Unidirectional NAT through IPSEC tunnel.

Author: daniyal@77
2020/01/28 14:37:06

Hi All,
We have configured an interface-based VPN to the remote client (Palo Alto FW). The tunnel is up and working fine.
Now the customer has asked me to implement NAT for all of my subnets currently connected to my Fortigate (including the Dialup VPN users subnet).

Like the sources (Prod, Training, Dialup VPN users) to be NATed to a single IP (172.16.100.x/32) and then go into the IPsec tunnel, so that on the remote side only a single IP is visible to them (i.e. 172.16.100.x/32).

As the traffic is only unidirectional, I am following the solution provided in this KB:
https://kb.fortinet.com/kb/microsites/search.do?cmd=displayKC&docType=kc&externalId=FD33885&sliceId=1&docTypeID=DT_KCARTICLE_1_1&dialogID=129474053&stateId=0%200%20168934167%27)

Now, my question is this: I've different subnets like 172.16.10.x/24, 10.10.10.x/24 and the Dialup subnet (10.80.10.x/24),
and I want to NAT them to a single IP, you can say 172.16.100.x/32, so that the remote side can see only one IP. Is this possible?

The second question is this: do I need to change my current route-based VPN in order to implement the above requirement by selecting the post-NAT IP in the phase 2 selectors, or do I need to create a new policy-based VPN to implement the scenario mentioned above?
#1

4 Replies

    emnoc
    Re: Unidirectional NAT through IPSEC tunnel. 2020/01/28 14:49:38
    Q1 yes
     
    Q2 yes
     
    Put the POST_NAT address in the phase2 settings. I do this in a FGT-2-SRX
     
    config firewall policy
        edit 89
            set name "fgt2-branchSRX345"
            set srcintf "internal"
            set dstintf "FGT2BRANCHSRXSCHOOL_SYS"
            set srcaddr "192.168.1.0" "192.168.4.0" "192.168.11.0"
            set dstaddr "LOCAL_SUBNET"
            set action accept
            set schedule "always"
            set service "ALL"
            set ippool enable
            set poolname "SRXremoteofcSYS"
            set nat enable
        next
    end
     
    The address of "SRXremoteofcSYS" is my phase2 local-subnet for IPSEC-PH2 traffic selectors.
     
    Ken Felix
     

    PCNSE 
    NSE 
    StrongSwan  
    #2
    daniyal@77
    Re: Unidirectional NAT through IPSEC tunnel. 2020/01/28 15:06:17
    Thanks Ken,
    Please clarify one thing regarding Q2: is the 'yes' for the route-based VPN, or does it count for the policy-based VPN?
    Apologies for my dumbness :D
     
    #3
    emnoc
    Re: Unidirectional NAT through IPSEC tunnel. 2020/01/28 15:20:16
    Route-based.
    Ken Felix

    PCNSE 
    NSE 
    StrongSwan  
    #4
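    The route-based setup Ken describes, written out end to end as an added example (this is neither Ken's config nor the OP's; it only follows the thread's advice): a single-address overload IP pool, address objects for the three local subnets from the question, a phase 2 selector whose local side is the post-NAT /32 rather than the real subnets, a static route into the tunnel, and one outbound policy with source NAT from the pool. The pool address 172.16.100.10, the remote subnet 192.0.2.0/24, the tunnel name "to-customer" and the dial-up interface name "DIALUP_VPN" are placeholders I chose; replace them with your own values.

```fortios
# Added example, not taken from the thread. 172.16.100.10, 192.0.2.0/24,
# "to-customer" and "DIALUP_VPN" are placeholders; substitute your own values.

# 1. Overload pool with a single address: every internal source is PAT'd to it.
config firewall ippool
    edit "VPN_SNAT_POOL"
        set type overload
        set startip 172.16.100.10
        set endip 172.16.100.10
    next
end

# 2. Address objects: the three local subnets from the question, plus the
#    customer's subnet behind the Palo Alto (placeholder range).
config firewall address
    edit "PROD_NET"
        set subnet 172.16.10.0 255.255.255.0
    next
    edit "TRAINING_NET"
        set subnet 10.10.10.0 255.255.255.0
    next
    edit "DIALUP_NET"
        set subnet 10.80.10.0 255.255.255.0
    next
    edit "CUSTOMER_NET"
        set subnet 192.0.2.0 255.255.255.0
    next
end

# 3. Phase 2 on the existing interface-mode tunnel: the local selector is the
#    post-NAT /32, not the pre-NAT subnets, so it matches what the remote side sees.
config vpn ipsec phase2-interface
    edit "to-customer-p2"
        set phase1name "to-customer"
        set src-addr-type subnet
        set src-subnet 172.16.100.10 255.255.255.255
        set dst-addr-type subnet
        set dst-subnet 192.0.2.0 255.255.255.0
    next
end

# 4. Send the customer subnet into the tunnel interface.
config router static
    edit 0
        set dst 192.0.2.0 255.255.255.0
        set device "to-customer"
    next
end

# 5. One outbound policy: LAN and dial-up sources to the tunnel, NAT from the pool.
#    "DIALUP_VPN" stands for the interface the dial-up users arrive on
#    (the dial-up phase1 name for IPsec, or ssl.root for SSL VPN).
config firewall policy
    edit 0
        set name "lan-to-customer-snat"
        set srcintf "internal" "DIALUP_VPN"
        set dstintf "to-customer"
        set srcaddr "PROD_NET" "TRAINING_NET" "DIALUP_NET"
        set dstaddr "CUSTOMER_NET"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
        set ippool enable
        set poolname "VPN_SNAT_POOL"
    next
end
```

    The Palo Alto side's proxy IDs have to mirror the selector (local 192.0.2.0/24, remote 172.16.100.10/32) or phase 2 will not negotiate; because the customer only ever sees the pool address and all sessions originate on the FortiGate side, no policy from the tunnel back to the LAN is needed. After pasting, `diagnose vpn tunnel list` shows whether the 172.16.100.10/32 selector came up, and a session from any of the three subnets should appear in the session table with the pool address as its translated source.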
    daniyal@77
    Re: Unidirectional NAT through IPSEC tunnel. 2020/01/28 15:21:59
    Thank you so much Ken,
    Appreciate it 
    #5