Link to home
Create AccountLog in
Avatar of jyoung1974

asked on

NAT proxy traffic IP entering Fortigate over VPN

I'm trying to NAT an IP from clients entering the networks over a Forticlient SSL tunnel. There are no hits on the VIP rule and traffic is not translating. Not sure what I am missing. The traffic is proxy traffic set by Active Directory, but would like it to translate to the inside interface of the firewall to provide proxy services. 

We did have this set up working on a Cisco ASA with no issues, not sure if FG can do it. 

Traffic enters interface SSL-VPN tunnel interface (ssl.root)

Exits the inside interface, the inside interface is the proxy IP address. 

config firewall vip

    edit "NAT-svrip"

        set src-filter ""

        set service "tcp-8080"

        set extip

        set mappedip ""

        set extintf "inside"

        set portforward enable

        set mappedport 8080



Avatar of Craig Beck
Craig Beck
Flag of United Kingdom of Great Britain and Northern Ireland image

Maybe need to understand a little about what you actually need to achieve. VPN clients need to get to an internal proxy, right? If so, why can't they just route to it?

Avatar of jyoung1974


The Proxy is on another site and don't want to send the traffic over the VPN

Not sure I follow still. You said...

I'm trying to NAT an IP from clients entering the networks over a Forticlient SSL tunnel.

Have you got a diagram of the expected traffic flow, perhaps? 

only two systems. A client connecting with FortiClient to a FortiGate firewall. The inside interface provides the proxy service. I'm only trying to NAT the IP that the clients normally use for on premise due to the constraints around changing the proxy with Group Policies in Active Directory.

The FortiGate does not see the traffic coming over the vpn to do NAT. That is my problem.

Avatar of jyoung1974

Link to home
Create an account to see this answer
Signing up is free. No credit card required.
Create Account