FortiGate 2000E firmware version: v6.0.2 build0163 (GA)
FortiClient version: 6.0.4
Check Point 5000 Appliance: R80.10
The VPN user (10.50.50.1) needs access to the RDP service on the server 10.10.10.55. For this, an IPsec VPN tunnel was created and a policy on the FortiGate firewall applies that IPsec tunnel. The user can connect to the VPN tunnel successfully, but cannot reach the RDP service, because the Check Point firewall receives the NAT IP of the FortiGate interface (192.168.20.40) instead of the VPN client's source IP (10.50.50.1).
The Check Point firewall sees the NAT IP of the FortiGate interface because of a NAT translation issue in the FortiGate IPsec tunnel.
The following logs are required.
Please run the following debug commands through the CLI and check the output.
# get router info routing-table all
# get router info routing-table database
# get router info kernel
# diag firewall proute list
# diag debug reset
# diag debug flow filter addr x.x.x.x (x.x.x.x is the IP address of the destination you are trying to RDP to)
# diag debug flow filter port 3389
# diag debug flow show console enable
# diag debug console time en
# diag debug flow trace start 9999
# diag debug enable
# diag sniff packet any "host x.x.x.x and port 3389" 6 0 a (x.x.x.x is the IP address of the destination you are trying to RDP to; the capture filter needs the keyword "port" before 3389)
Now connect to the VPN and try to open the RDP session. Once you get the error,
disable debugging using # diag debug disable
- You are using a policy-based VPN.
- The connection was initiated from 10.50.50.1 to the 10.10.10.55 server.
- The server 10.10.10.55 is located behind the FortiGate and is reachable via the FortiGate LAN interface.
- The FortiGate is doing SNAT, changing the source 10.50.50.1 to 192.168.20.40, which is the IP address of the FortiGate LAN interface, but source NAT was not enabled on the policy.
- Disabled the SNAT in the phase2 configuration using the following commands:
config vpn ipsec phase2
    edit <name of the tunnel>
        set use-natip disable
    next
end
- After disabling it we tested and could see that the FortiGate is no longer changing the source.
- But from the captures we can see that the FortiGate is forwarding the packets via the LAN interface but we are not getting any response.
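An added example, not the configuration from this case, showing how the two settings discussed above fit together on FortiOS 6.0 for a policy-based tunnel: the phase2 entry with use-natip disabled next to the IPsec firewall policy with NAT disabled, so that neither rewrites the client source 10.50.50.1. The phase1/tunnel name, interface names and address-object names are assumed; the addresses are the ones from this case.

```fortios
# Added example, not this case's configuration. Tunnel, interface and
# address-object names are assumed; IPs are the ones from the case.

# Phase2 of the policy-based tunnel. use-natip is the setting that caused the
# FortiGate to replace the client source 10.50.50.1 with its LAN interface IP
# 192.168.20.40 before the packets reached the Check Point side.
config vpn ipsec phase2
    edit "rdp-tunnel-p2"                      # assumed name
        set phase1name "rdp-tunnel"           # assumed phase1 name
        set use-natip disable                 # stops the source rewrite
        set src-subnet 10.50.50.0 255.255.255.0   # assumed VPN client range
        set dst-subnet 10.10.10.0 255.255.255.0   # assumed server subnet
    next
end

# The policy that applies the tunnel. NAT is disabled here as well, so the
# original client source address is what arrives at the Check Point firewall.
config firewall policy
    edit 10                                   # assumed policy ID
        set srcintf "wan1"                    # assumed
        set dstintf "internal"                # assumed LAN interface
        set srcaddr "vpn-clients"             # assumed object for 10.50.50.0/24
        set dstaddr "rdp-server"              # assumed object for 10.10.10.55
        set action ipsec
        set inbound enable
        set outbound enable
        set vpntunnel "rdp-tunnel"            # assumed phase1 name
        set schedule "always"
        set service "RDP"
        set nat disable
    next
end
```

After applying both, the "diag sniff packet" capture on the LAN interface should show 10.50.50.1 as the source of the port 3389 packets, which is the check described in the findings above.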