baylonjmj
New Member
March 19, 2018
Question

OUTBOUND POLICY is being source natted to a different public IP address

  • March 19, 2018
  • 3 replies
  • 11773 views

Hi All,

Have you encountered this scenario?

I am using FortiOS 5.4.3 on an FG300D, with an "allow any internal user out" policy, natted to the firewall interface IP.

There is also an inbound rule for a specific user/device using a VIP that is not the interface IP.

Whenever that specific device is accessing the internet (outbound), its IP is natted to its VIP IP instead of the interface IP.

There is no IP pool configured on the firewall and there is no special rule for that specific device to go out. The firewall logs say it is being source natted and the action made is "timedout".

Would you know the proper way to fix this?

TIA

-Lehac

    3 replies

    emnoc
    New Member
    March 19, 2018

    The cli cmd diag debug flow is your friend. Inspect your fwpolicy and take action on what's present or not.

    Ken

    baylonjmj (Author)
    New Member
    March 19, 2018

    Hi Emnoc,

    Yup, I've done that and the firewall is just dropping the packet saying status "timedout".

    It's just weird that the outbound rule is source natted to a VIP IP address even though the firewall policy is saying use the interface IP. That VIP IP is not even configured as an IP pool and not used for any outbound traffic.

    I am just crowdsourcing if this is a pretty common behaviour on a Fortigate firewall.

    -lehac

    emnoc
    New Member
    March 19, 2018

    That does not make sense; the diag debug flow should show a match or deny. Can you post the output (debug) and the fwpolicy(s) involved? (The output of diag debug flow where it says SNAT, and the full firewall policy, e.g.:

    show full firewall policy <xxxx>

    show full firewall vip <xxxxxxxxxxxxxx>

    Xs = policyid# and/or name as it relates to the vip.)

    So in your case, you have a DNAT-VIP being matched on outside traffic? And that timed out? Also, do you have set nat-source-vip enable on the VIP, or central nat?
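    The checks Ken asks for, written out as an added example (this is not from any poster in the thread): trace the debug flow for the one host, dump the policy and the VIP in full, and look at the VIP's nat-source-vip setting, which is the option that makes a VIP's external address become the source address for the mapped host's outbound sessions. The host address 10.0.0.50, VIP address 203.0.113.10, VIP name "vip_host50" and policy ID 12 are constructed placeholders, the `show console enable` line is the FortiOS 5.4-era syntax (assumption; later releases dropped it), and the `#` lines are annotations rather than commands to type.

    ```fortios
    # Constructed example: 10.0.0.50 = internal host, 203.0.113.10 = its VIP extip,
    # policy 12 = the outbound allow-all rule. None of these values come from the thread.

    # 1. Trace only this host's sessions (FortiOS 5.4 syntax, assumption for "show console")
    diagnose debug reset
    diagnose debug flow filter addr 10.0.0.50
    diagnose debug flow show console enable
    diagnose debug flow show function-name enable
    diagnose debug flow trace start 100
    diagnose debug enable
    # ... reproduce one outbound connection from the host, then:
    diagnose debug flow trace stop
    diagnose debug disable
    # In the trace, note which policy id is matched and the SNAT line: it tells you
    # whether the source becomes the interface IP or 203.0.113.10 (the VIP).

    # 2. Dump the matched policy and the VIP in full so every default is visible
    show full-configuration firewall policy 12
    show full-configuration firewall vip "vip_host50"

    # 3. A VIP that looks like this SNATs the mapped host's outbound traffic to extip:
    #   config firewall vip
    #       edit "vip_host50"
    #           set extip 203.0.113.10
    #           set mappedip "10.0.0.50"
    #           set extintf "wan1"
    #           set nat-source-vip enable
    #       next
    #   end
    # To have that host leave with the interface IP like everyone else, turn it off:
    config firewall vip
        edit "vip_host50"
            set nat-source-vip disable
        next
    end

    # 4. Rule out central NAT: if central-nat is enabled, policy-level NAT settings
    #    no longer apply and a central-snat-map entry decides the source address.
    show system settings
    show firewall central-snat-map
    ```

    Re-run the flow trace after the change; the SNAT line should now show the outbound interface address for 10.0.0.50, and the inbound VIP policy keeps working because nat-source-vip only affects the host's outbound direction.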
    Retro
    New Member
    March 19, 2018

    What does the VIP do for the inbound traffic?

    Have you tried to create an outbound policy just for the single source and put it highest in the sequence? If so, what happens?

    Can you post a debug output?