FortiNet VPN + Cisco ASA FW

Hello all. I’m in a bit of a jam, any help would be greatly appreciated.

Need to establish access to a server behind a firewall only accessible through VPN.

Structure

Networks

  1. Origin: 192.168.1.0/24
  2. VPN: 10.100.200.200/32
  3. DMZ: 10.10.0.0/23
  4. Destination: 10.20.0.0/24

Devices

  1. Origin workstation with Fortinet VPN
  2. Cisco ASA FW
     • 8 ports
     • Port 1: 10.10.0.60
     • Port 8: 10.20.0.60
  3. Server: 10.20.0.200

I can connect to the FW on 10.10.0.60 from the workstation with the FortiNet VPN.

On the Cisco ASA I can ping the server on 10.20.0.200.

I need to be able to SSH directly to the server from the workstation with the VPN.

My idea was to define a NAT to translate 10.10.0.60 to the server 10.20.0.200. But unfortunately the Cisco only has 1 port available for the 10.10.0.0/23 network, which is assigned for SSH access from the workstation with VPN.

Any idea how I can maintain the VPN access to the Cisco and also NAT my way to the server?

Thanks

I would quit networking altogether if the only thing I could use is a Cisco ASA. Absolute garbage platform, in my opinion of course.

Absolute garbage platform

It’s just about the best VPN concentrator you can get. If you think it’s garbage you don’t know how to work with it because I can’t think of a single reason why it’s bad.

Totally agree on that front. I’m going insane. It’s been almost 2 weeks on this shit

What metric are you using to say it's the best VPN concentrator? Many other platforms will have better performance per dollar than an ASA and are way less complicated to troubleshoot. Also God help you if you are running FMC and have to troubleshoot IPsec VPN issues.

Vendor doesn’t seem to be an issue here so I don’t know why that’s been brought up.

All you should need is proper phase 2, routing, rules, and NAT if subnets overlap. This is a pretty common setup and use case for a VPN.

My issue is when I try to set up the NAT it won’t allow it because the interfaces are on overlapping subnets.

I would just NAT the server to a new subnet that doesn’t overlap with anything, add the new subnet to the crypto map, add routes and rules on both sides.

A diagram may help if I’m not understanding your issue correctly.

That’s a good idea, but unfortunately I don’t have complete authority to change much regarding the DMZ/client network, including subnetting.

I’ll give it a go either way.

If it helps you visualize, the following is a rough of what I’m working on (sorry, couldn’t add pictures)

and thanks a lot for your help 🙂

Networks: Net 1 (Me) >> DMZ >> CLIENT

Devices:  PC (Me) >> VPN >> INTERNET >> DMZ GW >> ASA >> SERVER

EDIT: structure

DMZ is theirs? So there’s no overlap, the /23 includes 10.10.0.0 and 10.20.0.0.

All that should be needed then is firewall rules (assuming routing is good and the encryption domain includes the whole /23)

So is this a site-to-site tunnel with a FortiGate and ASA, or are you running the client’s VPN software on the workstation to get into their network? (Some places use non-Cisco remote access VPNs with ASAs on the edge.)

The /23 is the DMZ, it goes from 10.10.0.0 to 10.10.1.255. The 10.20.0.0/24 is their internal.

I’m running the FortiNet VPN client on my machine to get to their DMZ.

The issue is maintaining the VPN tunnel to get to the ASA and also managing to use that same interface for NATing through to the server on 10.20.0.0/24.

Sorry if I’m not giving enough info, just trying to filter what I can and can’t share.

Whoops, my brain failed at subnetting, but it still doesn’t look like NATing should be needed if your subnets and theirs don’t overlap.

I don’t think I understand how you’re going about this, the tunnel should be able to handle any traffic allowed as long as it’s all configured correctly.

Tbh I’m not sure I understand either. Had another task today so I couldn’t get to it, but from what I gathered we are basically using 2 FWs back to back, one of them is transparent I think.

So my idea is to just hammer it with a static route on the 2nd FW, the Cisco ASA.

You don’t need NAT in your use case. Just routing. And a simple one at that.
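As an added illustration (not a post from this thread, and not the OP's actual config), here is what the routing-only approach recommended above looks like on an ASA, using the addresses given in the thread. It assumes ASA 8.3+ syntax, that port 1 and port 8 are GigabitEthernet1/1 and GigabitEthernet1/8, that the DMZ gateway is 10.10.0.1, and the object and interface names are made up for the example. The static NAT at the end is shown only as the fallback for the overlapping-subnet case the thread discusses.

```cisco
! Added example, not the thread's config. ASA 8.3+ syntax.
! Interface names, the DMZ gateway 10.10.0.1 and object names are assumptions.
! Port 1 faces the DMZ where the VPN user lands; port 8 faces the server.
interface GigabitEthernet1/1
 nameif dmz
 security-level 50
 ip address 10.10.0.60 255.255.254.0
!
interface GigabitEthernet1/8
 nameif inside
 security-level 100
 ip address 10.20.0.60 255.255.255.0
!
! Return path: anything not directly connected (including the VPN client
! at 10.100.200.200) goes back out through the DMZ gateway.
route dmz 0.0.0.0 0.0.0.0 10.10.0.1 1
!
! Keep management SSH to the ASA itself (10.10.0.60) open for the VPN client only.
ssh 10.100.200.200 255.255.255.255 dmz
!
object network VPN-CLIENT
 host 10.100.200.200
object network SSH-SERVER
 host 10.20.0.200
!
! Least privilege: only the VPN client, only SSH, only to the one server.
! dmz is lower security than inside, so nothing passes without this ACL.
access-list DMZ-IN extended permit tcp object VPN-CLIENT object SSH-SERVER eq ssh
access-list DMZ-IN extended deny ip any any log
access-group DMZ-IN in interface dmz
!
! Outside the ASA, two things must also be true for "just routing" to work:
!  - the DMZ gateway needs a route "10.20.0.0/24 via 10.10.0.60"
!  - the FortiGate tunnel / split-tunnel list must include 10.20.0.0/24,
!    otherwise the client never sends that traffic into the VPN.
!
! Only if 10.20.0.0/24 really overlapped with a network on the other side
! would a static NAT be needed. It would look like this (10.10.1.200 is a
! placeholder free DMZ address); the ACL above keeps using the real IP,
! because post-8.3 ACLs match pre-NAT addresses:
!   object network SSH-SERVER
!    host 10.20.0.200
!    nat (inside,dmz) static 10.10.1.200
```

The check that tells you which branch you are in is simply whether 10.20.0.0/24 and 10.10.0.0/23 (10.10.0.0 to 10.10.1.255) share any address; they don't, which is why the thread lands on routing plus a firewall rule and no NAT.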