Gman
New Contributor

VPN with local addresses NAT'd to WAN1?

Hi

 

I'm trying to migrate from a Cisco VPN router to a FortiGate firewall. There is a VPN already configured which I need to move over to the FortiGate. The setup is a bit strange. On the remote end the config is pretty standard; they use a private IP range for their encryption domain. But on the FortiGate I will have to NAT all the local private IPs to the FortiGate WAN1 IP and then encrypt traffic from the WAN1 IP address through the tunnel. Will this work? I set up my policy using the wizard but wonder if I will need another policy to do the NAT to WAN1? Thanks in advance for any advice!

 

Thanks

G

FortiAdam
Contributor II

Yes, you can do that by enabling SNAT with an IP pool on your internal > VPN firewall policy.

 

The IP pool you create will need to be configured to use the wan1 IP address.

 

 

vjoshi_FTNT
Staff

Hello,

 

May I know the firmware version on the device?

 

The KB article below should help you:

 

http://kb.fortinet.com/kb/microsites/search.do?cmd=displayKC&docType=kc&externalId=12050

 

Also, the VPN handbook available at 'docs.fortinet.com' can help if it is a newer version; the document explains different scenarios.

Gman

Hi

 

Thanks for your help. The firmware version is v5.2.3,build670.

 

Currently I have a NAT for all users to WAN1 for general Internet access.

I have created the VPN through the wizard and specified WAN1 as the local subnet and the private network of the remote side as the remote network.  Does that sound right?

 

Thanks

FortiAdam
Contributor II

Yes, you're on the right track, but you need to verify that your policy for LAN > VPN has NAT enabled and is using the correct IP pool.

 

I'm not sure if the wizard has the option to set this up but you should be able to easily tweak the settings after using the wizard.

vjoshi_FTNT
Staff

Here, in your case, it is many-to-one NAT. As mentioned in the earlier post, make sure you select the IP pool which represents the WAN1 IP that you want the traffic to be NATted with in the firewall policy LAN to VPN.
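
The configuration the two replies above describe, written out as an added example in FortiOS 5.2 CLI syntax (this is not configuration posted by anyone in the thread). All addresses, interface names and the tunnel name "to-remote" are assumed placeholders: LAN 192.168.10.0/24 on port "internal", WAN1 address 203.0.113.10, remote encryption domain 10.20.0.0/24, and a route-based (interface mode) tunnel as the 5.2 wizard creates. The point to notice is that the phase 2 selector uses the WAN1 /32 as the local subnet, because that is what the remote peer's encryption domain expects, while the LAN > VPN policy matches the real private range and lets the overload IP pool translate it.

```text
# Added example, not from the original thread. Assumed values:
#   LAN subnet               192.168.10.0/24 on interface "internal"
#   WAN1 address             203.0.113.10 (the only address the peer expects to see)
#   Remote encryption domain 10.20.0.0/24
#   Route-based tunnel named "to-remote" (phase1-interface already created by the wizard)

config firewall address
    edit "LAN_private"
        set subnet 192.168.10.0 255.255.255.0
    next
    edit "Remote_net"
        set subnet 10.20.0.0 255.255.255.0
    next
end

# Phase 2 selectors describe the traffic AFTER SNAT: local = WAN1 /32, remote = their private range.
config vpn ipsec phase2-interface
    edit "to-remote"
        set phase1name "to-remote"
        set proposal aes256-sha256
        set src-subnet 203.0.113.10 255.255.255.255
        set dst-subnet 10.20.0.0 255.255.255.0
    next
end

# Many-to-one pool: start and end are the same single address, so every LAN host
# is translated to the WAN1 IP (overload = PAT on the source port).
config firewall ippool
    edit "WAN1_pool"
        set type overload
        set startip 203.0.113.10
        set endip 203.0.113.10
    next
end

# Send the remote range into the tunnel interface.
config router static
    edit 0
        set dst 10.20.0.0 255.255.255.0
        set device "to-remote"
    next
end

# LAN -> VPN policy: srcaddr is the REAL private range; "nat enable" plus the
# pool performs the translation before the packet is encrypted.
config firewall policy
    edit 0
        set srcintf "internal"
        set dstintf "to-remote"
        set srcaddr "LAN_private"
        set dstaddr "Remote_net"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
        set ippool enable
        set poolname "WAN1_pool"
    next
end
```

To check that this is behaving as intended, `diagnose vpn tunnel list` shows the negotiated phase 2 selectors (the local side should read 203.0.113.10/32 in this example), and `diagnose debug flow` with a filter on a LAN host's address shows which policy the traffic matched and that the source was translated to the WAN1 address before entering the tunnel. If the IKE debug shows only R-U-THERE / R-U-THERE-ACK messages, those are dead-peer-detection keepalives, which means phase 1 is established but no traffic is triggering (or matching) a phase 2 negotiation, so the policy, the route and the selectors are the places to look.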

 

Gman

Hi

It's been a while since I visited this, but I tried to connect up the new FortiGate and this VPN still isn't working!

 

I have double-checked the old settings copied over from the Cisco. I now have two policies configured, which are as follows:

 

Internal->VPN - 'src' = private IPs NATted to WAN IP - 'dst' = remote IP network

WAN1->VPN - 'src' = WAN IP - 'dst' = remote IP network

 

Tried doing some debugs and all I see is 'sent IKE msg (R-U-THERE-ACK)' sent from my IP to the remote peer.

 

Anyone have any ideas please?
