JayWinks
New Member
May 25, 2020
Question

Internal clients to VIP on same Firewall not NATed

Company X has a firewall where they have

  • a trusted subnet (LAN) with some clients and a server published with a VIP (192.168.1.0/32)
  • an untrusted subnet with other clients (10.10.10.0/32)

Both subnets are served by a FortiGate interface.

Company wants to geo-fence the VIP and only allow access from USA. This works as expected *except* when the client accessing the VIP is from either "internal" network. It appears the internal address of the client is not NATed to the VIP and instead shows up as the original IANA address. As such it is blocked, since IANA is not USA. We know this is correct because if we modify the WAN -> VIP policy to allow USA + IANA-192, trusted clients work, and if we add IANA-10 the untrust clients work as well. But for obvious reasons, we'd prefer not to do that.

On the trusted subnet we've treated this as a known behavior and simply set up a pinhole split-horizon DNS entry to keep the traffic from traversing the firewall, going straight to the internal address - one might even consider this desired behavior in some cases. But now that they need this untrusted network to access the VIP, we need to know how to make sure the untrust clients get NATed as they traverse the interface.

1 reply

HaTiMuX
New Member
May 26, 2020

Hello,

You can create a NAT pool to NAT traffic coming from the untrusted subnet with an IP which is considered from USA.

Then you need to create a firewall policy to allow traffic from your untrusted subnet to your trusted subnet where the server is located.

Your VIP should listen on any, otherwise you will not be able to add it to your firewall policy (because your internal traffic will come from a different interface than the WAN interface).

Hope it helps!
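The three steps in the reply above, written out as a FortiOS CLI fragment. This is an added illustration, not configuration from the thread or from Fortinet; every object name, interface name and address in it is a constructed placeholder (the server's real address, the untrusted subnet's mask and the public address used for source NAT are assumptions and must be replaced with the site's own values).

```fortios
# Constructed example: interface names "untrust", "trust" and "wan1",
# and all addresses, are placeholders.

# 1. Address object for the untrusted subnet (mask assumed to be /24).
config firewall address
    edit "untrust-net"
        set subnet 10.10.10.0 255.255.255.0
    next
end

# 1b. Geography object used by the existing WAN -> VIP policy (US only).
config firewall address
    edit "geo-US"
        set type geography
        set country "US"
    next
end

# 2. IP pool: source NAT the untrusted clients to one public address that
#    geolocates to the USA (203.0.113.10 is a documentation-range placeholder).
config firewall ippool
    edit "USA-SNAT-POOL"
        set type overload
        set startip 203.0.113.10
        set endip 203.0.113.10
    next
end

# 3. The VIP must listen on "any" so it can be used as dstaddr in a policy
#    whose source interface is not the WAN (the hairpin case in the thread).
config firewall vip
    edit "WEB-VIP"
        set extip 192.168.1.0
        set extintf "any"
        set mappedip "192.168.1.50"
        set portforward enable
        set protocol tcp
        set extport 443
        set mappedport 443
    next
end

# 4. Dedicated untrust -> trust policy with the pool enabled. Its own srcaddr
#    is the untrusted subnet, so this policy (not the geo rule) is what limits
#    who on the untrusted side may reach the server; keep the service list tight.
config firewall policy
    edit 0
        set name "untrust-to-WEB-VIP"
        set srcintf "untrust"
        set dstintf "trust"
        set srcaddr "untrust-net"
        set dstaddr "WEB-VIP"
        set action accept
        set schedule "always"
        set service "HTTPS"
        set nat enable
        set ippool enable
        set poolname "USA-SNAT-POOL"
        set logtraffic all
    next
end
```

After committing, a session from an untrusted client should show the VIP as the destination and the pool address as the post-NAT source; with `logtraffic all` on the policy, each hairpin connection is recorded under this policy's ID rather than under the WAN-facing geo rule, which is the check to run when confirming the change behaves as the reply describes.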