Hello Guys,
I would like to know if it’s possible to use SNAT for an IPsec tunnel. Currently, there are a few IP addresses that are already publicly NATted. However, since I’m setting up a new VPN tunnel with the vendor, I would like to use different IP addresses for NATting. How can I accomplish this? I am aware that there are already VIPs available. Can I create another VIP for the existing VIP and assign it a different NAT IP address, and then use it in the IPsec policy? If I do this, will it affect any existing NAT traffic that is already functioning?
Thank you.
Yeah, very much; lots of deployments already, especially banks that NAT on their IPsec tunnels to their partners.
To help with management, I'd recommend enabling Central NAT, especially if you plan to have a lot of NAT statements (though it's highly optional). It just helps keep things tidy.
Here's a document I often refer to: the Site-to-site VPN with overlapping subnets document from Fortinet, which serves as an example use case of NAT being used in tunnels: https://docs.fortinet.com/document/fortigate/7.4.1/administration-guide/426761/site-to-site-vpn-with-overlapping-subnets
NAT pool, or assign p2p IPs on the IPsec tunnel and NAT to the interface. The remote side's P2 selectors will need to reflect the NATed address.
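The IP-pool variant described in the reply above, written out as FortiOS CLI. This is an added example, not configuration from the thread or from Fortinet's documentation; the interface name port1, the tunnel name vendor-p1, the address objects lan-net and vendor-net, and the RFC 5737 documentation addresses are all assumptions made for the example.

```text
# SNAT into an IPsec tunnel using a dedicated public address (FortiOS CLI)
# All addresses and object names below are constructed for this example.
#   10.0.0.0/24    local LAN behind the FortiGate
#   198.51.100.10  the one address the vendor will see as our source
#   203.0.113.0/24 vendor network reached through the tunnel

# Address objects used by the selectors and the policy
config firewall address
    edit "lan-net"
        set subnet 10.0.0.0 255.255.255.0
    next
    edit "vendor-net"
        set subnet 203.0.113.0 255.255.255.0
    next
end

# 1. IP pool holding the SNAT address (overload = many-to-one, port-translated).
#    This is a separate object from any VIP; VIPs are DNAT objects.
config firewall ippool
    edit "vendor-snat-pool"
        set type overload
        set startip 198.51.100.10
        set endip 198.51.100.10
    next
end

# 2. Phase 2 selectors: the local selector is the NATed address, not the
#    real LAN. The vendor configures the mirror image on their side.
config vpn ipsec phase2-interface
    edit "vendor-p2"
        set phase1name "vendor-p1"
        set src-subnet 198.51.100.10 255.255.255.255
        set dst-subnet 203.0.113.0 255.255.255.0
    next
end

# 3. Route the vendor network into the tunnel interface
config router static
    edit 0
        set dst 203.0.113.0 255.255.255.0
        set device "vendor-p1"
    next
end

# 4. Policy from the LAN into the tunnel. "set nat enable" alone would NAT to
#    the tunnel interface address; the pool overrides that with 198.51.100.10.
config firewall policy
    edit 0
        set name "lan-to-vendor-snat"
        set srcintf "port1"
        set dstintf "vendor-p1"
        set srcaddr "lan-net"
        set dstaddr "vendor-net"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set nat enable
        set ippool enable
        set poolname "vendor-snat-pool"
    next
end
```

Because the SNAT address is held in an IP pool referenced only by this one policy, existing policies and VIPs are not touched by adding it. To confirm the translation is happening before the vendor brings their side up, watch the tunnel interface with `diagnose sniffer packet vendor-p1 'host 203.0.113.1' 4` and check that the source address on outbound packets is 198.51.100.10; `diagnose vpn tunnel list` shows whether the phase 2 selectors negotiated match the NATed /32.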
Central NAT is the devil.
Absolutely not. Central NAT is the only choice if you value your time and have a somewhat complex environment regarding NAT.
Disagree with you unfortunately, if you look at other firewall brands. Personally, I have worked (and still currently am working) with Palo Alto, Check Point and Cisco ASA. They have a separate NAT policy/table to configure NAT, and imo that is the best way to implement NAT.
One advantage FortiGate has with NAT is how EASY it is. Just a CLICK and poof! You've got internet. But if you're an enterprise that has a lot of NAT statements, having them separate is a lifesaver. Basically a dumbed-down version of the NAT table.
I honestly wish Fortinet would implement Central NAT in the coming future to look like actual NAT policy tables like other firewalls (instead of separating them: one for SNAT and another for DNAT), but hey, you can't have everything. While of course still keeping the dumbed-down version available.
Central NAT had limitations before; but since v6.4 it’s been all good. Support for IPv6, complete SNAT, and DNAT (pre v5.4, you can ONLY do SNAT)
Central NAT is for Checkpoint engineers to understand Fortigate
Central NAT is more or less the standard everywhere else. Fortinet is the outlier here and their default way of doing NAT doesn’t scale well at all.
Like I said, if you don’t value your time or have a simple environment continue not using Central NAT.
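For comparison with the per-policy approach, here is the same SNAT into the vendor tunnel expressed under Central NAT, the mode several replies above recommend. This is an added example, not configuration from the thread or from Fortinet; the object names (vendor-snat-pool, lan-net, vendor-net, port1, vendor-p1) and the addresses are assumptions carried over for illustration.

```text
# SNAT into an IPsec tunnel under Central NAT (FortiOS CLI)
# Object names and addresses are constructed for this example; the phase 2
# selectors and static route are the same as in a per-policy setup and are
# not repeated here.

# The SNAT address, as before, lives in an IP pool
config firewall ippool
    edit "vendor-snat-pool"
        set type overload
        set startip 198.51.100.10
        set endip 198.51.100.10
    next
end

# 1. Switch the VDOM to Central NAT. After this, firewall policies carry no
#    NAT settings; all SNAT is decided by the central-snat-map table.
config system settings
    set central-nat enable
end

# 2. The SNAT rule in its own table, evaluated top-down by match order,
#    much like the NAT rulebase on an ASA, Palo Alto or Check Point.
config firewall central-snat-map
    edit 1
        set srcintf "port1"
        set dstintf "vendor-p1"
        set orig-addr "lan-net"
        set dst-addr "vendor-net"
        set nat enable
        set nat-ippool "vendor-snat-pool"
    next
end

# 3. The firewall policy only permits the traffic; note there is no
#    "set nat" or "set poolname" line any more.
config firewall policy
    edit 0
        set name "lan-to-vendor"
        set srcintf "port1"
        set dstintf "vendor-p1"
        set srcaddr "lan-net"
        set dstaddr "vendor-net"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
end
```

The trade-off the thread is arguing about shows up in step 1: in a VDOM that already has policies relying on per-policy NAT, enabling Central NAT is a migration, not a toggle, because every existing translation has to be re-expressed as a central-snat-map entry (and DNAT as a VIP referenced by policy) before the switch, or that traffic stops being translated. The benefit is in step 2: the order and scope of every SNAT rule is visible in one table rather than scattered across policy flags.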