Redirect VIP to Internet with Central NAT
Hey All,
I am having an issue with setting up VIPs to redirect incoming traffic on a FortiGate with Central NAT enabled to a remote public IP.
A few months back, I had a need to change existing VIPs that mapped from public to private, so that the new mapped IP was another public IP that is not ours. I found this article, and it all worked nice and smooth from testing to deployment in production. This was on a 200F at 7.2.8 without Central NAT. The one strange thing is that I don't get any hits on the Policy Routes.
Now, I have to configure the same thing on two more FortiGates, both also at 7.2.8 - one is a 200F without Central NAT and the other is a 100E with Central NAT enabled. I'm having an issue with the 100E. There is a Central NAT policy that says any>internet / src all | dest all / NAT as outgoing interface. There are three other policies that should not be affecting my traffic as they have defined interfaces and addresses that are not involved with this. The 100E has four WAN connections, zoned as "Internet".
I should mention that we are not changing the existing VIPs until we have been able to test the IP forwarding, which is where we are now.
- I created 28 new test VIPs using different public IPs with our test IP as the "Mapped From" and the remote public IP as the "Mapped To" and all ports defined appropriately (some translated). Note that we needed that many VIPs because some of these services need multiple ports.
- I created four new Firewall Policies (there are four services involved) to allow the traffic to the remote IPs over the appropriate ports (the translated-to ports, where needed).
- I created Policy Routes to direct the traffic back out on the same interface that it came in.
Only 6 of the VIPs worked, and all were matching one of the Firewall Policies. I think I found the reason that 2 of them did not work. They applied to the same Firewall Policy as the 6 that did work, but I realized that with Central NAT, the order of the VIPs matters and found a VIP with the same IP and no ports defined above the more specific new test VIP with ports defined. I moved the less specific VIP down to the bottom and will test again this afternoon when we have another testing session planned.
For the other 20 test VIPs though, there are no conflicting less specific VIPs that could be the cause. When I view the Forward Traffic log and filter by the dest or src IPs, I do not see any traffic being denied or accepted. I do plan to run a packet capture to see if the IPs and Ports are being hit.
Here are some questions that I have:
- If I see traffic coming to the correct IP and Port in the packet capture, but do not see traffic in the Forwarding Log, does that indicate a problem with the VIP, or with the Policy?
- Does the ingress/egress packet flow change with Central NAT? I do know that without Central NAT, VIP processing occurs before firewall policies are evaluated, followed by routing.
- Is there anything else I should be zeroing in on to figure this out?
Thank you all for any guidance you can provide!
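An added example (not part of the original post and not from Fortinet documentation) of what the VIP and policy-route steps above look like in the FortiOS 7.2 CLI, followed by the debug flow trace that tells a VIP miss apart from a policy deny. All values are constructed: 203.0.113.10 is the test "Mapped From" IP, 198.51.100.20 the remote "Mapped To" IP, wan1 an ingress member of the "Internet" zone with 203.0.113.1 as its next hop, and the VIP and policy-route names are placeholders.

```fortios
# Constructed values: 203.0.113.10 = our test public IP ("Mapped From"),
# 198.51.100.20 = remote public IP ("Mapped To"), wan1 = ingress member of
# the "Internet" zone, 203.0.113.1 = wan1 next hop.

# Step 1: port-forwarding VIP. With central NAT enabled the VIP table is
# matched top-down, so this entry must sit above any broader VIP on the same
# extip that has no ports defined; otherwise the broader VIP wins.
config firewall vip
    edit "test-svc1-443"
        set extip 203.0.113.10
        set mappedip "198.51.100.20"
        set extintf "any"
        set portforward enable
        set protocol tcp
        set extport 443
        set mappedport 8443
    next
    # push a pre-existing catch-all VIP on the same IP below the specific one
    move "catchall-vip-203-0-113-10" after "test-svc1-443"
end

# Step 3: policy route so the DNAT'd flow leaves on the interface it came in
# on rather than following the default route / SD-WAN selection.
config router policy
    edit 10
        set input-device "wan1"
        set dst "198.51.100.20/32"
        set protocol 6
        set start-port 8443
        set end-port 8443
        set output-device "wan1"
        set gateway 203.0.113.1
    next
end

# Check: trace one test connection through the kernel. A matching VIP prints
# a "find DNAT" / "DNAT 203.0.113.10:443->198.51.100.20:8443" line before the
# policy lookup. No DNAT line = the VIP did not match (ordering or ports);
# DNAT line followed by "Denied by forward policy check" = firewall policy.
# Implicit-deny drops are only written to the Forward Traffic log when the
# implicit deny policy has logging enabled, so the trace is more reliable.
diagnose debug reset
diagnose debug flow filter clear
diagnose debug flow filter daddr 203.0.113.10
diagnose debug flow filter dport 443
diagnose debug flow show function-name enable
diagnose debug flow trace start 20
diagnose debug enable
```

Run `diagnose debug disable` and `diagnose debug reset` when finished so the trace does not keep consuming CPU on the 100E.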
