Fortigate policy with VIP and SNAT at the same time

Question

Hi all,

I have a Fortigate doing an IPSEC to an offsite server, and SNAT is required. Policies from dial-in IPSEC and LAN work OK (sending HTTPS traffic to the server over the IPSEC with SNAT translating the source to an IP pool) but when I try to provide external access to this via a VIP, traffic matches the policy and passes but connectivity fails.

LAN to IPSEC policy (working)

config firewall policy
edit 52
set name "LAN to IPSec SNAT"
set srcintf "lan"
set dstintf "IPSEC-P1"
set action accept
set srcaddr "10.0.10.0/24" "192.168.1.0/24"
set dstaddr "10.200.201.1/32"
set schedule "always"
set service "ALL"
set logtraffic all
set nat enable
set ippool enable
set poolname "IPSEC_SNAT"
set comments "LAN to IPSec SNAT"
next
end

WAN to IPSEC policy (not working)

config firewall policy
edit 23
set name "ipsec-tk-test"
set uuid 46350196-0707-51f1-1c80-8146215ecbef
set srcintf "wan1"
set dstintf "IPSEC-P1"
set action accept
set srcaddr "Australia"
set dstaddr "IPSEC-VIP"
set schedule "always"
set service "ALL"
set logtraffic all
set nat enable
set ippool enable
set poolname "IPSEC_SNAT"
set users "AT-test"
next
end

config firewall vip
edit "IPSEC-VIP"
set uuid c1769080-0703-51f1-cd77-c496d8e20f3d
set extip 20.20.20.20
set mappedip "10.200.201.1/32"
set extintf "any"
set portforward enable
set extport 443
set mappedport 443
next
end

config firewall ippool
edit "IPSEC_SNAT"
set startip 100.30.0.10
set endip 100.30.0.10
set arp-reply disable
set comments "IPSEC_SNAT"
next
end

AlexAdriaansen · Answer

FYI I've tried SNAT pool and using the IPSEC interface, with the same results.
Fortigate logs show the traffic accepted, there's no hits to the implicit deny policy. I get a Fortigate user credential prompt but nothing afterwards

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded