topic Re: Nat inside VPN tunnel to Fortigate in Firewall and Security Management

Nat inside VPN tunnel to Fortigate

nooni — Mon, 20 Oct 2025 13:07:45 GMT

I am trying to do NAT translation inside the VPN tunnel and i cant wrap my head around this configuration.

The topology looks like this:

In the Encryption Domain on the Check Point i have 192.168.18.10 and 192.168.20.0/28

So server 192.168.18.10 should communicate with 10.10.13.1, which in turn is translated on the Fortigate side to 10.10.12.10.

First issue, Check Point will not route packet over VPN tunnel when i have 192.168.20.0/28 in the EncDom.

If i put 192.168.20.0/28, which i did for a test the phase2 fails, because of course this net is not on the other side really.

NAT is enabled in the community.

I need some suggestions on how to think here

Re: Nat inside VPN tunnel to Fortigate

CaseyB — Mon, 20 Oct 2025 13:50:53 GMT

I believe this is the NAT rule you are looking for if I am following you correctly.

Re: Nat inside VPN tunnel to Fortigate

nooni — Mon, 20 Oct 2025 14:44:38 GMT

I would like the 192.168.18.10 server communicate with IP address 192.168.20.1 and not directly with 10.10.13.1 therefore the NAT table looks a bit weird.

So SRC 192.168.18.10 sends traffic to IP 192.168.20.1 and then this traffic gets translated to 10.10.13.1 so i do not have to use 10.10.13.1 in my local network

Re: Nat inside VPN tunnel to Fortigate

CaseyB — Mon, 20 Oct 2025 14:45:08 GMT

The firewall needs to have a route for 192.168.20.1 somewhere if you want it to be a destination, so it would have to be in the encryption domain on the Fortigate side, but then you'd be doing the NAT translation on the Fortigate side.

What problem are you trying to solve here?

Re: Nat inside VPN tunnel to Fortigate

Lesley — Mon, 20 Oct 2025 16:42:30 GMT

you need to change the source ip in the nat rule also as stated before.

the 192.168.20.1 is floating IP and should be attached to fw with proxy arp.

both real local ip range + local NAT pool should be in local encr domain. You only need to add NAT pool of fortigate in remote peer enc domain, no need for you to know the real ip range there.

Re: Nat inside VPN tunnel to Fortigate

the_rock — Mon, 20 Oct 2025 18:22:40 GMT

I believe what Lesley suggested makes sense.

Re: Nat inside VPN tunnel to Fortigate

nooni — Tue, 21 Oct 2025 07:43:06 GMT

Thanks, so 192.168.20.1 should be manually configured on each FW in the cluster, with the external as interface then ?

Re: Nat inside VPN tunnel to Fortigate

Lesley — Tue, 21 Oct 2025 09:36:49 GMT

No see it as floating IP, it does not have to be directly configured on the interface.

With proxy arp firewall will reply if traffic comes in with arp reply. Make the fw aware the floating IP belongs to the firewall. Just like you would do with public NAT if the IP range is routed to the fw and not directly configured on the interface.

Re: Nat inside VPN tunnel to Fortigate

nooni — Thu, 23 Oct 2025 08:25:03 GMT

So i used the static nat function in the NAT object that should be sufficient.

So the manual NAT rule should look like this ?

Orig SRC 192.168.18.1 Orig DST 192.168.20.1 translated dst 10.10.13.1 ?

Re: Nat inside VPN tunnel to Fortigate

the_rock — Thu, 23 Oct 2025 10:48:01 GMT

That looks right.

Re: Nat inside VPN tunnel to Fortigate

nooni — Wed, 12 Nov 2025 09:06:38 GMT

Can you clarify a bit how the proxy arp should look like ?

Re: Nat inside VPN tunnel to Fortigate

the_rock — Wed, 12 Nov 2025 11:54:32 GMT

https://support.checkpoint.com/results/sk/sk30197

Re: Nat inside VPN tunnel to Fortigate

nooni — Wed, 12 Nov 2025 12:08:34 GMT

Yes i have seen that one but what interface should this translated IP being attached to ?

Re: Nat inside VPN tunnel to Fortigate

the_rock — Wed, 12 Nov 2025 12:09:40 GMT

Most likely external.