to 10.80.255.254 (from vpn to internal) this works as I can see the source adress is changed in wireshark. The only thing I can't get working is 10.80.255.254 to 192.168.100.6. I made a virtual IP adress and set it on the VPN interface. I made a route to 10.80.255.254 to the VPN interface. But I looks likes the virtual IP is not static natting it to the other side because it wont give me a Reply or any other sevice from getting a reply. In de log files I can see that the traffic is comming in : I see x.x.x.x to 10.80.255.254 DENY . The destination is not the VPN interface but the virtual Domain. I don't know why it is not working... I think there are 2 problems. 1. the virtual ip is not static natting the destination address. 2. It looks like the traffic is blocked Keep in mind I only want to translate the 192.168.100.6 address. I don't want to translate anyting else... because no one in the 192.168.100.x network on site A will even use this VPN connection. Please could you put me in the right direction?
You could do that with one-for-one static nat'ing on the ASA, but what I would on the cisco is something like this but in the reverse.
http://socpuppet.blogspot.com/2014/05/source-nat-based-on-destination-for-vpn.html
And on the fortigate you would source NAT the siteA address behind a ip-pool attached to your fwpolicy(s) and in your vpn-phase2 proxy-ids you install the "cisco ASA address that mask the 192.168.100.0/24 behind " & "ip pool" for the dst-subnet and src-subnet
so the traffic would look like the following;
FGT_A-10.18.14.xxx > SNAT-10.80.255.254------------------------->ASA_B:MASKED-addresses:-A.B.C.D----->192.168.100.x
The 1st part would be very easily to do on the FGT side. Your route would also have to point to the MASKED_address that covers the remote subnet at the far-end.
config vpn ipsec phase2-interface
edit "FGT2ASA-P2" set auto-negotiate enable set phase1name "FGT2ASAtunnel" set proposal 3des-sha1 aes128-sha1 set dhgrp 2 set dst-subnet x.x.x.0 255.255.255.0 <-----cisco address that 's used in the 1n1 nat set keylifeseconds 3600 set src-subnet 10.80.255.254 255.255.255.255 <-----FGT address that 's used in the nat-pool & policy next
And in your rt you will have something like the following;
config router static
edit 55 set device "FGT2ASAtunnel" set dst x.x.x.x 255.255.255.0 next
You might want to look at policy-based vpns, they give you some additonal function for overlaps. But the above ideal is what I would do. In the long run this will avoid collisions if any new networks are added. Overlapping subnets can be challenging in a rfc1918 address space.
I hope that's clear and you would have to build that thru the WebGUI.
PCNSE
NSE
StrongSwan
I understand your issues, have you tried diag debug flow ? And have you tried to look at policy-based vpns?
But have issues where you reallyned both DNAT and SNAT.
PCNSE
NSE
StrongSwan
I know this is an old one, but it was a big help for me few days ago. Thank you emnoc !!
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1713 | |
1093 | |
752 | |
447 | |
231 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.