mremile
New Contributor

VPN site to site with overlapping subnet, NAT to 1 address

Hello all,

 

I have a situation:

 

Site A

subnet 192.168.100.x/24

subnet 10.80.14.x/24

 

Site B 

Subnet 192.168.100.x/24

 

Traffic will only be initiated from site A --> 10.80.14.x.

 

The VPN is up and running, but we want to NAT from site A to B.

If a user from site A pings 10.80.255.254, it must be NATted to 192.168.100.6 over the VPN to the other side.

 

We have all the policies in place. 

But it is still not working.

 

Could someone send me in the right direction?

Which settings do I need to make to change the destination address 10.80.255.254, NATted to 192.168.100.6?

 

The packet should be changed from:

src addr: 10.80.14.x --> dest addr: 10.80.255.254

to:

src addr: 10.80.14.x --> dest addr: 192.168.100.6 (translated on the FortiGate)

 

Thank you very much for spending time!

1 Solution
emnoc
Esteemed Contributor III

You could do that with one-for-one static NATting on the ASA, but what I would do on the Cisco is something like this, but in reverse.

http://socpuppet.blogspot.com/2014/05/source-nat-based-on-destination-for-vpn.html

 

And on the FortiGate you would source NAT the site A address behind an ip-pool attached to your fwpolicy(s), and in your VPN phase2 proxy-ids you install the "Cisco ASA address that masks the 192.168.100.0/24 behind" & "ip pool" for the dst-subnet and src-subnet.

 

So the traffic would look like the following:

 

FGT_A-10.18.14.xxx > SNAT-10.80.255.254------------------------->ASA_B:MASKED-addresses:-A.B.C.D----->192.168.100.x

 

The 1st part would be very easy to do on the FGT side. Your route would also have to point to the MASKED_address that covers the remote subnet at the far end.

 

config vpn ipsec phase2-interface
    edit "FGT2ASA-P2"
        set auto-negotiate enable
        set phase1name "FGT2ASAtunnel"
        set proposal 3des-sha1 aes128-sha1
        set dhgrp 2
        set dst-subnet x.x.x.0 255.255.255.0          <----- Cisco address that's used in the 1n1 NAT
        set keylifeseconds 3600
        set src-subnet 10.80.255.254 255.255.255.255  <----- FGT address that's used in the nat-pool & policy
    next
end

 

And in your rt you will have something like the following:

 

config router static
    edit 55
        set device "FGT2ASAtunnel"
        set dst x.x.x.x 255.255.255.0
    next
end

 

 

You might want to look at policy-based VPNs; they give you some additional function for overlaps. But the above idea is what I would do. In the long run this will avoid collisions if any new networks are added. Overlapping subnets can be challenging in an RFC1918 address space.

 

I hope that's clear, and you would have to build that through the WebGUI.

PCNSE 

NSE 

StrongSwan  

emnoc
Esteemed Contributor III

Hmm......

Since the VPN on FortiGate A is initiating the traffic, you could apply an ip-pool assigned to those policies you allow, to SNAT the sources, but you will also need some VIP for DNAT. A local client on 10.80.14.xxx will need a different dst address to hit in order to route out of the FortiGate.

 

You didn't mention what type of VPN, but I would think a rt-based one would fail in this case (how would you route to 192.168.100.x/24 without colliding with the 192.168.100.x interface?).

 

 

FWIW, if site B is a FortiGate:

 

What I don't understand is: "is 10.80.255.254 part of the VPN scope?" You could easily apply a VIP on site B and do a 1n1 via range:

 

10.80.255.1  >> 192.168.100.1

10.80.255.2  >> 192.168.100.3

10.80.255.3  >> 192.168.100.3

and so on.

 

So is site B a FortiGate, or something else?

 

PCNSE 

NSE 

StrongSwan  

mremile
New Contributor

Site B is a Cisco device.

 

I was thinking about VIP.

 

We only use 192.168.100.6 in site B.

That's why we only want 1 address in site A to NAT to.

 

The problem is: this FortiGate 110C on site A is a shared environment.

So I can only use the web interface.

 

Could you tell me how this is arranged in the web interface?

 

There is no device connecting from site A 192.168.100.x to site B, so I think we can use a route-based VPN.

 

mremile

There is one thing to keep in mind.

 

I can't change any settings in the Cisco.

The only thing I want to translate is 192.168.100.6 to 10.80.255.254.

I made a policy rule which NATs 192.168.100.6 to 10.80.255.254 (from VPN to internal); this works, as I can see the source address is changed in Wireshark.

 

The only thing I can't get working is 10.80.255.254 to 192.168.100.6.

I made a virtual IP address and set it on the VPN interface.

I made a route to 10.80.255.254 to the VPN interface.

 

But it looks like the virtual IP is not static NATting it to the other side, because it won't give me a reply, or any other service from getting a reply.

In the log files I can see that the traffic is coming in: I see x.x.x.x to 10.80.255.254 DENY. The destination is not the VPN interface but the virtual domain.

 

I don't know why it is not working... 

I think there are 2 problems.

 

1. The virtual IP is not static NATting the destination address.

2. It looks like the traffic is blocked.

 

Keep in mind I only want to translate the 192.168.100.6 address. I don't want to translate anything else, because no one in the 192.168.100.x network on site A will ever use this VPN connection.

 

Please could you put me in the right direction?


emnoc
Esteemed Contributor III

I understand your issues. Have you tried diag debug flow? And have you tried to look at policy-based VPNs?

 

But I have had issues where you really need both DNAT and SNAT.

 

 

PCNSE 

NSE 

StrongSwan  

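As an added example (not config from emnoc or the poster), here is the DNAT-only variant the later posts converge on, in FortiOS CLI, for the case where the Cisco side cannot be changed: a VIP translating 10.80.255.254 to 192.168.100.6, a host route into the tunnel, and the LAN-to-tunnel policy that uses the VIP. The interface names "internal" and "FGT2ASAtunnel", the address object name, the use of "edit 0" to auto-number the route and policy, and the assumption that the existing phase2 selectors already match the Cisco's crypto ACL are all assumptions, not facts from the thread.

```fortios
# Added example, not from the thread. Assumed names: "internal" = site A LAN interface,
# "FGT2ASAtunnel" = the existing route-based phase1-interface. The existing phase2
# selectors are left untouched: the tunnel is already up and the Cisco cannot change.

# 1. DNAT: 10.80.255.254 (what site A users target) becomes 192.168.100.6 on egress.
#    extintf is the interface the ORIGINAL packet arrives on (the LAN), not the tunnel:
#    a VIP bound to the tunnel interface never matches LAN-originated traffic, so no
#    policy matches and the implicit deny can show up as a DENY in the traffic log.
config firewall vip
    edit "VIP-10.80.255.254-to-192.168.100.6"
        set extip 10.80.255.254
        set extintf "internal"
        set mappedip "192.168.100.6"
    next
end

config firewall address
    edit "SiteA-10.80.14.0"
        set subnet 10.80.14.0 255.255.255.0
    next
end

# 2. Route the TRANSLATED destination into the tunnel. The /32 beats the locally
#    connected 192.168.100.0/24 by longest-prefix match, so only this one host is
#    pulled across the VPN and the rest of site A's 192.168.100.x stays local.
config router static
    edit 0
        set dst 192.168.100.6 255.255.255.255
        set device "FGT2ASAtunnel"
    next
end

# 3. Policy LAN -> tunnel with the VIP as destination (policy lookup happens after
#    DNAT, so dstaddr is the VIP object, not a 10.80.255.254 address). No source NAT:
#    the Cisco's crypto ACL is assumed to already cover 10.80.14.0/24, and replies from
#    192.168.100.6 are reverse-translated automatically by the session table.
config firewall policy
    edit 0
        set srcintf "internal"
        set dstintf "FGT2ASAtunnel"
        set srcaddr "SiteA-10.80.14.0"
        set dstaddr "VIP-10.80.255.254-to-192.168.100.6"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat disable
    next
end
```

The "#" lines are reader notes and must be dropped before pasting, since the FortiOS CLI has no comment syntax; emnoc's diag debug flow (filtered on addr 10.80.255.254) will show whether a ping from 10.80.14.x is actually DNATted and which policy it matches.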
CBaezLe
New Contributor III

I know this is an old one, but it was a big help for me a few days ago. Thank you emnoc!!
