VIP NAT Not Working

Forum|Forum|9 years ago
July 24, 2016
1 reply
10034 views

Hello Everyone,

I'm new to the Fortigate 300c HA but slowly getting the hang of it.

I have a Internal Network connected to the Fortigate via GRE/BGP. The webserver (10.0.0.2) can ping the Fortigates GRE IP (172.0.0.2) and the Fortigate can ping the webserver.

I have routed internet traffic to go via the Fortigate to the internet. I want the private IP (10.x.x.x) address to turn into a public IP (168.x.x.2) and visa versa but it doesn't work.

The VIP configuration is:

config firewall vip edit "Test" set uuid e76358ee-5067-51e6-fbfa-27942f3c0371 set extip 168.x.x.2 set extintf "any" set nat-source-vip enable set mappedip "10.0.0.2" next end

The Firewall configuration is:

config firewall policy edit 6 set uuid 42cc3654-4fb1-51e6-5ffd-bcf47c310aa6 set srcintf "any" set dstintf "any" set srcaddr "all" set dstaddr "all" set action accept set schedule "always" set service "ALL" set logtraffic all next end

I did a flow debug before and saw that the ping is going, Server -> GW -> Firewall -> Internet but it doesn't apply the NAT and the packet stays as 10.0.0.2

If I turn on NAT Masquerade it works but with the Firewall IP not the VIP IP.

Any help is greatly appreciated.

Regards,

Anthony

Nils

New Member

VIP is Destination NAT.

To use source NAT use IP-Pool in the policy.

Create a IP-Pool object with the desired IP address and use it in the policy for Source NAT.

ede_pfau

SuperUser

hi,

and welcome to the forums.

Nilsan is of course correct, you will want to change the (private) source address to a public one. And source NAT is done with 'IP pools' in FortiOS.

Apparently, you have more than one public IP address, otherwise you could just use the FGT's WAN IP by checking "static NAT" in the outgoing policy.

Actually, you were very close. If you use a VIP for destination NAT, traffic originating from the mapped-to server is source NATted automatically as a convenience. You only missed to actually use the VIP in the policy - as the destination address. It doesn't suffice to define a VIP, you have to 'activate' it by using it in a policy. But source NAT still is the way to go here.

As a good advice, please try to not use 'any' as an interface. Traffic flow is very obscure then, debugging can be a nightmare. There are very rare circumstances which merit this construct IMHO. Try to be as specific as you can with interfaces and addresses, this will make control much more predictable. Same applies to a VIP definition - usually you know which interface traffic is supposed to come in.

Anton2079Author

New Member

Hello Nilsan and Ede,

Thank you for your help. It has fixed both problems!

Regards,

Anthony Wales

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded