Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
gateberg77
New Contributor II

Created on ‎05-16-2023 04:25 AM

Fortigate 40F Policy Based S2S with Source NAT

Hello,

i am trying to setup a VPN Site2Site connection, policy based with source NAT.

 

Fortigate 40F, v7.2.4

The target network is a customer network and cannot be configured.

 

I'm basically following the tutorial in this article (Scenario A)

https://community.fortinet.com/t5/FortiGate/Technical-Note-Policy-Based-IPsec-VPN-Using-Source-NAT-a...

 

The topology looks like this (where SiteB is Customer), and the NATting should only be done for the 10.129.0.24 IP Address (in my case, cus_local_subnet_1)

Screenshot 2023-05-16 at 13.00.55.png

Despite the article instructions, i'm doing the configuration from the Web Interface.

 

The VPN Tunnel is up and running for Phase 1 and Phase 2:

 

Screenshot 2023-05-16 at 13.09.12.png

 The problem starts, when i want to configure the Firewall policy. If i check "IPSec" in the policy, i loose the option to setup the IP Pool for Nating.

Screenshot 2023-05-16 at 13.04.03.png

 

On the other hand, if i choose "ACCEPT", i can choose the Nating, but i cannot set IPSEC on the policy.

 

Screenshot 2023-05-16 at 13.06.08.png

 

The article does not state how to handle this scenario, with the CLI it seems it can be defined:

 

Screenshot 2023-05-16 at 13.20.04.png

 

How can i bind the IPPool and NAT by also using the IPSEC in the policy?

 

 

Labels:
955
0 Kudos
5 REPLIES 5
AEK
Honored Contributor II

Created on ‎05-16-2023 06:41 AM Edited on ‎05-16-2023 06:42 AM

Hi Gateberg

  1. Try to do it with CLI. Many features available with CLI can't be done with GUI
  2. Article is old, it may be related to FortiOS 5.x. Many commands and methods change between 5.x and 7.2.x. So you can find the right method in FGT 7.2 admin guide
AEK
AEK
934
0 Kudos
gfleming
Staff
Staff

Created on ‎05-16-2023 02:14 PM

Is there a reason you are you using policy-based ipsec? Can you use route-based?

 

When using route-based you can just create a basic fw policy with SNAT applied for that one device.

Cheers,
Graham
904
0 Kudos
gateberg77
New Contributor II

Created on ‎05-17-2023 02:59 AM

Route based is not possible, we cannot make changes on the customer site.

 

Maybe the issue starts earlier, as i cannot see any traffic on the tunnel:

Screenshot 2023-05-17 at 11.56.56.png

876
0 Kudos
saneeshpv_FTNT
Staff
Staff
In response to gateberg77

Created on ‎05-17-2023 04:25 AM

You may try to use Central NAT for such scenario which will separate NAT from Firewall rules. But this change has to be planned if you are already using NAT in the Firewall rules. 

867
0 Kudos
gfleming
Staff
Staff
In response to gateberg77

Created on ‎05-17-2023 09:32 AM

AFAIK route-based vs policy-based is a local construct on the FGT. It's just two different ways of configuring the IPSec tunnel. The remote side does not care what you are using. It's just typically a much easier way to manage and configure the IPSec tunnel on the FGT.

Cheers,
Graham
853
0 Kudos
Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.