FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
nvisentin_FTNT
Description
The use of VIP addresses is usually done to map external (public) to internal (private) IP addresses for Destination NAT (DNAT).

VIP is also used for outbound traffic translation with a static one to one mapping from internal to external IP (SNAT).

This article describes the proper configuration with multiple VIP mapped to the same internal IP.  In this article Firewall policies are configured with source and destination interfaces “any”.  Therefore VIPs are configured with external interface “any”.  In such context, the FortiGate may apply the wrong VIP for SNAT resulting in connectivity issue.

Solution
Diagram
nvisentin_FD37406_tn_FD37406-1.jpg

Required behavior and potential issue

Traffic toward Internet: Associate internal IP with the external IP of the VIP-172.31.17.238.

Traffic toward VM26: Associate a fix mapping of internal IP to external IP of the VIP-1.1.1.0-24.
Source IP | Destination IP | Translated IP
172.30.30.2   Internet        172.31.17.238
172.30.30.2   160.0.0.0/8     1.1.1.2
172.30.30.3   160.0.0.0/8     1.1.1.3
(…)
172.30.30.254 160.0.0.0/8     1.1.1.254
In the case of mis-configuration the following could occur:
FGT # get sys session list
PROTO   EXPIRE SOURCE           SOURCE-NAT       DESTINATION      DESTINATION-NAT
icmp    7      172.30.30.2:4238 1.1.1.2:4238     160.0.0.1:8
icmp    59     172.30.30.2:4247 1.1.1.2:4247     8.8.8.8:8 

Traffic going to 160.0.0.1 is translated with 1.1.1.2 as expected.

Traffic going to Internet (8.8.8.8) is also translated with 1.1.1.2 which is not expected and causes Internet connectivity issue.

Configuration (relevant parts)

VIP : srcintf-filter must be set to the proper external interface to prevent the issue.
config firewall vip
    edit "VIP-1.1.1.0-24"
        set uuid 51944978-6e67-51e5-8e57-a7ead026b0d2
        set extip 1.1.1.0-1.1.1.255
        set extintf "any"
        set srcintf-filter "port3"
        set mappedip "172.30.30.0-172.30.30.255"
    next
    edit "VIP-172.31.17.238"
        set uuid 7f8a86f8-6e67-51e5-e59b-a97f9ae1973c
        set extip 172.31.17.238
        set extintf "any"
        set srcintf-filter "port4"
        set mappedip "172.30.30.2"
    next
end

Firewall policies
config firewall policy
    edit 6
        set uuid 063d0846-6b5d-51e5-8435-10c0987913cc
        set srcintf "any"
        set dstintf "any"
        set srcaddr "160.0.0.0-8"
        set dstaddr "VIP-1.1.1.0-24"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 5
        set uuid 3e27056a-6b47-51e5-9ba9-085cbfb0c040
        set srcintf "any"
        set dstintf "any"
        set srcaddr "172.30.30.0-24"
        set dstaddr "160.0.0.0-8"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
    edit 7
        set uuid a16c054e-6e67-51e5-3bf4-19b25c3782be
        set srcintf "any"
        set dstintf "any"
        set srcaddr "all"
        set dstaddr "VIP-172.31.17.238"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 4
        set uuid 117535a0-6e67-51e5-7705-3cfb33050c2b
        set srcintf "any"
        set dstintf "any"
        set srcaddr "172.30.30.0-24"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end

Verification

The translation can be verified in the session table:
FGT # get sys session list
PROTO   EXPIRE SOURCE           SOURCE-NAT       DESTINATION      DESTINATION-NAT
icmp    59     172.30.30.2:4284 1.1.1.2:4284     160.0.0.1:8      -
icmp    45     172.30.30.2:4283 172.31.17.238:4283 8.8.8.8:8        -

Traffic going to 160.0.0.1 is translated with 1.1.1.2 as expected.

Traffic going to Internet (8.8.8.8) is translated with 172.31.17.238 as expected.

Related Articles

Technical Tip: Using VIP range for SNAT and static 1-to-1 mapping from internal to external IP addre...

Contributors