FortiGate
kjohri
Staff
Article Id 265457

Description

 

This article describes how to set up hairpin NAT through the GUI so that a machine on the LAN can reach an internal server through the firewall's public (VIP) address, even though the client and the server sit on the same network.
In this example, the LAN machine sends its request to the public IP, and the FortiGate translates it to the internal server.

 

Scope

 

FortiGate v6.4.0 and later.

 

Solution

 

Users may want to access a web page hosted on a server in the same LAN through a VIP on the firewall instead of the server's private address (for example, because the page is published under a public DNS name). In the following example:

  • The firewall has Internet access through port2.
  • The LAN machine (10.146.14.19) is behind port3.
  • The server (10.5.63.199) is also behind port3 and is published on the public IP 14.14.46.152 (this can be the port2 interface address itself or another public address that is routed to the firewall).

 

  1. Configure the VIP as per requirements.

    Go to Policy & Objects -> Virtual IPs -> Create New.

    Name: Define the name.
    Interface: Set it to any. The hairpinned request arrives on port3, not on the WAN interface, so a VIP bound to port2 only would not match it.
    External IP: The IP address or address range on the external interface that will map to an address or address range on the destination network (the public IP, 14.14.46.152, in this scenario).
    Mapped IP: The IP address or address range on the destination network to which the external IP is mapped (the server IP, 10.5.63.199, in this scenario).

    The VIP alone does not admit any traffic; only the firewall policy in the next step decides who may reach the server through it.

 

[Image: VIP.png]

 

  2. Configure the Firewall Policy for the VIP.

    Go to Policy & Objects -> Firewall Policy -> Create New.

    Incoming Interface: The LAN interface through which the client is reachable (port3).
    Outgoing Interface: The LAN interface through which the server is reachable (port3). If the server resides behind another interface, use that interface instead.
    Source: The LAN subnet or host. Keep this as narrow as the use case allows; the policy is what exposes the server, not the VIP.
    Destination: Select the VIP created in step 1.
    NAT: Enable. With client and server on the same subnet, the server would otherwise answer the client directly from its private address, the client would receive a reply from an address it never sent to, and the connection would fail. With NAT enabled, the source is rewritten to the firewall's port3 address (the SNAT line in the trace below), so the replies return through the firewall.
    Security Profiles: Apply as per requirements.

 

[Image: Firewal_policy.png]
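The CLI equivalent of the two GUI steps above, as an added example that is not part of the original article. The object names ("LAN-subnet", "Hairpin-VIP-web", "LAN-hairpin-to-web"), the /24 mask of the LAN subnet and the restriction to the HTTPS service are assumptions; the addresses and interfaces are those of the scenario:

```fortios
# Added example (not from the original article). Object names and the /24 LAN mask are assumed.
config firewall address
    edit "LAN-subnet"
        set subnet 10.146.14.0 255.255.255.0
    next
end

# Step 1: the VIP. extintf "any" is required so that the VIP also matches
# requests that arrive on port3 instead of the WAN interface.
config firewall vip
    edit "Hairpin-VIP-web"
        set extintf "any"
        set extip 14.14.46.152
        set mappedip "10.5.63.199"
    next
end

# Step 2: LAN-to-LAN policy that references the VIP. "set nat enable" is what
# makes the hairpin work: the server then replies to the firewall's port3
# address instead of directly to the client on the same subnet.
config firewall policy
    edit 0
        set name "LAN-hairpin-to-web"
        set srcintf "port3"
        set dstintf "port3"
        set srcaddr "LAN-subnet"
        set dstaddr "Hairpin-VIP-web"
        set action accept
        set schedule "always"
        set service "HTTPS"
        set nat enable
        set logtraffic all
    next
end
```

Restricting the service to HTTPS and the source to the LAN subnet keeps the policy from becoming a general any-to-server rule; widen either only if the use case needs it.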


Troubleshooting:

Apply a flow filter so that only the test traffic is printed, then start the trace. Output appears only after diagnose debug enable is issued:

diagnose debug flow filter saddr 10.146.14.19
diagnose debug flow filter daddr 14.14.46.152
diagnose debug flow show iprope enable
diagnose debug flow show function-name enable
diagnose debug flow trace start 1000
diagnose debug enable

 

Access the server as per requirements. In this scenario, a site is hosted at https://14.14.46.152:443. The trace below was captured in a lab where the VIP was mapped to 10.146.15.199 (not 10.5.63.199 as in the example above) and the firewall's port3 address was 10.146.2.239, so read the addresses accordingly. The lines that confirm a working hairpin are: find DNAT and DNAT 14.14.46.152:443->10.146.15.199:443 (the VIP matched and the destination was rewritten), in-[port3], out-[port3] (ingress and egress are the same interface), Allowed by Policy-2: SNAT (the matching policy has NAT enabled) and the final SNAT 10.146.14.19->10.146.2.239:54049 line (the source is rewritten to the firewall's port3 address, so the server replies to the firewall rather than directly to the client).

id=65308 trace_id=628 func=print_pkt_detail line=5842 msg="vd-root:0 received a packet(proto=6, 10.146.14.19:54049->14.14.46.152:443) tun_id=0.0.0.0 from port3. flag [S], seq 300068082, ack 0, win 64240"
id=65308 trace_id=628 func=init_ip_session_common line=6028 msg="allocate a new session-00cec3d3, tun_id=0.0.0.0"
id=65308 trace_id=628 func=iprope_dnat_check line=5303 msg="in-[port3], out-[]"
id=65308 trace_id=628 func=iprope_dnat_tree_check line=824 msg="len=1"
id=65308 trace_id=628 func=__iprope_check_one_dnat_policy line=5168 msg="checking gnum-100000 policy-1"
id=65308 trace_id=628 func=get_new_addr line=1239 msg="find DNAT: IP-10.146.15.199, port-443"
id=65308 trace_id=628 func=__iprope_check_one_dnat_policy line=5258 msg="matched policy-1, act=accept, vip=1, flag=100, sflag=2000000"
id=65308 trace_id=628 func=iprope_dnat_check line=5315 msg="result: skb_flags-02000000, vid-1, ret-matched, act-accept, flag-00000100"
id=65308 trace_id=628 func=fw_pre_route_handler line=184 msg="VIP-10.146.15.199:443, outdev-unknown"
id=65308 trace_id=628 func=__ip_session_run_tuple line=3435 msg="DNAT 14.14.46.152:443->10.146.15.199:443"
id=65308 trace_id=628 func=__vf_ip_route_input_rcu line=2012 msg="find a route: flag=00000000 gw-0.0.0.0 via port3"
id=65308 trace_id=628 func=iprope_fwd_check line=794 msg="in-[port3], out-[port3], skb_flags-020000c0, vid-1, app_id: 0, url_cat_id: 0"
id=65308 trace_id=628 func=__iprope_tree_check line=535 msg="gnum-100004, use addr/intf hash, len=3"
id=65308 trace_id=628 func=__iprope_check_one_policy line=2059 msg="checked gnum-100004 policy-3, ret-no-match, act-accept"
id=65308 trace_id=628 func=__iprope_check_one_policy line=2059 msg="checked gnum-100004 policy-2, ret-matched, act-accept"
id=65308 trace_id=628 func=__iprope_user_identity_check line=1833 msg="ret-matched"
id=65308 trace_id=628 func=__iprope_check line=2307 msg="gnum-4e21, check-00000000be4a65b6"
id=65308 trace_id=628 func=__iprope_check_one_policy line=2059 msg="checked gnum-4e21 policy-6, ret-no-match, act-accept"
id=65308 trace_id=628 func=__iprope_check_one_policy line=2059 msg="checked gnum-4e21 policy-6, ret-no-match, act-accept"
id=65308 trace_id=628 func=__iprope_check_one_policy line=2059 msg="checked gnum-4e21 policy-6, ret-no-match, act-accept"
id=65308 trace_id=628 func=__iprope_check line=2324 msg="gnum-4e21 check result: ret-no-match, act-accept, flag-00000000, flag2-00000000"
id=65308 trace_id=628 func=__iprope_check_one_policy line=2277 msg="policy-2 is matched, act-accept"
id=65308 trace_id=628 func=iprope_fwd_check line=831 msg="after iprope_captive_check(): is_captive-0, ret-matched, act-accept, idx-2"
id=65308 trace_id=628 func=iprope_fwd_auth_check line=850 msg="after iprope_captive_check(): is_captive-0, ret-matched, act-accept, idx-2"
id=65308 trace_id=628 func=fw_forward_handler line=1000 msg="Allowed by Policy-2: SNAT"
id=65308 trace_id=628 func=ip_session_confirm_final line=3087 msg="npu_state=0x101, hook=4"
id=65308 trace_id=628 func=__ip_session_run_tuple line=3422 msg="SNAT 10.146.14.19->10.146.2.239:54049"
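A complete debug session for the same test, including the teardown that the steps above leave out and a session-table check to confirm both translations. This is an added example, not part of the original article; the addresses are those of the scenario, and the packet count of 20 is an assumption chosen so a single test connection does not flood the console:

```fortios
# Added example (not from the original article). Start from a clean filter so
# stale filters from an earlier session do not hide the test traffic.
diagnose debug flow filter clear
diagnose debug flow filter saddr 10.146.14.19
diagnose debug flow filter daddr 14.14.46.152
diagnose debug flow filter port 443
diagnose debug flow show iprope enable
diagnose debug flow show function-name enable
diagnose debug enable
diagnose debug flow trace start 20
# ... reproduce the access from the LAN machine (https://14.14.46.152) now ...

# Teardown: leaving flow debugging enabled costs CPU and fills the console,
# and a forgotten filter silently hides traffic in the next troubleshooting session.
diagnose debug flow trace stop
diagnose debug flow filter clear
diagnose debug disable
diagnose debug reset

# Confirm the two translations from the session table rather than from the trace:
# the session should carry a dnat entry (14.14.46.152:443 -> server) and a
# snat entry (10.146.14.19 -> port3 address) for the same connection.
diagnose sys session filter clear
diagnose sys session filter src 10.146.14.19
diagnose sys session filter dst 14.14.46.152
diagnose sys session list
diagnose sys session filter clear
```

If the session list shows the dnat entry but no snat entry, NAT is not enabled on the matched policy and the server is replying directly to the client; the client will then drop the reply and the page will time out.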

Contributors