IPSec tunnel with Policy-Based NAT on Fortigate

First, here is the high-level diagram:

[Diagram image (Drawing1) not reproduced here]

The requirements are:

1. Establish an IPSec VPN tunnel between the Fortigate and a Cisco ASA.

2. Translate the source IP address of 10.100.100.0/24 to 10.153.153.0/24 when it connects to 172.24.200.0/24 through the IPSec tunnel.

3. Do not translate 172.24.200.0/24 when it connects to 10.153.153.0/24 through the IPSec tunnel.

With an ASA at the far end, this is just a standard IPSec tunnel setup. Even if the Fortigate were replaced with an ASA, the configuration would be fairly straightforward. With the Fortigate it is a little tricky, at least at the very beginning, because my FortiOS 5.2 has no GUI option to create such a tunnel, so I had to start from the CLI.

Below is the configuration put onto the Fortigate. The two LAN address objects are single hosts (255.255.255.255 masks), each mapped by its own policy to one translated address (natip): 10.100.100.1 becomes 10.153.153.1 and 10.100.100.2 becomes 10.153.153.2. If the LAN objects carried a 255.255.255.0 mask instead, both would match the whole 10.100.100.0/24, policy 1 would take all of that traffic and policy 2 would never be reached. The phase 2 selectors use the translated subnet 10.153.153.0/24, not the real 10.100.100.0/24, because the peer only ever sees the translated addresses. The psksecret shown is the encrypted (ENC) value stored on the original unit; on another unit, enter the pre-shared key in clear text with set psksecret.

config firewall address
    edit "LocalSubnet-RealIP-1"
        set associated-interface "LAN"
        set subnet 10.100.100.1 255.255.255.255
    next
    edit "LocalSubnet-RealIP-2"
        set associated-interface "LAN"
        set subnet 10.100.100.2 255.255.255.255
    next
    edit "RemoteSubnet"
        set subnet 172.24.200.0 255.255.255.0
    next
end

config vpn ipsec phase1
    edit "Tunnel4Test"
        set interface "WAN"
        set nattraversal disable
        set proposal aes128-sha1 3des-sha1
        set dhgrp 5 2
        set remote-gw 204.204.204.18
        set psksecret ENC YHbmejTH3Doryywk/KkQZ+qWXBEOP1RScs+ewjBmhzXcTguEdmuKsW8g==
    next
end

config vpn ipsec phase2
    edit "Tunnel4TestP2"
        set phase1name "Tunnel4Test"
        set use-natip disable
        set proposal aes128-sha1
        set pfs disable
        set keepalive enable
        set auto-negotiate enable
        set src-addr-type ip
        set dst-addr-type ip
        set src-subnet 10.153.153.0 255.255.255.0
        set dst-subnet 172.24.200.0 255.255.255.0
    next
end

config firewall policy
    edit 1
        set srcintf "LAN"
        set dstintf "WAN"
        set srcaddr "LocalSubnet-RealIP-1"
        set dstaddr "RemoteSubnet"
        set action ipsec
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set natip 10.153.153.1 255.255.255.255
        set av-profile "Default"
        set webfilter-profile "Default"
        set ips-sensor "Default"
        set application-list "Default"
        set profile-protocol-options "default"
        set inbound enable
        set outbound enable
        set natoutbound enable
        set vpntunnel "Tunnel4Test"
    next
    edit 2
        set srcintf "LAN"
        set dstintf "WAN"
        set srcaddr "LocalSubnet-RealIP-2"
        set dstaddr "RemoteSubnet"
        set action ipsec
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set natip 10.153.153.2 255.255.255.255
        set av-profile "Default"
        set webfilter-profile "Default"
        set ips-sensor "Default"
        set application-list "Default"
        set profile-protocol-options "default"
        set inbound enable
        set outbound enable
        set natoutbound enable
        set vpntunnel "Tunnel4Test"
    next
end

Once the initial configuration is done on the Fortigate, you can modify the settings from the GUI. On the ASA side, the interesting-traffic (crypto) ACL and any NAT exemption must reference 10.153.153.0/24 as the remote network, mirroring the Fortigate phase 2 selectors; if the ASA is configured with the real 10.100.100.0/24 instead, phase 2 will fail with a proxy-ID mismatch.
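The two things that most often break a policy-based NAT tunnel like this one are a translated address that falls outside the phase 2 selector (the peer rejects the quick-mode proposal or silently drops the traffic) and a later policy that is shadowed by an earlier, broader one. The following Python script is an added example, not part of the original post and not a Fortinet tool: it parses the relevant FortiOS CLI blocks into a dictionary and runs both checks over a constructed copy of the configuration above. It handles only flat config/edit/set/next/end blocks (no nested config sections) and assumes each policy has a single srcaddr and dstaddr object, which is all this configuration needs.

```python
import ipaddress
import shlex

# Constructed sample: the policy-based NAT parts of the Fortigate config
# discussed in the post (address objects, phase2 selectors, policies).
SAMPLE_CONFIG = """
config firewall address
    edit "LocalSubnet-RealIP-1"
        set subnet 10.100.100.1 255.255.255.255
    next
    edit "LocalSubnet-RealIP-2"
        set subnet 10.100.100.2 255.255.255.255
    next
    edit "RemoteSubnet"
        set subnet 172.24.200.0 255.255.255.0
    next
end
config vpn ipsec phase2
    edit "Tunnel4TestP2"
        set phase1name "Tunnel4Test"
        set src-subnet 10.153.153.0 255.255.255.0
        set dst-subnet 172.24.200.0 255.255.255.0
    next
end
config firewall policy
    edit 1
        set srcaddr "LocalSubnet-RealIP-1"
        set dstaddr "RemoteSubnet"
        set action ipsec
        set natip 10.153.153.1 255.255.255.255
        set natoutbound enable
        set vpntunnel "Tunnel4Test"
    next
    edit 2
        set srcaddr "LocalSubnet-RealIP-2"
        set dstaddr "RemoteSubnet"
        set action ipsec
        set natip 10.153.153.2 255.255.255.255
        set natoutbound enable
        set vpntunnel "Tunnel4Test"
    next
end
"""


def parse_fortios(text):
    """Parse flat FortiOS 'config / edit / set / next / end' blocks into
    {section: {entry: {key: [values]}}}. Entries keep config-file order,
    which is also the order in which firewall policies are evaluated."""
    sections = {}
    section = entry = None
    for raw in text.splitlines():
        tokens = shlex.split(raw)
        if not tokens:
            continue
        if tokens[0] == "config":
            section = " ".join(tokens[1:])
            sections.setdefault(section, {})
        elif tokens[0] == "edit":
            entry = sections[section].setdefault(tokens[1], {})
        elif tokens[0] == "set":
            entry[tokens[1]] = tokens[2:]
        elif tokens[0] == "next":
            entry = None
        elif tokens[0] == "end":
            section = None
    return sections


def net(ip, mask):
    """Build a network from a FortiOS 'address netmask' pair."""
    return ipaddress.ip_network(f"{ip}/{mask}", strict=False)


def check_policy_nat(cfg):
    """Return a list of findings; an empty list means every IPsec policy's
    (translated) source and destination fit inside the phase2 selectors
    and no policy is shadowed by an earlier one."""
    findings = []
    p2_by_tunnel = {p2["phase1name"][0]: p2 for p2 in cfg["vpn ipsec phase2"].values()}
    seen = []  # (policy id, src net, dst net) in evaluation order
    for pid, pol in cfg["firewall policy"].items():
        if pol.get("action") != ["ipsec"]:
            continue
        src = net(*cfg["firewall address"][pol["srcaddr"][0]]["subnet"])
        dst = net(*cfg["firewall address"][pol["dstaddr"][0]]["subnet"])
        p2 = p2_by_tunnel[pol["vpntunnel"][0]]
        p2_src, p2_dst = net(*p2["src-subnet"]), net(*p2["dst-subnet"])
        # With natoutbound, the peer sees natip, so natip (not the real
        # source) must sit inside the local phase2 selector.
        if pol.get("natoutbound") == ["enable"]:
            natip = net(*pol["natip"])
            if not natip.subnet_of(p2_src):
                findings.append(f"policy {pid}: natip {natip} outside phase2 src-subnet {p2_src}")
        elif not src.subnet_of(p2_src):
            findings.append(f"policy {pid}: srcaddr {src} outside phase2 src-subnet {p2_src}")
        if not dst.subnet_of(p2_dst):
            findings.append(f"policy {pid}: dstaddr {dst} outside phase2 dst-subnet {p2_dst}")
        # Policies match top-down: an earlier policy covering this one's
        # source and destination means this one is never reached.
        for earlier_id, e_src, e_dst in seen:
            if src.subnet_of(e_src) and dst.subnet_of(e_dst):
                findings.append(f"policy {pid}: shadowed by policy {earlier_id}")
        seen.append((pid, src, dst))
    return findings


def check_config_text(text):
    return check_policy_nat(parse_fortios(text))


if __name__ == "__main__":
    for line in check_config_text(SAMPLE_CONFIG) or ["no findings"]:
        print(line)
```

Run against the configuration as shown, the script reports nothing. Changing the two LAN address objects to a 255.255.255.0 mask makes it report policy 2 as shadowed by policy 1, and moving a natip outside 10.153.153.0/24 makes it report the selector mismatch that the ASA would otherwise surface only as a failed phase 2.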
