
Explanation

Using the two example PCs below, this section explains the source and destination NAT that allows the two PCs, which sit in overlapping subnets, to communicate.

Step 1 – Ping Request: HQ Test PC sends a ping destined for Branch Test PC’s new IP address of 10.2.2.98.

Src IP: 192.168.1.12

Dst IP: 10.2.2.98

Step 2 – Source NAT: The HQ FortiGate receives the ping, and after a route lookup, matches the traffic to firewall policy From-HQ-to-Branch that you created in the "Configuring firewall policies on HQ" section of the recipe.

Since the policy has NAT enabled and the HQ-new IP Pool selected, the HQ FortiGate performs source NAT on HQ Test PC’s IP address before sending the packet into the IPsec tunnel.

Src IP: 10.1.1.12

Dst IP: 10.2.2.98

Note

Because you created an IP Pool with a Type of Fixed Port Range and selected an External IP Range and an Internal IP Range of equal size, the last octet of each address does not change after SNAT. This means 192.168.1.12 is translated to 10.1.1.12, which makes using the new address range as simple as possible.

Step 3 – Destination NAT: Branch FortiGate receives the traffic on the IPsec tunnel, and before a policy is matched, the Virtual IP (VIP) you created called Branch-new-to-original performs destination NAT (DNAT).

Note

Like the Fixed Port Range IP Pool, a VIP maps the External IP Range one-to-one onto the Mapped IP Range. This means that 10.2.2.98 is DNATed to 192.168.1.98.

After DNAT, a route lookup is performed, and the traffic will match the From-HQ-to-Branch policy that you created in the "Configuring firewall policies on Branch" section of the recipe.

Src IP: 10.1.1.12

Dst IP: 192.168.1.98

Step 4 – Ping Reply: Branch Test PC receives the ping request from HQ Test PC and sends the ping reply back to 10.1.1.12.

The FortiGate is a stateful firewall, and the same firewall policy that was used when the session was initiated will be used on the way back (the From-HQ-to-Branch policy on both FortiGates).

The session table on each FortiGate records the SNAT or DNAT that was configured in the "Configuring the IPsec VPN on HQ" and "Configuring static routes on HQ" sections, and applies the reverse translation to the reply traffic.

Src IP: 192.168.1.98

Dst IP: 10.1.1.12
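The four steps above traced end to end as an added Python model (example code, not Fortinet's): a one-to-one range map stands in for both the Fixed Port Range IP Pool and the VIP, and a session table reverses each translation on the reply, so the trace also shows the reply after both reverse translations, which the steps above only describe in prose. The /24-sized ranges and the class names are assumptions; the recipe's exact ranges are not shown on this page.

```python
import ipaddress
from collections import namedtuple

Packet = namedtuple("Packet", "src dst")  # addresses as dotted strings

class OneToOneRange:
    """Equal-size range map, as a Fixed Port Range IP Pool (SNAT) or a
    VIP (DNAT) does: the offset inside the range is preserved."""
    def __init__(self, orig_start, orig_end, mapped_start, mapped_end):
        ip = lambda s: int(ipaddress.ip_address(s))
        self.orig = (ip(orig_start), ip(orig_end))
        self.mapped = (ip(mapped_start), ip(mapped_end))
        if self.orig[1] - self.orig[0] != self.mapped[1] - self.mapped[0]:
            raise ValueError("ranges must be the same size for a 1:1 map")

    def translate(self, addr):
        n = int(ipaddress.ip_address(addr))
        if not self.orig[0] <= n <= self.orig[1]:
            return None  # outside the range: no translation
        return str(ipaddress.ip_address(self.mapped[0] + n - self.orig[0]))

class FortiGateSim:
    """Stateful model (assumed helper): NAT applied to the first packet is
    recorded in a session table and reversed on the reply."""
    def __init__(self, snat=None, dnat=None):
        self.snat, self.dnat = snat, dnat
        self.sessions = {}  # (nat src, nat dst) -> (original src, original dst)

    def forward(self, pkt):
        # DNAT (VIP) is applied before policy lookup; SNAT (IP pool) by the policy
        dst = (self.dnat and self.dnat.translate(pkt.dst)) or pkt.dst
        src = (self.snat and self.snat.translate(pkt.src)) or pkt.src
        self.sessions[(src, dst)] = (pkt.src, pkt.dst)
        return Packet(src, dst)

    def reply(self, pkt):
        # The reply matches the existing session; no policy or NAT lookup is repeated
        orig_src, orig_dst = self.sessions[(pkt.dst, pkt.src)]
        return Packet(orig_dst, orig_src)

def ping_round_trip():
    hq = FortiGateSim(snat=OneToOneRange("192.168.1.1", "192.168.1.254", "10.1.1.1", "10.1.1.254"))
    branch = FortiGateSim(dnat=OneToOneRange("10.2.2.1", "10.2.2.254", "192.168.1.1", "192.168.1.254"))
    t = {"step1": Packet("192.168.1.12", "10.2.2.98")}      # ping request leaves HQ Test PC
    t["step2"] = hq.forward(t["step1"])                      # SNAT on HQ FortiGate
    t["step3"] = branch.forward(t["step2"])                  # DNAT on Branch FortiGate
    t["step4"] = Packet(t["step3"].dst, t["step3"].src)      # reply leaves Branch Test PC
    t["step4_branch"] = branch.reply(t["step4"])             # reverse DNAT
    t["step4_hq"] = hq.reply(t["step4_branch"])              # reverse SNAT
    return t
```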
