FortiGate
Anthony_E
Community Manager
Article Id 198209

Description

 

This article describes how to achieve the two tasks below for SNAT and DNAT without making any changes on the other vendor's firewall at the remote end.

Task 1.

User A (10.200.10.86), behind the FortiGate firewall, should be able to ping the dummy IP 10.10.10.1 instead of the remote IP 10.210.10.84 defined in the FortiGate phase 2 selector.

Task 2.

User B (10.210.10.84), behind the vendor firewall, should be source-NATed to the dummy IP 10.10.10.1 when reaching the remote IP 10.200.10.86 defined in the vendor firewall's phase 2 selector.

Note.
The requirement is to achieve tasks 1 and 2 above without making any NAT changes on the vendor's firewall.

 

Scope

 

FortiGate.

Solution


Diagram.

Topology:

User A: 10.200.10.86 -> FortiGate Firewall -> IPSEC S2S tunnel -> Other vendor firewall -> User B: 10.210.10.84.

Topology Diagram:


  
  • On the vendor firewall, create the in-to-out and out-to-in traffic policies without any DNAT or SNAT changes.

  • All DNAT and SNAT changes are made and applied on the FortiGate firewall only.

  • On the FortiGate firewall, configure the policies as follows.
 
Task 1.
 
  1. Configure a VIP (DNAT object) with the dummy IP 10.10.10.1 as the external IP and the remote selector IP 10.210.10.84 defined on the FortiGate as the mapped (internal) IP.

  2. Apply this VIP object in the in-to-out policy for FortiGate to vendor firewall traffic.

Configuring the VIP (DNAT object) using the CLI:

 

config firewall vip

(vip) edit "VIP"

(VIP) # show
config firewall vip
    edit "VIP"
        set uuid 16c5aa6e-0a7c-51ec-eeb6-e4b6871de7a7
        set extip 10.10.10.1
        set mappedip "10.210.10.84"
        set extintf "any"
        set nat-source-vip enable
    next
end

Meaning of 'set nat-source-vip enable': the VIP's external IP is used as the SNAT address instead of an IP pool. The behavior is the same as when the physical interface IP address, rather than an IP pool, is used for SNAT.

Configuring the VIP (DNAT object) using the GUI:

Note.
The 'set nat-source-vip enable' option is available only from the CLI.

 
 
  1. Now apply the VIP object in the in-to-out policy for FortiGate to vendor firewall traffic.

Applying the VIP object named 'VIP' in the in-to-out policy on the FortiGate using the CLI:
 
config firewall policy

(policy) edit 2

show
config firewall policy

    edit 2
        set status enable
        set name "vpn_AZ_local_0"
        set uuid 7cf624d0-0a68-51ec-9c8a-490ad31527b0
        set srcintf "port3"
        set dstintf "AZ"
        set srcaddr "AZ_local"
        set dstaddr "VIP"                           <----- The VIP object named 'VIP' is referenced as the destination for FortiGate to vendor firewall in-to-out traffic.
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set comments "VPN: AZ"
    next
end
 
Applying the VIP object named 'VIP' in the in-to-out policy on the FortiGate using the GUI:
 
 
 
Note:
The route for the IPsec tunnel must be configured for the remote site's internal (mapped) IP address. No route is required for the VIP's external IP address.
 
Task 2.
 
  1. Configure static NAT (SNAT) as an IP pool with the dummy IP 10.10.10.1 as the external IP and 10.210.10.84, the IP defined in the IPsec phase 2 selector, as the internal IP.
  2. Apply this SNAT IP pool in the out-to-in policy between the FortiGate and the vendor firewall.

Configuring static NAT (SNAT) with external IP 10.10.10.1 (dummy IP) and internal IP 10.210.10.84 using the CLI:

config firewall ippool

(ippool) edit "SNAT"

(SNAT) # show
config firewall ippool
    edit "SNAT"
        set type fixed-port-range
        set startip 10.10.10.1
        set endip 10.10.10.1
        set source-startip 10.210.10.84
        set source-endip 10.210.10.84
    next
end

 

Configuring static NAT (SNAT) with external IP 10.10.10.1 (dummy IP) and internal IP 10.210.10.84 using the GUI:

 
 
 
 
Applying the SNAT IP pool named 'SNAT' in the out-to-in policy between the FortiGate and the vendor firewall using the CLI:
 
config firewall policy

(policy) edit 3

show
config firewall policy

    edit 3
        set name "vpn_AZ_remote_0"
        set uuid 7d0bcbb4-0a68-51ec-10c4-400bed779369
        set srcintf "AZ"
        set dstintf "port3"
        set srcaddr "AZ_remote"
        set dstaddr "AZ_local"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set nat enable
        set ippool enable
        set poolname "SNAT"
        set comments "VPN: AZ"
    next
end
 
Applying the SNAT IP pool named 'SNAT' in the out-to-in policy between the FortiGate and the vendor firewall using the GUI:
 
 
Logs.
Run the flow trace below to check whether the traffic leaves through the in-to-out policy (here the policy ID is 2 and the FortiGate WAN interface is port1).

diagnose debug flow filter saddr 10.200.10.86
diagnose debug flow filter proto 1
diagnose debug flow show iprope enable
diagnose debug flow show function-name enable
diagnose debug flow trace start 1000
diagnose debug enable
 

Output.
LOGIC: step-by-step traffic flow for the Task 1 solution.

 

  1. When User A (10.200.10.86), behind the FortiGate firewall, pings the dummy IP 10.10.10.1 instead of the actual remote IP 10.210.10.84 from the phase 2 selector subnet, the traffic first hits port3 (the FortiGate LAN interface) and a new session is allocated.

    id=20085 trace_id=61 func=print_pkt_detail line=5723 msg="vd-root:0 received a packet(proto=1, 10.200.10.86:1->10.10.10.1:2048) from port3. type=8, code=0, id=1, seq=41."
    id=20085 trace_id=61 func=init_ip_session_common line=5894 msg="allocate a new session-000d2315"

  2. DNAT is then applied:

    id=20085 trace_id=61 func=__ip_session_run_tuple line=3503 msg="DNAT 10.10.10.1: 8->10.210.10.84:1"

  3. A route to the actual destination IP 10.210.10.84 is found through the tunnel interface 'AZ'.

    id=20085 trace_id=61 func=vf_ip_route_input_common line=2621 msg="find a route: flag=04000000 gw-10.5.20.70 via AZ"

  4. The traffic is matched by policy ID 2.

    id=20085 trace_id=61 func=__iprope_check_one_policy line=2159 msg="policy-2 is matched, act-accept"

  5. The encrypted traffic is sent out of the FortiGate WAN interface port1.

    id=20085 trace_id=61 func=ipsec_output_finish line=629 msg="send to 10.5.20.70 via intf-port1"

LOGIC: step-by-step traffic flow for the Task 2 solution.

diagnose debug flow filter saddr 10.210.10.84
diagnose debug flow filter proto 1
diagnose debug flow show iprope enable
diagnose debug flow show function-name enable
diagnose debug flow trace start 1000
diagnose debug enable
 
  1. When User B (10.210.10.84), behind the vendor firewall, pings User A (10.200.10.86), the source is translated to the dummy IP 10.10.10.1, so User A receives the ping request from 10.10.10.1 instead of User B's actual IP. The traffic first hits the tunnel interface AZ (the FortiGate tunnel interface) and a new session is allocated.

    id=20085 trace_id=57 func=print_pkt_detail line=5723 msg="vd-root:0 received a packet(proto=1, 10.210.10.84:1->10.200.10.86:2048) from AZ. type=8, code=0, id=1, seq=70."
    id=20085 trace_id=57 func=init_ip_session_common line=5894 msg="allocate a new session-000ca471"

  2. A routing lookup for destination IP 10.200.10.86 finds a route via port3, the FortiGate LAN interface.

    id=20085 trace_id=57 func=vf_ip_route_input_common line=2621 msg="find a route: flag=00000000 gw-10.200.10.86 via port3"

  3. The traffic is allowed by policy ID 3.

    id=20085 trace_id=57 func=__iprope_check_one_policy line=1941 msg="checked gnum-100004 policy-3, ret-matched, act-accept"

  4. SNAT is applied to User B's source IP from the IP pool 'SNAT':

    id=20085 trace_id=57 func=get_new_addr line=1132 msg="find SNAT: IP-10.10.10.1(from IPPOOL:SNAT)"

    id=20085 trace_id=57 func=__ip_session_run_tuple line=3489 msg="SNAT 10.210.10.84->10.10.10.1:1"

  5. The traffic is now sent out of FortiGate port3 (the LAN port) to User A:

    id=20085 trace_id=57 func=ipd_post_route_handler line=490 msg="out port3 vwl_zone_id 0, state2 0x1, quality 0."
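As an added example (not from the article or from Fortinet), a small Python checker that parses 'diagnose debug flow' trace lines like those above and confirms that each session shows the expected ingress interface, DNAT/SNAT translation and accepting policy for the Task 1 and Task 2 flows. The sample lines are the ones quoted in this article; the mapping of trace_id 61 to Task 1 and trace_id 57 to Task 2 is taken from them.

```python
import re
from collections import defaultdict

# Constructed sample: the ingress, NAT and policy lines quoted in this article (trace 61 = Task 1, trace 57 = Task 2).
SAMPLE_TRACE = """\
id=20085 trace_id=61 func=print_pkt_detail line=5723 msg="vd-root:0 received a packet(proto=1, 10.200.10.86:1->10.10.10.1:2048) from port3. type=8, code=0, id=1, seq=41."
id=20085 trace_id=61 func=__ip_session_run_tuple line=3503 msg="DNAT 10.10.10.1: 8->10.210.10.84:1"
id=20085 trace_id=61 func=__iprope_check_one_policy line=2159 msg="policy-2 is matched, act-accept"
id=20085 trace_id=57 func=print_pkt_detail line=5723 msg="vd-root:0 received a packet(proto=1, 10.210.10.84:1->10.200.10.86:2048) from AZ. type=8, code=0, id=1, seq=70."
id=20085 trace_id=57 func=__iprope_check_one_policy line=1941 msg="checked gnum-100004 policy-3, ret-matched, act-accept"
id=20085 trace_id=57 func=__ip_session_run_tuple line=3489 msg="SNAT 10.210.10.84->10.10.10.1:1"
"""

LINE_RE = re.compile(r'trace_id=(\d+) func=(\S+) .*?msg="(.*)"$')
NAT_RE = re.compile(r'^(DNAT|SNAT) (\d+\.\d+\.\d+\.\d+)[^>]*->(\d+\.\d+\.\d+\.\d+)')
POLICY_RE = re.compile(r'policy-(\d+).*?act-(\w+)')

def parse_flow(text):
    """Group trace lines per session (trace_id): ingress interface, NAT steps, matched policy."""
    traces = defaultdict(lambda: {"ingress": None, "nat": [], "policy": None})
    for raw in text.splitlines():
        m = LINE_RE.search(raw)
        if not m:
            continue
        tid, func, msg = m.groups()
        if func == "print_pkt_detail" and (ing := re.search(r"from (\S+)\.", msg)):
            traces[tid]["ingress"] = ing.group(1)
        elif nat := NAT_RE.match(msg):
            traces[tid]["nat"].append(nat.groups())      # (kind, original ip, translated ip)
        elif func == "__iprope_check_one_policy" and "matched" in msg and (p := POLICY_RE.search(msg)):
            traces[tid]["policy"] = p.groups()            # (policy id, action)
    return dict(traces)

def check_trace(trace, ingress, nat, policy_id):
    """Mismatches between one parsed session and the expected values; [] means OK."""
    got = (trace["ingress"], nat in trace["nat"], trace["policy"])
    want = (ingress, True, (policy_id, "accept"))
    return [f"{k}: got {g!r}, want {w!r}" for k, g, w in zip(("ingress", "nat", "policy"), got, want) if g != w]

# Expected per the article: Task 1 enters on port3, DNATs the dummy IP, hits policy 2; Task 2 enters on AZ, SNATs User B, hits policy 3.
EXPECTED = {
    "61": ("port3", ("DNAT", "10.10.10.1", "10.210.10.84"), "2"),
    "57": ("AZ", ("SNAT", "10.210.10.84", "10.10.10.1"), "3"),
}

def verify(text=SAMPLE_TRACE, expected=EXPECTED):
    """Return {trace_id: [problems]} for every expected session; a missing session is reported as problems."""
    empty = {"ingress": None, "nat": [], "policy": None}
    traces = parse_flow(text)
    return {tid: check_trace(traces.get(tid, empty), *exp) for tid, exp in expected.items()}
```

Feed it the output of a real trace (with the filters shown above) and any non-empty list points at the step that diverged from the documented flow.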

Related Document:
Packet flow ingress and egress: FortiGates without network processor offloading

 
Recommendation: once this solution is implemented, TAC recommends clearing the existing sessions for the affected IP segment using the document below:
 
Note:
This example uses an IP pool for SNAT; the same result can be achieved with 'set nat-source-vip enable' alone in the VIP object configuration, as described in: Technical Tip: Using VIP with specific phase2 selectors for bidirectional traffic requirements