DamianLozano
New Member
August 18, 2020
Question

Central NAT - DNAT configuration


Hello,

I just installed a new FortiGate and for the first time enabled "central NAT" from the CLI.

I created a SNAT rule for each outgoing Internet connection and I think these rules are working because I can browse the Internet.

Now I want to forward the port TCP 81 to 10.1.1.234 because I need to access there from Internet.

I created the following "DNAT & Virtual IP":

Interface: lan (I don't know if this should be the source or destination interface, but I tested with each with no luck)

Source Interface Filter: disabled

External IP Address/Range: PublicIP

Mapped IP Address/Range: 10.1.1.234

Optional Filters: disabled

Port Forwarding: enabled

Protocol: TCP

External Service Port: 81

Map to Port: 81

I can connect from inside with "telnet 10.1.1.234 81" but I cannot connect from outside with "telnet publicIP 81", so the "DNAT & Virtual IP" is not working.

What is wrong?

Thanks in advance.

Regards,

Damián

    poundy
    New Member
    August 19, 2020

    Do you have a policy to permit inbound connections to the VIP? I suspect that's all you're missing...

    The next thing I'll point you to is "diag debug flow". For example, have a look at this page for inspiration https://marktugbo.com/2017/07/04/tools-flow-trace-in-fortigate/ but a simplistic version for you would be something like:

    diag debug disable

    diag debug flow filter daddr 10.1.1.234

    diag debug flow filter port 81

    diag debug flow show function-name enable

    diag debug flow trace start 10

    diag debug enable

    ... and then look at what info you get from there.

    DamianLozano
    New Member
    August 19, 2020

    Hello people!

    You were right, the traffic is being blocked by the implicit policy:

    id=20085 trace_id=1 func=print_pkt_detail line=5573 msg="vd-root:0 received a packet(proto=6, SRCpublicIP:53495->WAN1IP:81) from wan. flag , seq 4175373843, ack 0, win 64240"
    id=20085 trace_id=1 func=init_ip_session_common line=5744 msg="allocate a new session-01b345f2"
    id=20085 trace_id=1 func=vf_ip_route_input_common line=2591 msg="find a route: flag=80000000 gw-WAN1IP via root"
    id=20085 trace_id=1 func=fw_local_in_handler line=412 msg="iprope_in_check() check failed on policy 0, drop"

    The problem is that I cannot select the new "DNAT & Virtual IP" in a policy. I just temporarily added a policy to allow everything from wan to lan, with no luck.

    I tried it in many ways with no luck.

    FortiGate should have better documentation about its features.

    Do you know any document about how to forward a port from scratch?

    Can you explain this to me?

    I attended an NSE4 course but we never saw this.

    Thanks in advance

    Regards,

    Damián
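
An added example, not part of the thread: a small Python parser for a trace in the format pasted above, which pulls out the traced packet and the final verdict so an implicit-deny drop stands out when reading a longer dump. The sample trace is constructed (RFC 5737 documentation addresses in place of the poster's real ones); the "Allowed by Policy-" string is the FortiOS accept message, which this thread does not show.

```python
import re

# Constructed sample modelled on the trace pasted in the thread: one record per line,
# RFC 5737 documentation addresses in place of the poster's real ones.
SAMPLE_TRACE = """\
id=20085 trace_id=1 func=print_pkt_detail line=5573 msg="vd-root:0 received a packet(proto=6, 198.51.100.7:53495->203.0.113.10:81) from wan. flag [S], seq 4175373843, ack 0, win 64240"
id=20085 trace_id=1 func=init_ip_session_common line=5744 msg="allocate a new session-01b345f2"
id=20085 trace_id=1 func=vf_ip_route_input_common line=2591 msg="find a route: flag=80000000 gw-203.0.113.10 via root"
id=20085 trace_id=1 func=fw_local_in_handler line=412 msg="iprope_in_check() check failed on policy 0, drop"
"""

# key=value pairs: the value is either a double-quoted string (may contain spaces) or a bare token
FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
PACKET = re.compile(r"\(proto=(\d+), ([\d.]+):(\d+)->([\d.]+):(\d+)\) from (\w+)")


def parse_flow(text):
    """One dict per record; a record is one 'id=... func=... msg=...' line."""
    records = []
    for line in text.splitlines():
        rec = {key: quoted or bare for key, quoted, bare in FIELD.findall(line)}
        if rec:
            records.append(rec)
    return records


def summarize(records):
    """Per trace_id: the traced packet, the kernel function that decided its fate, and the verdict."""
    traces = {}
    for rec in records:
        t = traces.setdefault(rec.get("trace_id"),
                              {"packet": None, "func": None, "verdict": "no verdict recorded"})
        msg = rec.get("msg", "")
        m = PACKET.search(msg)
        if m:
            t["packet"] = {"proto": int(m[1]), "src": m[2], "sport": int(m[3]),
                           "dst": m[4], "dport": int(m[5]), "in_intf": m[6]}
        elif "check failed on policy 0" in msg:
            # policy 0 is the implicit deny: no firewall policy matched this packet
            t["func"], t["verdict"] = rec.get("func"), "dropped by implicit deny (policy 0): no policy matches"
        elif "drop" in msg or msg.startswith("Allowed by Policy-"):
            # any other explicit drop, or the FortiOS accept message (not present in this thread)
            t["func"], t["verdict"] = rec.get("func"), msg
    return traces
```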

    DamianLozano
    New Member
    August 19, 2020

    I just found the following in the Lab guide of the NSE4:

    "You can't select VIPs previously created in a firewall policy as a destination address.

    As soon as a VIP object is created, FortiGate automatically creates a rule in the kernel for DNAT to occur"

    The guide asked me to enable a rule but the lab stopped being available when the course ended.

    Image attached

    Regards

    DamianLozano
    New Member
    August 27, 2020

    Thanks for your response.

    There is no rule in sd-wan -> lan.

    This is because I could not select a VIP in a policy.

    I temporarily added a rule to allow everything, but as this did not solve the issue I deleted it.

    So, every time I need to create a VIP I need to do the following?

    - Create a rule

    - Enable the match-vip from cli

    - Match VIP in the rule

    This does not make sense to me.

    In this case, what is "Central NAT" for?

    I thought that no rule is needed with "Central NAT", that is what I understood in the course.

    Regards,

    Damián

    emnoc
    New Member
    August 27, 2020

      So, every time I need to create a VIP I need to do the following? - Create a rule - Enable the match-vip from cli - Match VIP in the rule

    Yes, you need a policy, if that is what you mean by rule. No policy, and without the VIP defined as the destination, it is not going to work. All traffic is controlled by the policy.

    In this case, what is "Central NAT" for?

    A central NAT table just provides a central table for NAT translation, but for SNAT. A VIP is not controlled by the central NAT table. In fact the name suggests it's a SNAT map.

    People who like the central NAT table are mainly people that come from the Checkpoint, Juniper, Cisco ASA or Palo shop, since it works nearly the same.

    If you enable central SNAT you do NOT use NAT in your policy; the table manages the SNATs.

    Read more here.

    https://help.fortinet.com/cli/fos60hlp/60/Content/FortiOS/fortiOS-cli-ref/config/firewall/central-snat-map.htm

    ;)

    BTW, SNAT has nothing to do with your VIP, fwiw.

    Ken Felix

    DamianLozano
    New Member
    September 1, 2020

    Hello again,

    I hope I don't need to explain again that although I attached an image from a course, this is about a real FortiGate in a production environment (the course ended some weeks ago, the lab is no longer available).

    I finally could test; I did the following:

    - Added a service for port 81

    - Added a rule from sd-wan to lan for this service

    - Tried to enable match-vip for this policy as in https://kb.fortinet.com/kb/documentLink.do?externalID=FD33338 but failed

    FGT # config firewall policy
    FGT (policy) # edit 5
    FGT (5) # set match-vip enable
    command parse error before 'match-vip'
    Command fail. Return code -61

    So, I attached again the image from the lab guide which I followed when I did the course.

    In this image you can see the following words from FortiGate: "As soon as VIP object is created, Fortigate automatically creates a rule in the kernel for DNAT to occur", which I interpreted as: "I don't need to create a policy".

    What is the problem here?

    If I need to enable match-vip for the rule, what is the proper command to accomplish this?

    Regards,

    Damián

    emnoc
    New Member
    September 1, 2020

    Not sure what you're doing, but 1st let's start with this:

    "As soon as VIP object is created, Fortigate automatically creates a rule in the kernel for DNAT to occur", which I interpreted as: "I don't need to create a policy"

    Creating a VIP does NOT side-step the need for a rule. I'm not sure why you keep bringing this up.

    2nd, let's see the fw-policy #5

    (from the CLI, using the above-mentioned policy id 5)

    show full firewall policy 5

    Let's see your VIP so we can fully understand what you're doing:

    show full firewall vip

    Can you give us those 2 outputs from the CLI?

    Ken Felix

    DamianLozano
    New Member
    September 1, 2020

    Sure, thanks for your reply,

    FGT # show full firewall policy 5 
    config firewall policy
        edit 5
            set name "DVR"
            set uuid a6d824f4-ec4d-51ea-7f07-66b8d321df2d
            set srcintf "virtual-wan-link"
            set dstintf "lan"
            set srcaddr "all"
            set dstaddr "DVRs"
            set internet-service disable
            set internet-service-src disable
            set rtp-nat disable
            set learning-mode disable
            set action accept
            set status enable
            set schedule "always"
            set schedule-timeout disable
            set service "Web2"
            set dscp-match disable
            set utm-status disable
            set logtraffic utm
            set logtraffic-start disable
            set auto-asic-offload enable
            set np-acceleration enable
            set permit-any-host disable
            set permit-stun-host disable
            set session-ttl 0
            set vlan-cos-fwd 255
            set vlan-cos-rev 255
            set wccp disable
            set fsso disable
            set disclaimer disable
            set natip 0.0.0.0 0.0.0.0
            set diffserv-forward disable
            set diffserv-reverse disable
            set tcp-mss-sender 0
            set tcp-mss-receiver 0
            set comments ''
            set block-notification disable
            set replacemsg-override-group ''
            set srcaddr-negate disable
            set dstaddr-negate disable
            set service-negate disable
            set timeout-send-rst disable
            set captive-portal-exempt disable
            set ssl-mirror disable
            set scan-botnet-connections disable
            set dsri disable
            set radius-mac-auth-bypass disable
            set delay-tcp-npu-session disable
            unset vlan-filter
            set profile-protocol-options "default"
            set traffic-shaper ''
            set traffic-shaper-reverse ''
            set per-ip-shaper ''
        next
    end
     
    FGT # show full firewall vip
    config firewall vip
        edit "DVR"
            set id 0
            set uuid 71b50130-e166-51ea-3826-075742213cf8
            set comment "Port 81 to DVR"
            set type static-nat
            set extip 179.60.208.66
            set extintf "any"
            set arp-reply enable
            set nat-source-vip disable
            set portforward enable
            set gratuitous-arp-interval 0
            set color 18
            set mappedip "10.1.1.234"
            set protocol tcp
            set extport 81
            set mappedport 81
            set portmapping-type 1-to-1
        next
    end

    Regards,

    Damián
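
An added example, not from the thread: a parser for the "show full" layout pasted above and a check for emnoc's point that a VIP has to be named as the destination of an enabled accept policy, otherwise inbound traffic to it stops at the implicit deny. The sample configuration is constructed (the thread's VIP name and mapped host, an RFC 5737 external address, and a second VIP "DVR-old" that no policy references); a VIP referenced only through an address group is not resolved by the check.

```python
import shlex

# Constructed sample in the layout of "show full firewall policy" / "show full firewall vip",
# trimmed to the keys the check needs; "DVR-old" is a VIP that no policy references.
SAMPLE_CONFIG = """\
config firewall policy
    edit 5
        set dstaddr "DVR"
        set action accept
        set status enable
    next
end
config firewall vip
    edit "DVR"
        set extip 203.0.113.10
        set mappedip "10.1.1.234"
        set extport 81
    next
    edit "DVR-old"
        set extip 203.0.113.10
        set mappedip "10.1.1.235"
    next
end
"""

def parse_fortios(text):
    """Nest 'config'/'edit' scopes into dicts; each 'set' value becomes a list of tokens."""
    root = cur = {}
    stack = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith(("config ", "edit ")):
            stack.append(cur)
            cur = cur.setdefault(" ".join(shlex.split(line)[1:]), {})
        elif line.startswith("set "):
            key, *vals = shlex.split(line)[1:]
            cur[key] = vals
        elif line in ("next", "end") and stack:
            cur = stack.pop()
    return root

def vips_without_policy(cfg):
    """VIPs that no enabled accept policy names as destination: inbound traffic to them ends at
    the implicit deny. A VIP referenced only through an address group is not resolved here."""
    referenced = {addr for pol in cfg.get("firewall policy", {}).values()
                  if pol.get("action") == ["accept"] and pol.get("status") == ["enable"]
                  for addr in pol.get("dstaddr", [])}
    return sorted(vip for vip in cfg.get("firewall vip", {}) if vip not in referenced)
```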

    DamianLozano
    New Member
    September 1, 2020

    Hello, thanks for your response

    The custom service web2, is that set for tcp port 81?

    Yes, only TCP 81.

    I already did a debug flow and pasted it in a previous note of this post:

    id=20085 trace_id=1 func=print_pkt_detail line=5573 msg="vd-root:0 received a packet(proto=6, SRCpublicIP:53495->WAN1IP:81) from wan. flag , seq 4175373843, ack 0, win 64240"
    id=20085 trace_id=1 func=init_ip_session_common line=5744 msg="allocate a new session-01b345f2"
    id=20085 trace_id=1 func=vf_ip_route_input_common line=2591 msg="find a route: flag=80000000 gw-WAN1IP via root"
    id=20085 trace_id=1 func=fw_local_in_handler line=412 msg="iprope_in_check() check failed on policy 0, drop"

    There is no rule to allow this traffic.

    Regards,

    Damián

    emnoc
    New Member
    September 1, 2020

    Do us a favor, please take the ext-ip of the VIP and ensure it's not being used elsewhere on the FortiGate.

    (i.e. using 179.60.208.66)

    #cli

    show full | grep -f 179.60.208.66

    Ken Felix

    DamianLozano
    New Member
    September 1, 2020

    Hello, thanks for your help

    I just checked again and I could connect with the correct IP.

    I saw that the VIP had the external IP of the secondary WAN connection; when I changed it to use the primary WAN connection it started working, then I changed it again to the secondary and it worked again.

    I don't know what happened there, because when I did the test the first time I used the correct IP and I had created a rule to allow everything just for some minutes for testing purposes.

    Thanks.

    Regards,

    Damián