Description | This article describes two case studies in which central NAT is used to explicitly disable NAT. For the same zone, with the same VIP rule, security policy and central SNAT policy (NAT disabled), the two case studies produce two different results.
Scope | FortiGate. |
Solution |
Case study 1: the traffic is described with the following parameters:
Src 192.168.184.10 (vlan TRANSFER_VLAN1, zone TRANSFER) -> Dst 1.1.1.1, which the DNAT (VIP) policy maps to 192.168.185.10 (vlan TRANSFER_VLAN2, zone TRANSFER)
Case study 2: the traffic is described with the following parameters:
Src 192.168.183.10 (vlan TRANSFER_VLAN2, zone TRANSFER) -> Dst 1.1.1.1, which the DNAT (VIP) policy maps to 192.168.185.10 (vlan TRANSFER_VLAN2, zone TRANSFER)
Related configuration for both case studies (the VIP, the central SNAT policy with NAT disabled, and the security policy):
config firewall vip
    edit "DNAT-VIP"
        set extip 1.1.1.1
        set mappedip "192.168.185.10"
        set arp-reply disable
    next
end
config firewall central-snat-map
    edit 52
        set srcintf "TRANSFER"
        set dstintf "TRANSFER"
        set orig-addr "all"
        set dst-addr "all"
        set nat disable
    next
end
config firewall security-policy
    edit 59
        set srcintf "TRANSFER"
        set dstintf "TRANSFER"
        set srcaddr "all"
        set dstaddr "all"
        set service "ALL"
        set action accept
        set schedule "always"
    next
end
The debug flow for case study 1:
trace_id=2 func=print_pkt_detail line=5824 msg="vd-PRODUCTION:0 received a packet(proto=1, 192.168.184.10:1->1.1.1.1:2048) tun_id=0.0.0.0 from TRANSFER_VLAN1. type=8, code=0, id=1, seq=858."
trace_id=2 func=get_new_addr line=1205 msg="find DNAT: IP-192.168.185.10, port-0(fixed port)"
trace_id=2 func=__iprope_check_one_dnat_policy line=5231 msg="matched policy-198, act=accept, vip=198, flag=104, sflag=2000000"
trace_id=2 func=iprope_fwd_check line=766 msg="in-[TRANSFER_VLAN1], out-[TRANSFER_VLAN2], skb_flags-020000c0, vid-198, app_id: 24466, url_cat_id: 0"
trace_id=2 func=__iprope_check_one_policy line=2243 msg="policy-3 is matched, act-accept"
trace_id=2 func=iprope_central_nat_check line=1307 msg="in-[TRANSFER_VLAN1], out-[TRANSFER_VLAN2], skb_flags-020000c0, vid-198"
trace_id=2 func=__iprope_check_one_policy line=2243 msg="policy-52 is matched, act-accept"
trace_id=2 func=fw_snat_check line=673 msg="NAT disabled by central SNAT policy!"
From the session list:
orgin->sink: org pre->post, reply pre->post dev=22->21/21->22 gwy=192.168.255.3/0.0.0.0
hook=pre dir=org act=dnat 192.168.184.10:1->1.1.1.1:8(192.168.185.10:1)
hook=post dir=reply act=snat 192.168.185.10:1->192.168.184.10:0(1.1.1.1:1)
hook=post dir=org act=noop 192.168.184.10:1->192.168.185.10:8(0.0.0.0:0)
misc=0 policy_id=3 pol_uuid_idx=1105 auth_info=0 chk_client_info=0 vd=1
The debug flow for case study 2:
trace_id=155 func=print_pkt_detail line=5824 msg="vd-PRODUCTION:0 received a packet(proto=1, 192.168.183.10:1->1.1.1.1:2048) tun_id=0.0.0.0 from TRANSFER_VLAN2. type=8, code=0, id=1, seq=522."
trace_id=155 func=get_new_addr line=1205 msg="find DNAT: IP-192.168.185.10, port-0(fixed port)"
trace_id=155 func=__iprope_check_one_dnat_policy line=5231 msg="matched policy-198, act=accept, vip=198, flag=104, sflag=2000000"
trace_id=155 func=iprope_fwd_check line=766 msg="in-[TRANSFER_VLAN2], out-[TRANSFER_VLAN2], skb_flags-020000c0, vid-198, app_id: 24466, url_cat_id: 0"
trace_id=155 func=__iprope_check_one_policy line=2243 msg="policy-3 is matched, act-accept"
trace_id=155 func=iprope_reverse_dnat_check line=1284 msg="in-[TRANSFER_VLAN2], out-[TRANSFER_VLAN2], skb_flags-020000c0, vid-198"
trace_id=155 func=__iprope_check_one_policy line=2243 msg="policy-52 is matched, act-accept"
trace_id=155 func=fw_snat_check line=673 msg="NAT disabled by central SNAT policy!"
trace_id=155 func=fw_strict_dirty_session_check line=287 msg="SNAT mismatch policy 3 (old nat 1 ! = new nat 0), drop"
From the session list:
orgin->sink: org pre->post, reply pre->post dev=21->21/21->21 gwy=192.168.255.3/0.0.0.0
hook=pre dir=org act=dnat 192.168.183.10:1->1.1.1.1:8(192.168.185.10:1)
hook=post dir=org act=snat 192.168.183.10:1->192.168.185.10:8(192.168.255.1:60418)
hook=pre dir=reply act=dnat 192.168.185.10:60418->192.168.255.1:0(192.168.183.10:1)
hook=post dir=reply act=snat 192.168.185.10:1->192.168.183.10:0(1.1.1.1:1)
In case study 2, note the extra line:
trace_id=155 func=fw_strict_dirty_session_check line=287 msg="SNAT mismatch policy 3 (old nat 1 ! = new nat 0), drop"
The traffic is processed with SNAT (the session list shows act=snat to 192.168.255.1:60418) even though central SNAT policy 52 disables NAT.
The solution:
Because the traffic enters and leaves on the same VLAN interface (TRANSFER_VLAN2 -> TRANSFER_VLAN2), it is treated as hairpin NAT. When traffic enters and leaves the FortiGate through the same interface, the FortiGate automatically performs SNAT, regardless of what is configured in the NAT policies. TRANSFER_VLAN2 belongs to the zone TRANSFER; in case study 1, central SNAT policy 52 works as expected because the traffic arrives on interface TRANSFER_VLAN1 and leaves on interface TRANSFER_VLAN2, even though the SNAT rule is defined from source zone TRANSFER to destination zone TRANSFER.
To fix this issue, disable the automatic SNAT of hairpin traffic with the following command:
config system settings
    set snat-hairpin-traffic disable
end
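As an added example (not part of the article or of any Fortinet tool), the following Python parses debug flow output like the two traces above, groups the lines by trace_id, and flags the condition the article describes: the packet enters and leaves on the same interface while the central SNAT policy reports NAT disabled, and the strict dirty-session check drops it. The sample lines are constructed from the article's two traces.

```python
import re

# Constructed sample input: the lines from the article's two debug flows that
# this check needs (the full traces are longer; only the relevant ones are kept).
TRACE_CASE1 = [
    'trace_id=2 func=iprope_fwd_check line=766 msg="in-[TRANSFER_VLAN1], out-[TRANSFER_VLAN2], skb_flags-020000c0, vid-198"',
    'trace_id=2 func=fw_snat_check line=673 msg="NAT disabled by central SNAT policy!"',
]
TRACE_CASE2 = [
    'trace_id=155 func=iprope_fwd_check line=766 msg="in-[TRANSFER_VLAN2], out-[TRANSFER_VLAN2], skb_flags-020000c0, vid-198"',
    'trace_id=155 func=fw_snat_check line=673 msg="NAT disabled by central SNAT policy!"',
    'trace_id=155 func=fw_strict_dirty_session_check line=287 msg="SNAT mismatch policy 3 (old nat 1 ! = new nat 0), drop"',
]

LINE_RE = re.compile(r'trace_id=(\d+)\s+func=(\S+)\s+line=\d+\s+msg="(.*)"')
IFACE_RE = re.compile(r'in-\[([^\]]+)\],\s*out-\[([^\]]+)\]')
MISMATCH_RE = re.compile(r'SNAT mismatch policy (\d+) \(old nat (\d+)\s*!\s*=\s*new nat (\d+)\), drop')


def analyze_trace(lines):
    """Group debug-flow lines by trace_id and report, per trace, whether the
    packet was hairpinned (same in/out interface), whether central SNAT said
    NAT was disabled, and whether the strict dirty-session check dropped it."""
    traces = {}
    for line in lines:
        m = LINE_RE.search(line.strip())
        if not m:
            continue  # not a debug-flow line (e.g. session-list output)
        tid, func, msg = m.groups()
        t = traces.setdefault(tid, {"in": None, "out": None,
                                    "central_nat_disabled": False, "dropped_policy": None})
        if func == "iprope_fwd_check":
            im = IFACE_RE.search(msg)
            if im:
                t["in"], t["out"] = im.groups()
        elif func == "fw_snat_check" and "NAT disabled by central SNAT policy" in msg:
            t["central_nat_disabled"] = True
        elif func == "fw_strict_dirty_session_check":
            mm = MISMATCH_RE.search(msg)
            if mm:
                t["dropped_policy"] = int(mm.group(1))
    for t in traces.values():
        t["hairpin"] = t["in"] is not None and t["in"] == t["out"]
        # The conflict the article describes: hairpin traffic is SNATed by the
        # FortiGate even though the central SNAT policy disabled NAT.
        t["hairpin_snat_conflict"] = t["hairpin"] and t["central_nat_disabled"]
    return traces
```

A trace with hairpin_snat_conflict set is the case where snat-hairpin-traffic needs to be disabled; a non-hairpin trace such as case study 1 is left alone.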
Copyright 2024 Fortinet, Inc. All Rights Reserved.