VPN not working

Monster2 (Level 1)

Hello guys,

I need help with the VPN connection for the Forti FW; it is placed behind an MPLS router and a DIA router.

FORTI --> MPLS --> DIA.

I have enabled the SSL VPN and site-to-site VPN, but it is not working as the NAT is not placed properly.
At the DIA I have enabled the NAT "ip nat static <forti ip>" to the outside, but I can't choose ports.
On the MPLS I did the same, but IDK if that is correct.
What is the proper NAT to do here?

MPLS router 1800 with version 12.4 on it, which I think is a switch, not a router.
DIA router 2850.
THANKS,

Accepted Solution

The 2850 would be your edge router connected to the internet, so the NAT rules should be placed only on that router, not on the MPLS one. It depends on how many public IPs you have and whether you want to dedicate one to the firewall, or whether you are using a single public IP and want to redirect only the traffic destined to ISAKMP and the SSL VPN. Assuming you are using the traditional NAT on the 2850 router, a one-to-one NAT rule would look similar to this:

ip nat inside source static < private IP of the firewall > < public IP >

If you want to do port mapping it would look like this:

ip nat inside source static tcp <private IP of the firewall> <port> <public IP> <port>

Example:

ip nat inside source static tcp 192.168.1.1 443 1.1.1.1 443


9 Replies

You need NATing in the edge router for DIA?

Hello,
Yes, I need to access the VPN, so I need public access with the DIA IP.

ip nat inside source static udp x.x.x.x  500 interface <ISP> 500
ip nat inside source static udp x.x.x.x 4500 interface <ISP> 4500
ip nat inside source static tcp x.x.x.x 443 interface <ISP> 443

This is what you need for the DIA router.

NOTE: x.x.x.x is your FW private IP.


Monster2 (Level 1)

Thank you guys for the update. Aref, thanks for the explanation. I have done the one-to-one NAT on the DIA, but it didn't work.
Now I will have to try the other way you have suggested.

You're welcome, sir. Are you using the legacy NAT on the 2850 or the new NAT (NVI)? You can verify that by looking at the NAT commands under the interfaces: if they are "ip nat inside/outside" then that is the legacy NAT. However, if the commands are "ip nat enable" then that is the new NAT. The reason I'm asking is that if you happen to use the new NAT, then you should remove the "inside" keyword from the commands I shared in my previous post. If that isn't the case, then please share the sanitized configs of the router for review.
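The two checks discussed in this thread (which ports must be forwarded to the firewall for ISAKMP, NAT-T and the SSL VPN, and whether the router runs legacy NAT or NVI so the "inside" keyword is right) can be automated against a sanitized running-config. The script below is an added example written for this thread; it is not code from Cisco or from any of the posters. Both configs it parses are constructed samples with documentation addresses (203.0.113.x), and the rule syntax it recognises is the `ip nat [inside] source static ...` form shown in the replies above. It also flags the one-to-one form as exposing every port on the firewall, which is why the per-port mappings are the tighter choice.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample (not from the thread): sanitized excerpt of a DIA edge router
# running legacy NAT, with the three per-port mappings pointed at the firewall.
LEGACY_CONFIG = """\
interface GigabitEthernet0/0
 description ISP uplink
 ip address 203.0.113.10 255.255.255.248
 ip nat outside
!
interface GigabitEthernet0/1
 description LAN towards MPLS router / FortiGate
 ip address 192.168.1.254 255.255.255.0
 ip nat inside
!
ip nat inside source static udp 192.168.1.1 500 interface GigabitEthernet0/0 500
ip nat inside source static udp 192.168.1.1 4500 interface GigabitEthernet0/0 4500
ip nat inside source static tcp 192.168.1.1 443 interface GigabitEthernet0/0 443
"""

# Constructed sample: NVI-style NAT ("ip nat enable") but the rule still carries the
# "inside" keyword, and it is a one-to-one mapping rather than per-port.
NVI_CONFIG = """\
interface GigabitEthernet0/0
 ip address 203.0.113.10 255.255.255.248
 ip nat enable
!
interface GigabitEthernet0/1
 ip address 192.168.1.254 255.255.255.0
 ip nat enable
!
ip nat inside source static 192.168.1.1 203.0.113.11
"""

# Internet-facing ports the firewall's VPN services need (ISAKMP, NAT-T, SSL VPN).
REQUIRED_PORTS = {("udp", 500): "ISAKMP/IKE", ("udp", 4500): "IPsec NAT-T", ("tcp", 443): "SSL VPN"}

# Matches both the per-port form (proto, inside ip/port, outside ip or interface, port)
# and the one-to-one form (inside ip, outside ip); the "inside" keyword is optional.
RULE_RE = re.compile(
    r"^ip nat(?P<inside> inside)? source static"
    r"(?: (?P<proto>tcp|udp) (?P<pip>\S+) (?P<pport>\d+) (?:interface \S+|\S+) (?P<gport>\d+)"
    r"| (?P<pip1>\S+) (?P<gip>\S+))\s*$"
)


@dataclass(frozen=True)
class NatRule:
    inside_ip: str
    proto: Optional[str]        # None means one-to-one NAT (all ports)
    inside_port: Optional[int]
    outside_port: Optional[int]
    inside_keyword: bool        # "ip nat inside source ..." (legacy) vs "ip nat source ..." (NVI)


def parse_nat_rules(config: str) -> list:
    """Extract static NAT rules from a running-config excerpt."""
    rules = []
    for line in config.splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            continue
        if m.group("proto"):
            rules.append(NatRule(m.group("pip"), m.group("proto"), int(m.group("pport")),
                                 int(m.group("gport")), bool(m.group("inside"))))
        else:
            rules.append(NatRule(m.group("pip1"), None, None, None, bool(m.group("inside"))))
    return rules


def detect_nat_mode(config: str) -> str:
    """'legacy' for ip nat inside/outside on interfaces, 'nvi' for ip nat enable."""
    lines = {line.strip() for line in config.splitlines()}
    legacy = bool({"ip nat inside", "ip nat outside"} & lines)
    nvi = "ip nat enable" in lines
    if legacy and nvi:
        return "mixed"
    return "nvi" if nvi else "legacy" if legacy else "none"


def check_vpn_nat(config: str, fw_ip: str) -> dict:
    """Report missing VPN forwards and legacy/NVI keyword mismatches for fw_ip."""
    mode = detect_nat_mode(config)
    fw_rules = [r for r in parse_nat_rules(config) if r.inside_ip == fw_ip]
    one_to_one = any(r.proto is None for r in fw_rules)
    missing, warnings = [], []
    for (proto, port), name in REQUIRED_PORTS.items():
        hits = [r for r in fw_rules if r.proto == proto and r.inside_port == port]
        for r in hits:
            if r.outside_port != port:
                warnings.append(f"{name} is reachable on outside port {r.outside_port}, not {port}")
        if not hits and not one_to_one:
            missing.append(f"{name} ({proto}/{port}) is not forwarded to {fw_ip}")
    if one_to_one:
        warnings.append(f"one-to-one NAT exposes every port on {fw_ip}; per-port mapping limits exposure to the VPN services")
    if mode == "none":
        warnings.append("no interface is marked ip nat inside/outside or ip nat enable; static rules will not translate anything")
    for r in fw_rules:
        if mode == "nvi" and r.inside_keyword:
            warnings.append("NVI NAT in use but the rule carries the 'inside' keyword; use 'ip nat source static ...'")
        if mode == "legacy" and not r.inside_keyword:
            warnings.append("legacy NAT in use but the rule lacks the 'inside' keyword; use 'ip nat inside source static ...'")
    return {"mode": mode, "missing": missing, "warnings": warnings, "ok": not missing and mode != "none"}


if __name__ == "__main__":
    for label, cfg in (("legacy", LEGACY_CONFIG), ("nvi", NVI_CONFIG)):
        print(label, check_vpn_nat(cfg, "192.168.1.1"))
```

Run it against a `show running-config` excerpt with the firewall's private IP; an empty `missing` list with `mode == "legacy"` corresponds to the three per-port commands MHM posted, while the NVI sample shows the two things the reply above asks about: the stray "inside" keyword and the broad one-to-one mapping.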

Hello Aref,

Thank you for the update. The customer is now on Eid vacation; I will update you when I have access to the device.

Monster2 (Level 1)

Hello Aref and MHM,

Thank you guys, it worked just fine. And they were using legacy NAT.

You are so welcome 

MHM