Staff

Technical Tip: VIP creation with same external IP and mapped IP

Forum|Forum|6 years ago
September 4, 2019
0 replies
11801 views

Description

This article describes how, since FortiOS v5.6, it is possible to create a VIP with the same External IP and Mapped IP.
However, until firmware 6.0, creating a VIP with the same External IP and Mapped IP will throw an error in both CLI and GUI.

CLI Error:

Static NAT's extip should be different from mappedip.
object check operator error, -8, discard the setting
Command fail. Return code -8

GUI Error:

Scope

FortiGate.

Solution

Change the VIP Type from static-nat to load-balanc while creating the VIP.
Disable the arp-reply, which is enabled by default.

Via CLI:

config firewall vip
edit "SSH_redirect"
set extip 10.50.50.150
set extintf "any"
set portforward enable
set mappedip "10.50.50.150"
set extport 666
set mappedport 22
set arp-reply disable
set type load-balance

end

Via GUI:

Create a new VIP, because if the change is processed on an existing VIP's Type from static-nat to load-balance, an error will occur.

The difference between static-nat and load-balance is that load-balance is used to balance the traffic between different Servers behind a FortiGate.

But if only one-to-one DNAT mapping is used, it will work the same way.

Note: Starting FortiOS v7.2.0, FortiGate removes the overlap check for VIPs. No error message appears regarding the overlapping VIPs; instead of this warning, a security rating reports to the user any IP overlaps.

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded