I'm working on a case where I have to replace a current IPsec tunnel with Fortigate HW, where the traffic should be NAT'ed in both directions (I've added a network drawing for clarification).
- I have simplified WAN IP addressing for my lab
- SITE B is managed by another company
- Traffic to SITE B is directed to the public IP address (DNAT by firewall B), and only accepted from public range on SITE A (SNAT by firewall A)
- Traffic from SITE B is delivered on the public IP address of SITE A and should be NAT'ed to internal (DNAT)
- 10.200.0.100 delivers a print job to 10.0.0.11, port 10000
- FortiGate in SITE A should DNAT the traffic to 10.100.0.200, port 9100
I am unable to get the DNAT into SITE A working. I've tried both Policy-based IPsec and Route-based IPsec.
- With Policy-based IPsec I am unable to select the IPsec tunnel on a policy with WAN as source and LAN as destination (IPsec selection list is empty), only the other way. I have referred to https://kb.fortinet.com/kb/documentLink.do?externalID=FD37522 scenario 2, although the VIP should not be wan-wan in my case but wan-lan.
- With Route-based IPsec I can't get it done to pass the traffic to 10.0.0.11 and have the firewall take care of the VIP. I keep getting policy violations where the traffic is recognized as coming from WAN instead of the IPsec tunnel.
I was hoping that someone might help in this matter! Thanks in advance.
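The following is an added illustration, not configuration from the original post or from Fortinet: a minimal FortiOS CLI layout for the SITE A side of a route-based (interface-mode) tunnel, where traffic arriving from SITE B for 10.0.0.11 port 10000 is DNAT'ed to 10.100.0.200 port 9100. The addresses and ports are taken from the post; the interface names (wan1, internal), the tunnel name (to-siteB), the peer address, the SITE B range 10.200.0.0/24 and the pre-shared-key placeholder are assumptions.

```fortios
# Added example (assumed names/peer); addresses and ports from the post.

config vpn ipsec phase1-interface
    edit "to-siteB"
        set interface "wan1"
        set ike-version 2
        set remote-gw 203.0.113.2        # assumed peer address (documentation range)
        set psksecret <PRE-SHARED-KEY>   # placeholder
        set proposal aes256-sha256
    next
end

config vpn ipsec phase2-interface
    edit "to-siteB-p2"
        set phase1name "to-siteB"
        set proposal aes256-sha256
        # Selectors name the public address SITE B sends to, not the internal
        # printer: the DNAT is applied after the packet leaves the tunnel.
        set src-subnet 10.0.0.11 255.255.255.255
        set dst-subnet 10.200.0.0 255.255.255.0   # assumed SITE B range
    next
end

# Return traffic to SITE B must be routed into the tunnel interface.
config router static
    edit 0
        set dst 10.200.0.0 255.255.255.0
        set device "to-siteB"
    next
end

config firewall address
    edit "siteB-lan"
        set subnet 10.200.0.0 255.255.255.0
    next
end

config firewall service custom
    edit "tcp-10000"
        set tcp-portrange 10000
    next
end

# VIP bound to the tunnel interface: 10.0.0.11:10000 -> 10.100.0.200:9100
config firewall vip
    edit "vip-print-9100"
        set extintf "to-siteB"
        set extip 10.0.0.11
        set mappedip "10.100.0.200"
        set portforward enable
        set protocol tcp
        set extport 10000
        set mappedport 9100
    next
end

# Inbound policy: the source interface is the tunnel, not wan1, and the
# destination is the VIP object so the policy matches the pre-NAT address.
config firewall policy
    edit 0
        set name "siteB-to-printer"
        set srcintf "to-siteB"
        set dstintf "internal"
        set srcaddr "siteB-lan"
        set dstaddr "vip-print-9100"
        set action accept
        set schedule "always"
        set service "tcp-10000"
        set logtraffic all
    next
end
```

Two points worth checking against this layout: the phase 2 selectors on both ends must cover 10.0.0.11, since SITE B (managed by the other company) encrypts toward the public address and the FortiGate only rewrites the destination after decryption; and the policy's `srcintf` must be the tunnel interface, with `dstaddr` set to the VIP object rather than the internal host. A flow trace (`diagnose debug flow filter port 10000`, `diagnose debug flow trace start 10`, `diagnose debug enable`) shows which interface the FortiGate considers the packet to have entered on; if it reports wan1 rather than to-siteB, the packet was not delivered inside the tunnel's selectors, which is consistent with the policy violations described above.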