Configure FortiAnalyzer over IPSEC with NAT
I have a situation trying to get a branch FortiGate to send logs to FortiAnalyzer behind a hub FortiGate across an IPsec tunnel. Setting the system 'source-ip' of the branch FortiGate doesn't resolve the problem in this particular case due to some unavoidable, additional complexity.
FortiAnalyzer (10.1.1.10) ---
LAN (10.1.1.0/24) --- Hub FortiGate (Ins. 10.1.1.1, Outs. 184.108.40.206)
((( --- IPsec VPN TUNNEL ---)))
Branch FortiGate (Outs. 220.127.116.11, Ins. 172.20.0.1) --- LAN (172.20.0.0/24)
The complexity is that I am required to translate the Branch LAN IPs from 172.20.0.0/24 to 18.104.22.168/24. All traffic sent from the Hub LAN to the Branch LAN is destined for 172.10.0.x and is translated by the Branch FortiGate to 172.20.0.x with DNAT. All traffic sent from the Branch LAN to the Hub LAN is destined for 10.1.1.x and appears to be sent by 172.10.0.x (not 172.20.0.x).
The translations work correctly and in both directions. The problem is getting the Branch FortiGate (172.20.0.1) to talk to FortAnalyzer (10.1.1.10). I have set the internal 'source-ip' for FortiAnalyzer on the Branch FortiGate to 172.20.0.1 - works on my other FortiGates NOT USING NAT, but doesn't work here. All pings fail from CLI to 10.1.1.0/24. I have tried setting it to 22.214.171.124, but the change results in a CLI error. I can access the Branch FortiGate's GUI at 126.96.36.199 from 10.1.1.0/24, so the DNAT config is doing its job there.
How do I get the system 'source-ip' to use the NAT config I have in place?
(Removing NAT is not an option).
(On an additional note, I've also found that SNMP requests from the HUB's LAN are failing to reach the Branch's LAN over the VPN tunnel. SSH and ICMP work fine between the LANs, and my policies allow any/all services across the VPN tunnel. Not sure if this is related, or a completely separate problem.)
post edited by NickBurns - 2019/08/27 07:16:16