Herthon
New Member
November 8, 2021
Question

I need help to get FGate-VM64-KVM v6.4.6 working with 2 networks, 2 VRFs and SNAT/DNAT

  • November 8, 2021
  • 1 reply
  • 5101 views

Hi folks!

I have many doubts, so I have created a lab: PC1-----FGT(VRF 10 <-> VRF 20)-----PC2 with SNAT/DNAT, but it doesn't work!

Can anyone help me?

1 reply

Kangming
Staff
November 9, 2021

PC1(10.0.0.1) -----Port3(10.0.0.254)---|VRF10|---Link0(172.16.0.253)--------Link1(172.16.0.254)---|VRF20|---Port4(192.168.0.254) ------PC2(192.168.0.1)

 

config firewall ippool
    edit "ESQ-SNAT"
        set startip 172.16.0.240
        set endip 172.16.0.240
    next
    edit "DIR-SNAT"
        set startip 172.16.0.250
        set endip 172.16.0.250
    next
end

config firewall vip
    edit "ESQ-DNAT"
        set extip 172.16.0.241
        set mappedip "10.0.0.1"
        set extintf "any"
        set arp-reply disable
        set nat-source-vip enable
    next
    edit "DIR-DNAT"
        set extip 172.16.0.251
        set mappedip "192.168.0.1"
        set extintf "any"
        set arp-reply disable
        set nat-source-vip enable
    next
end

 

config firewall policy
    edit 1
        set name "ESQ->Link0"
        set srcintf "port3"
        set dstintf "Link_0"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set ippool enable
        set poolname "ESQ-SNAT"
        set nat enable
    next
    edit 2
        set name "Link_0->ESQ"
        set srcintf "Link_0"
        set dstintf "port3"
        set srcaddr "all"
        set dstaddr "ESQ-DNAT"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 3
        set name "DIR->Link_1"
        set srcintf "port4"
        set dstintf "Link_1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set ippool enable
        set poolname "DIR-SNAT"
        set nat enable
    next
    edit 4
        set name "Link1_DIR"
        set srcintf "Link_1"
        set dstintf "port4"
        set srcaddr "all"
        set dstaddr "DIR-DNAT"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end

config router static
    edit 1
        set dst 192.168.0.0 255.255.255.0
        set gateway 172.16.0.254
        set device "Link_0"
    next
    edit 2
        set dst 10.0.0.0 255.255.255.0
        set gateway 172.16.0.253
        set device "Link_1"
    next
end

 

The configuration seems to be correct. Which src-to-dst traffic do you find does not work?

Maybe you can use the sniffer and debug flow to help you troubleshoot:

 

Sniffer:

diagnose sniffer packet any "icmp" 4 0 l

Debug Flow:

diagnose debug flow filter proto 1
diagnose debug flow show function-name enable
diagnose debug flow trace start 100
diagnose debug enable
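As an added example (my own code, not the poster's configuration or anything from Fortinet), here is a small Python parser for the FortiOS CLI syntax used in the reply above, plus a reference check that flags policies pointing at IP pools, VIPs or address objects the config never defines; the sample text is the reply's ippool, VIP and first two policies copied verbatim. It assumes the five keywords on the page (config, edit, set, next, end) delimit every statement, so a quoted value that is itself a bare keyword is not handled.

```python
import shlex
# Added example, not FortiOS or Fortinet code: a small parser for the FortiOS CLI
# syntax in the reply above, plus a reference check over the parsed tables.
KEYWORDS = {"config", "edit", "set", "next", "end"}

def parse_fortios(text):
    """Parse 'config ... edit ... set k v ... next ... end' into nested dicts; each
    'set' value is kept as a list of tokens (shlex strips the quotes)."""
    toks, root, stack, i = shlex.split(text), {}, [], 0
    cur = root
    while i < len(toks):
        kw, args, i = toks[i], [], i + 1
        while i < len(toks) and toks[i] not in KEYWORDS:  # arguments run to next keyword
            args.append(toks[i]); i += 1
        if kw in ("config", "edit"):      # open a table ("firewall vip") or an entry ("1")
            stack.append(cur)
            cur = cur.setdefault(" ".join(args), {})
        elif kw == "set":
            cur[args[0]] = args[1:]
        else:                             # next / end close the current level
            cur = stack.pop()
    return root

def lint(cfg):
    """Findings for policies that reference pools, VIPs or addresses never defined."""
    pools, vips = cfg.get("firewall ippool", {}), cfg.get("firewall vip", {})
    addrs, out = cfg.get("firewall address", {}), []
    for pid, pol in cfg.get("firewall policy", {}).items():
        for pool in pol.get("poolname", []):
            if pool not in pools:
                out.append(f"policy {pid}: ippool {pool!r} not defined")
        if pol.get("ippool") == ["enable"] and pol.get("nat") != ["enable"]:
            out.append(f"policy {pid}: ippool enabled without 'set nat enable'")
        for key in ("srcaddr", "dstaddr"):
            for a in pol.get(key, []):
                if a != "all" and a not in vips and a not in addrs:
                    out.append(f"policy {pid}: {key} {a!r} is neither an address nor a VIP")
    return out

# Constructed sample: the ippool, the VIP and the first two policies from the reply.
SAMPLE = """
config firewall ippool edit "ESQ-SNAT" set startip 172.16.0.240 set endip 172.16.0.240 next end
config firewall vip edit "ESQ-DNAT" set extip 172.16.0.241 set mappedip "10.0.0.1"
 set extintf "any" set arp-reply disable set nat-source-vip enable next end
config firewall policy edit 1 set name "ESQ->Link0" set srcintf "port3" set dstintf "Link_0"
 set srcaddr "all" set dstaddr "all" set action accept set schedule "always" set service "ALL"
 set ippool enable set poolname "ESQ-SNAT" set nat enable next
edit 2 set name "Link_0->ESQ" set srcintf "Link_0" set dstintf "port3" set srcaddr "all"
 set dstaddr "ESQ-DNAT" set action accept set schedule "always" set service "ALL" next end
"""
```

Running lint(parse_fortios(SAMPLE)) on the posted config returns no findings; the same check on a copy with a misspelled poolname reports the dangling reference, which is the kind of silent mismatch debug flow would otherwise have to reveal.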