vjoshi_FTNT
Staff
Article Id 189473
Description
This article presents two scenarios that explain how to use Source NAT and Destination NAT in a policy-based VPN.

Scenario 1: Using Source NAT between Site A and Site B.
This scenario illustrates a policy-based VPN between two sites and explains how to Source NAT a specific IP at Site A before it reaches Site B. The same logic can be used to Source NAT a whole subnet.

Scenario 2: Traffic arriving at Site A is forwarded to a specific server at Site B.
This scenario illustrates how to use Destination NAT in a policy-based VPN.

Solution
Scenario 1: Using Source NAT between Site A and Site B.

This scenario illustrates a policy-based VPN between two sites and explains how to Source NAT a specific IP at Site A before it reaches Site B. The same logic can be used to Source NAT a whole subnet.

Topology diagram: vjoshi_FD37522_tn_FD37522-1.jpg

Site A Setup:

WAN IP : 10.0.18.25
LAN IP : 10.129.0.25/23

Local IP to be NATed: 10.129.0.24 (translated to 20.20.20.20)
config vpn ipsec phase1
    edit "VPN_To_Atl36"
        set interface "port1"
        set proposal des-md5 des-sha1
        set remote-gw 10.0.18.45
    next
end
config vpn ipsec phase2
    edit "Phase2"
        set phase1name "VPN_To_Atl36"
        set proposal des-md5 des-sha1
        set use-natip disable
    next
end

No selectors are configured in this phase2, so its quick mode selectors default to 0.0.0.0/0.

Address Objects

Create Address objects for '10.129.0.24/32', '10.129.0.0/23' and '10.130.0.0/23'.

Firewall Policies

Two Firewall policies are needed:
config firewall policy
    edit 2
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "10.129.0.24"
        set dstaddr "Remote_LAN_10.130"
        set action ipsec
        set schedule "always"
        set service "ANY"
        set natip 20.20.20.20 255.255.255.255
        set inbound enable
        set outbound enable
        set natoutbound enable
        set vpntunnel "VPN_To_Atl36"
    next

    edit 3
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "LAN_10.129.0.0"
        set dstaddr "Remote_LAN_10.130"
        set action ipsec
        set schedule "always"
        set service "ANY"
        set inbound enable
        set outbound enable
        set vpntunnel "VPN_To_Atl36"
    next
end
Site B Setup:

WAN IP : 10.0.18.45
LAN IP : 10.130.0.45/23

VPN configuration
config vpn ipsec phase1
    edit "VPN_To_Atl_16"
        set interface "port1"
        set remote-gw 10.0.18.25
    next
end

config vpn ipsec phase2
    edit "Phase2"
        set phase1name "VPN_To_Atl_16"
    next
end
Address Objects

Create Address objects for '20.20.20.20/32', '10.129.0.0/23' and '10.130.0.0/23'.

Firewall Policies
config firewall policy
    edit 3
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "Local_10.130"
        set dstaddr "20.20.20.20"
        set action ipsec
        set schedule "always"
        set service "ALL"
        set inbound enable
        set outbound enable
        set vpntunnel "VPN_To_Atl_16"
    next
    edit 4
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "Local_10.130"
        set dstaddr "Remote_10.129"
        set action ipsec
        set schedule "always"
        set service "ALL"
        set inbound enable
        set outbound enable
        set vpntunnel "VPN_To_Atl_16"
    next
end

Once the above is done, whenever the source 10.129.0.24 accesses the remote subnet 10.130.0.0/23, its source address is NATed to 20.20.20.20.

Any other IP in the same subnet 10.129.0.0/23 keeps its own source IP, without any NAT.
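The outcome just described depends on policy 2 (the /32 source) sitting above policy 3 (the whole /23), because FortiGate evaluates firewall policies top-down and the first match wins. The following Python is an added example, not Fortinet code or part of the original article: it parses the Site A policy block shown above (copied here as sample input), resolves the address objects the article asks the reader to create, simulates first-match evaluation to report which source IP Site B will see, and flags any policy that is shadowed by an earlier, broader one. The address object names and the first-match rule are taken from the page and from general FortiOS behaviour; the function names are this example's own.

```python
import ipaddress
import re

# Address objects as the article tells the reader to create them at Site A; the
# object names are those used in the page's policy (the /32 is named after its IP).
SITE_A_ADDRESSES = {
    "10.129.0.24": "10.129.0.24/32",
    "LAN_10.129.0.0": "10.129.0.0/23",
    "Remote_LAN_10.130": "10.130.0.0/23",
}

# Site A 'config firewall policy' block, copied from the article as sample input.
SITE_A_POLICY = """
config firewall policy
    edit 2
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "10.129.0.24"
        set dstaddr "Remote_LAN_10.130"
        set action ipsec
        set schedule "always"
        set service "ANY"
        set natip 20.20.20.20 255.255.255.255
        set inbound enable
        set outbound enable
        set natoutbound enable
        set vpntunnel "VPN_To_Atl36"
    next
    edit 3
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "LAN_10.129.0.0"
        set dstaddr "Remote_LAN_10.130"
        set action ipsec
        set schedule "always"
        set service "ANY"
        set inbound enable
        set outbound enable
        set vpntunnel "VPN_To_Atl36"
    next
end
"""


def parse_policies(text):
    """Parse a FortiOS 'config firewall policy' block into an ordered list of dicts.
    Quotes are stripped; a 'set' with several values (natip, several dstaddr) becomes a list."""
    policies, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.fullmatch(r"edit\s+(\d+)", line)
        if m:
            current = {"id": int(m.group(1))}
            continue
        if line == "next" and current is not None:
            policies.append(current)
            current = None
            continue
        m = re.fullmatch(r"set\s+(\S+)\s+(.+)", line)
        if m and current is not None:
            values = [v.strip('"') for v in re.findall(r'"[^"]*"|\S+', m.group(2))]
            current[m.group(1)] = values if len(values) > 1 else values[0]
    return policies


def _nets(policy, key, addresses):
    """Resolve a policy's srcaddr/dstaddr object names to ip_network objects."""
    names = policy[key] if isinstance(policy[key], list) else [policy[key]]
    return [ipaddress.ip_network(addresses[n]) for n in names]


def match_policy(policies, addresses, src_ip, dst_ip):
    """Top-down, first-match lookup (general FortiOS behaviour, assumed here)."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for policy in policies:
        if (any(src in n for n in _nets(policy, "srcaddr", addresses))
                and any(dst in n for n in _nets(policy, "dstaddr", addresses))):
            return policy
    return None


def effective_source(policies, addresses, src_ip, dst_ip):
    """Source IP the remote site sees: the natip when the matching policy has
    natoutbound enabled, the original IP otherwise, None when nothing matches."""
    policy = match_policy(policies, addresses, src_ip, dst_ip)
    if policy is None:
        return None
    if policy.get("natoutbound") == "enable" and "natip" in policy:
        natip = policy["natip"]  # 'set natip <ip> <mask>' parses as [ip, mask]
        return natip[0] if isinstance(natip, list) else natip
    return src_ip


def find_shadowed(policies, addresses):
    """IDs of policies that can never match because an earlier policy on the same
    interface pair already covers all of their source and destination space."""
    shadowed = []
    for i, later in enumerate(policies):
        for earlier in policies[:i]:
            if (earlier["srcintf"], earlier["dstintf"]) != (later["srcintf"], later["dstintf"]):
                continue
            covered = all(
                all(any(n.subnet_of(e) for e in _nets(earlier, key, addresses))
                    for n in _nets(later, key, addresses))
                for key in ("srcaddr", "dstaddr"))
            if covered:
                shadowed.append(later["id"])
                break
    return shadowed


if __name__ == "__main__":
    pols = parse_policies(SITE_A_POLICY)
    for host in ("10.129.0.24", "10.129.0.50"):
        print(host, "->", effective_source(pols, SITE_A_ADDRESSES, host, "10.130.0.10"))
    print("shadowed as written:", find_shadowed(pols, SITE_A_ADDRESSES))
    print("shadowed if order reversed:", find_shadowed(pols[::-1], SITE_A_ADDRESSES))
```

Run against the page's configuration, 10.129.0.24 is reported as 20.20.20.20 and any other LAN host as itself; reversing the two policies makes policy 2 unreachable, which is the misconfiguration that silently disables the NAT.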


Scenario 2: Traffic arriving at Site A is forwarded to a specific server at Site B.

This scenario illustrates how to use Destination NAT in a policy-based VPN.

Topology diagram: vjoshi_FD37522_tn_FD37522-2.jpg

Site A Setup

WAN IP : 10.0.18.25
Free WAN IP : 10.0.18.11
LAN IP : 10.129.0.25/23

Create Address Objects for Local and Remote subnets.

VPN configuration
config vpn ipsec phase1
    edit "VPN_to_Atl_36"
        set interface "port1"
        set remote-gw 10.0.18.45
    next
end
config vpn ipsec phase2
    edit "VPN_to_Atl_36"
        set phase1name "VPN_to_Atl_36"
        set use-natip disable
        set pfs disable
        set replay disable
    next
end

VIP
config firewall vip
    edit "VIP"
        set extip 10.0.18.11
        set extintf "port1"
        set portforward enable
        set mappedip "10.130.0.44"
        set extport 8080
        set mappedport 8080
    next
end

A one-to-one (static) NAT VIP without port forwarding can be used instead, depending on the requirement.

Firewall policies

config firewall policy
    edit 2
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "Internal_10.129"
        set dstaddr "Remote_10.130"
        set action ipsec
        set schedule "always"
        set service "ALL"
        set inbound enable
        set outbound enable
        set vpntunnel "VPN_to_Atl_36"
    next

    edit 3
        set srcintf "port1"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "VIP"
        set action ipsec
        set schedule "always"
        set service "ALL"
        set natip 10.0.18.11 255.255.255.255
        set inbound enable
        set outbound enable
        set natoutbound enable
        set vpntunnel "VPN_to_Atl_36"
    next
end

DEBUG

How the tunnel and traffic should look when the debug commands are run:
SiteA # diagnose vpn tunnel list
list all ipsec tunnel in vd 0
------------------------------------------------------
name=VPN_to_Atl_36 ver=1 serial=1 10.0.18.25:0->10.0.18.45:0 lgwy=static tun=tunnel mode=auto bound_if=2
proxyid_num=1 child_num=0 refcnt=9 ilast=0 olast=0
stat: rxp=42 txp=90 rxb=4928 txb=4904
dpd: mode=active on=1 idle=5000ms retry=3 count=0 seqno=1487
natt: mode=none draft=0 interval=0 remote_port=0
proxyid=VPN_to_Atl_36 proto=0 sa=1 ref=2 serial=2
  src: 0:0.0.0.0/0.0.0.0:0
  dst: 0:0.0.0.0/0.0.0.0:0
  SA: ref=3 options=0000004c type=00 soft=0 mtu=1438 expire=40758/0B replaywin=0 seqno=29
  life: type=01 bytes=0/0 timeout=43151/43200
  dec: spi=9af30383 esp=aes key=16 9699fa30efc110c9cc335b23806a731d
       ah=sha1 key=20 6cf7508c489d4d8fe71a514dd2136945375771f0
  enc: spi=103b3c89 esp=aes key=16 cbf7c9c4d2516b12a73b88918f4eb153
       ah=sha1 key=20 ad171e92b5d5b75a831861ebe401f40991cf2185
  dec:pkts/bytes=23/1200, enc:pkts/bytes=40/4928

Debug Flow on Site A
id=20085 trace_id=65 func=print_pkt_detail line=4420 msg="vd-root received a packet(proto=6, 172.26.73.11:50798->10.0.18.11:8080) from port1. flag [S], seq 1398181761, ack 0, win 8192"
id=20085 trace_id=65 func=init_ip_session_common line=4569 msg="allocate a new session-0000151a"
id=20085 trace_id=65 func=fw_pre_route_handler line=176 msg="VIP-10.130.0.44:8080, outdev-port1"
id=20085 trace_id=65 func=__ip_session_run_tuple line=2564 msg="DNAT 10.0.18.11:8080->10.130.0.44:8080"
id=20085 trace_id=65 func=vf_ip4_route_input line=1596 msg="find a route: flags=00000000 gw-10.0.19.254 via port1"
id=20085 trace_id=65 func=fw_forward_handler line=671 msg="Allowed by Policy-3: encrypt SNAT"
id=20085 trace_id=65 func=__ip_session_run_tuple line=2550 msg="SNAT 172.26.73.11->10.0.18.11:50798"
id=20085 trace_id=65 func=ipsec_tunnel_output4 line=868 msg="enter IPsec tunnel-VPN_to_Atl_36"
id=20085 trace_id=65 func=ipsec_output_finish line=232 msg="send to 10.0.18.45 via intf-port1"
id=20085 trace_id=65 func=esp_output4 line=897 msg="encrypting, and send to 10.0.18.45 with source 10.0.18.25"

The trace shows the traffic hitting Site A's VIP and the FortiGate forwarding it to the remote site after NATing the source to 10.0.18.11.

This source NAT is recommended: the VIP accepts connections from any Internet source, so without it Site B's policy would have to permit the entire Internet; with it, Site B only needs to allow the single source IP 10.0.18.11.
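When troubleshooting this scenario, the things to confirm in the debug flow are exactly the steps named above: the packet arrived for the VIP's external IP, was DNATed to the mapped server, matched the encrypt policy, was SNATed to the spare WAN IP, and entered the expected tunnel. The following Python is an added example, not Fortinet code or part of the original article: it parses the Site A debug-flow lines shown above (copied here as sample input), pulls those facts out of one trace, and reports any mismatch against the expected path. Field names and message formats are those visible in the page's trace; the function names and the checks are this example's own.

```python
import re

# Site A debug-flow trace for Scenario 2, copied from the article as sample input.
SITE_A_FLOW = """\
id=20085 trace_id=65 func=print_pkt_detail line=4420 msg="vd-root received a packet(proto=6, 172.26.73.11:50798->10.0.18.11:8080) from port1. flag [S], seq 1398181761, ack 0, win 8192"
id=20085 trace_id=65 func=init_ip_session_common line=4569 msg="allocate a new session-0000151a"
id=20085 trace_id=65 func=fw_pre_route_handler line=176 msg="VIP-10.130.0.44:8080, outdev-port1"
id=20085 trace_id=65 func=__ip_session_run_tuple line=2564 msg="DNAT 10.0.18.11:8080->10.130.0.44:8080"
id=20085 trace_id=65 func=vf_ip4_route_input line=1596 msg="find a route: flags=00000000 gw-10.0.19.254 via port1"
id=20085 trace_id=65 func=fw_forward_handler line=671 msg="Allowed by Policy-3: encrypt SNAT"
id=20085 trace_id=65 func=__ip_session_run_tuple line=2550 msg="SNAT 172.26.73.11->10.0.18.11:50798"
id=20085 trace_id=65 func=ipsec_tunnel_output4 line=868 msg="enter IPsec tunnel-VPN_to_Atl_36"
id=20085 trace_id=65 func=ipsec_output_finish line=232 msg="send to 10.0.18.45 via intf-port1"
id=20085 trace_id=65 func=esp_output4 line=897 msg="encrypting, and send to 10.0.18.45 with source 10.0.18.25"
"""

# key=value pairs; the msg value is double-quoted and may itself contain '=' signs.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

PATTERNS = {
    "packet": re.compile(r"received a packet\(proto=\d+, ([\d.]+):\d+->([\d.]+):\d+\)"),
    "dnat": re.compile(r"^DNAT [\d.]+:\d+->([\d.]+):\d+"),
    "snat": re.compile(r"^SNAT [\d.]+->([\d.]+):\d+"),
    "policy": re.compile(r"^Allowed by Policy-(\d+)"),
    "tunnel": re.compile(r"enter IPsec tunnel-(\S+)"),
}


def parse_flow(text):
    """Split each debug-flow line into its key=value fields and group lines by trace_id."""
    traces = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
        traces.setdefault(fields.get("trace_id"), []).append(fields)
    return traces


def summarize_trace(entries):
    """Extract original addresses, DNAT target, policy ID, SNAT address and tunnel from one trace."""
    s = {"orig_src": None, "orig_dst": None, "dnat": None,
         "policy": None, "snat": None, "tunnel": None}
    for e in entries:
        msg = e.get("msg", "")
        m = PATTERNS["packet"].search(msg)
        if m:
            s["orig_src"], s["orig_dst"] = m.group(1), m.group(2)
        for key in ("dnat", "snat", "tunnel"):
            m = PATTERNS[key].search(msg)
            if m:
                s[key] = m.group(1)
        m = PATTERNS["policy"].search(msg)
        if m:
            s["policy"] = int(m.group(1))
    return s


def verify_scenario2(s, vip_ext, mapped, natip, tunnel):
    """Compare one trace against the expected path: client -> VIP external IP ->
    DNAT to the mapped server -> SNAT to the spare WAN IP -> IPsec tunnel.
    Returns a list of mismatches; an empty list means the trace is as expected."""
    problems = []
    if s["orig_dst"] != vip_ext:
        problems.append(f"packet was not addressed to VIP external IP {vip_ext}")
    if s["dnat"] != mapped:
        problems.append(f"expected DNAT to {mapped}, saw {s['dnat']}")
    if s["snat"] != natip:
        seen = s["snat"] or s["orig_src"]
        problems.append(f"expected SNAT to {natip}, saw {seen}; Site B's policy would have to allow {seen}")
    if s["tunnel"] != tunnel:
        problems.append(f"expected tunnel {tunnel}, saw {s['tunnel']}")
    return problems


if __name__ == "__main__":
    summary = summarize_trace(parse_flow(SITE_A_FLOW)["65"])
    print(summary)
    print(verify_scenario2(summary, "10.0.18.11", "10.130.0.44", "10.0.18.11", "VPN_to_Atl_36") or "trace matches")
```

The SNAT check is the one that matters for Site B's policy: if the source is not rewritten to 10.0.18.11, the tunnel carries the original Internet client address and Site B's policy 6, which lists only 10.0.18.11, would drop it.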

Site B Setup

WAN IP : 10.0.18.45
LAN IP : 10.130.0.45/23

Address Objects

Create Address Objects for Local and Remote subnets.

VPN Configuration
config vpn ipsec phase1
    edit "VPN_To_Atl_16"
        set interface "port1"
        set remote-gw 10.0.18.25
    next
end

config vpn ipsec phase2
    edit "VPN_To_Atl_16"
        set phase1name "VPN_To_Atl_16"
        set pfs disable
        set replay disable
    next
end
Firewall policy
config firewall policy
    edit 6
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "Local_10.130"
        set dstaddr "Remote_10.129" "10.0.18.11"
        set action ipsec
        set schedule "always"
        set service "ALL"
        set inbound enable
        set outbound enable
        set vpntunnel "VPN_To_Atl_16"
    next
end

DEBUG

How the tunnel and traffic should look when the debug commands are run:
atlantis-svb36 # diagnose vpn tunnel list
list all ipsec tunnel in vd 0
------------------------------------------------------
name=VPN_To_Atl_16 ver=1 serial=2 10.0.18.45:0->10.0.18.25:0 lgwy=static tun=tunnel mode=auto bound_if=2
proxyid_num=1 child_num=0 refcnt=7 ilast=1 olast=1
stat: rxp=90 txp=42 rxb=10992 txb=2332
dpd: mode=active on=1 idle=5000ms retry=3 count=0 seqno=1551
natt: mode=none draft=0 interval=0 remote_port=0
proxyid=VPN_To_Atl_16 proto=0 sa=1 ref=2 serial=2
  src: 0:0.0.0.0/0.0.0.0:0
  dst: 0:0.0.0.0/0.0.0.0:0
  SA: ref=3 options=0000000c type=00 soft=0 mtu=1438 expire=40739/0B replaywin=0 seqno=18
  life: type=01 bytes=0/0 timeout=43174/43200
  dec: spi=103b3c89 esp=aes key=16 cbf7c9c4d2516b12a73b88918f4eb153
       ah=sha1 key=20 ad171e92b5d5b75a831861ebe401f40991cf2185
  enc: spi=9af30383 esp=aes key=16 9699fa30efc110c9cc335b23806a731d
       ah=sha1 key=20 6cf7508c489d4d8fe71a514dd2136945375771f0
  dec:pkts/bytes=40/2212, enc:pkts/bytes=23/2616

Debug Flow on Site B

2015-09-30 02:29:50 id=20085 trace_id=406 func=print_pkt_detail line=4420 msg="vd-root received a packet(proto=6, 10.0.18.11:51279->10.130.0.44:8080) from port1. flag [S], seq 1577468677, ack 0, win 8192"
2015-09-30 02:29:50 id=20085 trace_id=406 func=init_ip_session_common line=4569 msg="allocate a new session-000003cc"
2015-09-30 02:29:50 id=20085 trace_id=406 func=vf_ip4_route_input line=1596 msg="find a route: flags=00000000 gw-10.130.0.44 via port2"
2015-09-30 02:
