destination nat between real ip addresses

Forum|Forum|1 year ago
September 28, 2024
3 replies
1656 views

my issue is the following.

The customer is migrating to new DNS servers on DMZ, but they have too many endpoints on the LAN with old DNS servers (x.x.x.x) configured, they want to MAP the ip for the old DNS servers (x.x.x.x) to the new DNS servers (y.y.y.y)

This can be acomplished using DNAT with the following configuration

VIP:

set service "DNS"
set extip x.x.x.x
set mappedip y.y.y.y
set extintf LAN

after doing this, the DNS traffic going the old DNS servers is natted correctly, but the server x.x.x.x is still giving another services and after natting DNS traffic, Fortigate treats x.x.x.x as virtual IP and any other traffic going to x.x.x.x is dropped with the error "iprope_in_check() check failed on policy 0, drop"

is there a way to do this nat and still have another services on x.x.x.x without considering x.x.x.x as Virtual IP?

after doing this,

AEK

SuperUser

Did you try to use portforward instead of "set service DNS"?

set portforward enable
set protocol udp
set extport 53
set mappedport 53

However I'm not sure if this will actually work because once you configure a VIP then from FG prospective it's like if the whole IP is now owned by FG (as per my understanding), so if you have two equipment on your network with the same IP its simply IP conflict (malfunction and bad design).

In case it doesn't work I think is better not using such workaround and use clean configuration instead.

For example you may change DHCP config to assign the new DNS server to your DHCP clients instead of the old one, and for hosts with static IP config you may take the required time to migrate them one by one.

AEK