DNS Fortigate NAT

Forum|Forum|1 year ago
May 13, 2024
2 replies
2066 views

Hello, I have configured in FortiGate with DNS server.
In this same FortiGate I have configured an IPSEC tunnel with a client, which has a DNS server and the clients of my network reach this DNS server through a firewall policy with a specific IP with NAT.

The FortiGate DNS forwards to the client's DNS server, but does not reach it because the IPSEC tunnel is configured with a firewall rule to reach it with a specific IP with NAT and this firewall rule does not apply to the FortiGate DNS.
How can I make the DNS server of the Forti be able to query the DNS of this client?

hbac

Staff

Hi @guchinife,

Please provide a network diagram so I can better understand the topology.

Regards,

ebilcari

Staff

So basically you want the DNS server of the FGT to forward the request to an external DNS server that is reachable through IPSEC but since the other node has a firewall policy that allows the requests only from a specific subnet this requests get dropped.

config system dns-database

edit "eb.lab"

set source-ip <-- try to use the GW of the hosts from the allowed subnet

Emirjon

guchinifeAuthor

New Member

The problem is that the tunnel is accessed with a range of IP's configured in a firewall policy by configuring NAT. If you are not within this range of these IPS you do not reach the client's DNS.
The problem is that the IP of the forti where the DNS is, this policy does not apply to the IP of the forti where the DNS is.

ebilcari

Staff

If NAT is configured on the same FGT that has the DNS server configured you can set that IP as the source of DNS database. If NAT is configured on the other side and this FGT doesn't have an IP that is allowed on that policy it may not be possible to achieve this without changing the firewall policy on the other node.

Emirjon

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded