Description
The use of VIP addresses is usually done to map external (public) to internal (private) IP addresses for Destination NAT (DNAT).
VIP is also used for outbound traffic translation with a static one to one mapping from internal to external IP (SNAT).
This article describes the proper configuration when multiple VIPs are mapped to the same internal IP. In this article the firewall policies are configured with source and destination interfaces "any", so the VIPs are configured with external interface "any" as well. In that context the FortiGate may apply the wrong VIP for SNAT, resulting in connectivity issues.
Solution
Diagram

Required behavior and potential issue
Traffic toward Internet: Associate internal IP with the external IP of the VIP-172.31.17.238.
Traffic toward VM26: Associate a fixed mapping of internal IP to external IP of the VIP-1.1.1.0-24.

Source IP | Destination IP | Translated IP
172.30.30.2 | Internet | 172.31.17.238
172.30.30.2 | 160.0.0.0/8 | 1.1.1.2
172.30.30.3 | 160.0.0.0/8 | 1.1.1.3
(…)
172.30.30.254 | 160.0.0.0/8 | 1.1.1.254

In the case of misconfiguration the following could occur:
FGT # get sys session list
PROTO EXPIRE SOURCE SOURCE-NAT DESTINATION DESTINATION-NAT
icmp 7 172.30.30.2:4238 1.1.1.2:4238 160.0.0.1:8
icmp 59 172.30.30.2:4247 1.1.1.2:4247 8.8.8.8:8
Traffic going to 160.0.0.1 is translated to 1.1.1.2, as expected.
Traffic going to the Internet (8.8.8.8) is also translated to 1.1.1.2, which is not expected and causes the Internet connectivity issue: the return traffic for 1.1.1.2 is not routed back to the FortiGate's Internet-facing address.
Configuration (relevant parts)
VIP: srcintf-filter must be set to the proper external interface on each VIP to prevent the issue.
config firewall vip
    edit "VIP-1.1.1.0-24"
        set uuid 51944978-6e67-51e5-8e57-a7ead026b0d2
        set extip 1.1.1.0-1.1.1.255
        set extintf "any"
        set srcintf-filter "port3"
        set mappedip "172.30.30.0-172.30.30.255"
    next
    edit "VIP-172.31.17.238"
        set uuid 7f8a86f8-6e67-51e5-e59b-a97f9ae1973c
        set extip 172.31.17.238
        set extintf "any"
        set srcintf-filter "port4"
        set mappedip "172.30.30.2"
    next
end
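To make the effect of srcintf-filter concrete, the following Python script is an added example (not part of the article and not FortiGate code) that models VIP selection for outbound SNAT in a simplified way: the first VIP whose mappedip range contains the source address and whose srcintf-filter is empty or names the egress interface supplies the translated address, offset one-to-one inside the extip range; with no matching VIP the egress interface address is used. The routing table (160.0.0.0/8 via port3, default via port4), the interface addresses, and the "first match wins" ordering are assumptions chosen to reproduce the behaviour shown in the session tables above.

```python
"""Simplified model of how an outbound flow picks a VIP for SNAT (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Vip:
    name: str
    extip: str                             # "1.1.1.0-1.1.1.255" or a single address
    mappedip: str                          # same shape as extip
    srcintf_filter: Tuple[str, ...] = ()   # empty tuple models "no filter" (any)


def _parse_range(spec: str) -> Tuple[ipaddress.IPv4Address, ipaddress.IPv4Address]:
    """Turn "a.b.c.d" or "a.b.c.d-e.f.g.h" into an inclusive (low, high) pair."""
    lo_s, _, hi_s = spec.partition("-")
    lo = ipaddress.IPv4Address(lo_s)
    hi = ipaddress.IPv4Address(hi_s) if hi_s else lo
    return lo, hi


# Constructed routing table matching the diagram: the 160.0.0.0/8 network (VM26)
# is reached via port3, everything else via port4 (Internet). The interface
# names and addresses are assumptions, not values from the article.
ROUTES = [
    (ipaddress.IPv4Network("160.0.0.0/8"), "port3"),
    (ipaddress.IPv4Network("0.0.0.0/0"), "port4"),
]
INTERFACE_IP = {"port3": "1.1.1.1", "port4": "172.31.17.1"}


def egress_interface(dst_ip: str) -> str:
    """Longest-prefix lookup over ROUTES (most specific entry listed first)."""
    dst = ipaddress.IPv4Address(dst_ip)
    for net, intf in ROUTES:
        if dst in net:
            return intf
    raise ValueError("no route for %s" % dst_ip)


def snat_address(vips, src_ip: str, dst_ip: str) -> Tuple[Optional[str], str]:
    """Return (vip name or None, translated source) for a NAT-enabled policy."""
    src = ipaddress.IPv4Address(src_ip)
    egress = egress_interface(dst_ip)
    for vip in vips:
        m_lo, m_hi = _parse_range(vip.mappedip)
        e_lo, e_hi = _parse_range(vip.extip)
        if not (m_lo <= src <= m_hi):
            continue                       # source is not behind this VIP
        if vip.srcintf_filter and egress not in vip.srcintf_filter:
            continue                       # filter excludes this interface
        translated = e_lo + (int(src) - int(m_lo))   # static one-to-one offset
        if translated > e_hi:
            continue                       # ranges do not line up
        return vip.name, str(translated)
    return None, INTERFACE_IP[egress]      # plain interface SNAT


# The two VIPs from the article without srcintf-filter (the misconfiguration) ...
MISCONFIGURED = (
    Vip("VIP-1.1.1.0-24", "1.1.1.0-1.1.1.255", "172.30.30.0-172.30.30.255"),
    Vip("VIP-172.31.17.238", "172.31.17.238", "172.30.30.2"),
)
# ... and with the filters set as in the article's configuration.
FIXED = (
    Vip("VIP-1.1.1.0-24", "1.1.1.0-1.1.1.255", "172.30.30.0-172.30.30.255", ("port3",)),
    Vip("VIP-172.31.17.238", "172.31.17.238", "172.30.30.2", ("port4",)),
)

if __name__ == "__main__":
    for label, vips in (("misconfigured", MISCONFIGURED), ("fixed", FIXED)):
        for dst in ("160.0.0.1", "8.8.8.8"):
            print(label, "172.30.30.2 ->", dst, snat_address(vips, "172.30.30.2", dst))
```

Without the filter both VIPs match the flow to 8.8.8.8 and the first one wins, giving 1.1.1.2 as in the faulty session table; with srcintf-filter set, the flow leaving port4 can only use VIP-172.31.17.238, and a host such as 172.30.30.3 that has no Internet VIP falls back to the interface address under policy 4.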
Firewall policies
config firewall policy
    edit 6
        set uuid 063d0846-6b5d-51e5-8435-10c0987913cc
        set srcintf "any"
        set dstintf "any"
        set srcaddr "160.0.0.0-8"
        set dstaddr "VIP-1.1.1.0-24"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 5
        set uuid 3e27056a-6b47-51e5-9ba9-085cbfb0c040
        set srcintf "any"
        set dstintf "any"
        set srcaddr "172.30.30.0-24"
        set dstaddr "160.0.0.0-8"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
    edit 7
        set uuid a16c054e-6e67-51e5-3bf4-19b25c3782be
        set srcintf "any"
        set dstintf "any"
        set srcaddr "all"
        set dstaddr "VIP-172.31.17.238"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 4
        set uuid 117535a0-6e67-51e5-7705-3cfb33050c2b
        set srcintf "any"
        set dstintf "any"
        set srcaddr "172.30.30.0-24"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end
Verification
The translation can be verified in the session table:
FGT # get sys session list
PROTO EXPIRE SOURCE SOURCE-NAT DESTINATION DESTINATION-NAT
icmp 59 172.30.30.2:4284 1.1.1.2:4284 160.0.0.1:8 -
icmp 45 172.30.30.2:4283 172.31.17.238:4283 8.8.8.8:8 -
Traffic going to 160.0.0.1 is translated to 1.1.1.2, as expected.
Traffic going to the Internet (8.8.8.8) is translated to 172.31.17.238, as expected.