DNAT without VIP
Dear All,
Is there any way to use DNAT without a VIP? I have the following situation:
clients pc --- fortigate ---- other device --- 192.168.5.5
                                          |_ 192.168.6.6
I would like to achieve:
a) - A client with IP 10.10.10.10, if it wants to go to dst 192.168.5.5, is DNAT-ed to dst 192.168.6.6.
b) - While other clients, if they want to go to dst 192.168.5.5, are not NAT-ed, so dst 192.168.5.5 is unchanged and the packet is simply forwarded to the destination.
My problem is that the 'external IP' is not on the FortiGate, and when I create a DNAT & Virtual IP with:
External IP address/range : 192.168.5.5
Mapped IP address/range : 192.168.6.6
Optional filter / Source address : 10.10.10.10
Then a) seems to work: there are DNAT-ed outgoing packets and replies, but b) doesn't work, and the diag flow shows:
"iprope_in_check() check failed on policy 0, drop", as I think the FortiGate treats 192.168.5.5 as a local address because of the VIP.
So is there a way to use only DNAT without a local VIP, or do you have any idea how to solve this problem?
PS: the network is a little bit more complicated than this; there are more "clients", and those have configs with fixed destination servers, so in this way I would like to send some "clients" to another server.
Thank you for reading.