rpillai
Staff
Article Id 193588

Description

This article describes how to port forward traffic to a host that sits behind a VDOM without direct Internet access.


Scope

FortiGate 5.2, FortiGate 5.4, FortiGate 5.6 - Single NAT


Solution

This article assumes that the inter-VDOM link and the policies on it have already been configured, and that the host behind VDOM-A can already reach the Internet through that link.


VIP object: external IP 192.168.13.24 mapped to 192.168.25.2

[Screenshot: VIP object configuration]

Policy from wan to the inter-VDOM link (root-VDOMA0), with the VIP object as the destination (the 'Policy for VIP' in the trace below):

[Screenshot: policy from wan to inter-VDOM link]
 
Additional step: in the root VDOM, add a static route to the mapped IP 192.168.25.2 via the inter-VDOM link interface root-VDOMA0, so that the DNATed packet is routed into VDOM-A instead of following root's default route. The gateway can be left as 0.0.0.0 or set to the IP of the VDOM-A side of the link (root-VDOMA1).

Policy configuration on VDOM-A:

[Screenshot: policy configuration on VDOM-A]
 
Additional step: in VDOM-A, add a default static route (destination 0.0.0.0/0) via the inter-VDOM link interface root-VDOMA1, so that the host's reply traffic returns through root. The gateway can be left as 0.0.0.0 or set to the IP of the root side of the link (root-VDOMA0).
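The CLI equivalent of the objects and routes described above, added here as an example and not taken from the original article. It assumes the interface names seen in the trace (port1 on the wan side, port6 towards the host, inter-VDOM link interfaces root-VDOMA0 and root-VDOMA1); the object names VIP-RDP and host-192.168.25.2 are chosen for this example, and the policy numbers in the comments are the ones that appear in the trace.

```text
config firewall vip                    # root VDOM (config vdom -> edit root)
    edit "VIP-RDP"                     # object name chosen for this example
        set extip 192.168.13.24
        set extintf "port1"            # wan-side interface, as in the trace
        set portforward enable
        set extport 3389
        set mappedip "192.168.25.2"
        set mappedport 3389
    next
end
config router static
    edit 0
        set dst 192.168.25.2 255.255.255.255
        set device "root-VDOMA0"       # gateway left at 0.0.0.0
    next
end
config firewall policy
    edit 0                             # the 'Policy for VIP' (Policy-9 in the trace)
        set srcintf "port1"
        set dstintf "root-VDOMA0"
        set srcaddr "all"
        set dstaddr "VIP-RDP"          # VIP as destination is what triggers the DNAT
        set action accept
        set schedule "always"
        set service "RDP"              # predefined TCP/3389 service; leave NAT disabled
    next
end
config firewall address                # VDOM-A (config vdom -> edit VDOM-A)
    edit "host-192.168.25.2"           # object name chosen for this example
        set subnet 192.168.25.2 255.255.255.255
    next
end
config router static
    edit 0
        set dst 0.0.0.0 0.0.0.0
        set device "root-VDOMA1"       # default route back over the link
    next
end
config firewall policy
    edit 0                             # the 'Incoming Policy' (Policy-1 in the trace)
        set srcintf "root-VDOMA1"
        set dstintf "port6"            # interface facing the host, as in the trace
        set srcaddr "all"
        set dstaddr "host-192.168.25.2"
        set action accept
        set schedule "always"
        set service "RDP"
    next
end
```

The FortiOS CLI does not accept the # comments, so strip them before pasting, and enter each half inside the VDOM named in its first comment.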

Packet flow (diagnose debug flow output for a TCP/3389 connection from 192.168.13.102 to the VIP):
 
FGVM000000045972 (root) # 2016-08-31 12:44:36 id=20085 trace_id=20 func=print_pkt_detail line=4717 msg="vd-root received a packet(proto=6, 192.168.13.102:51981->192.168.13.24:3389) from port1. flag [S], seq 1090537097, ack 0, win 8192"
2016-08-31 12:44:36 id=20085 trace_id=20 func=init_ip_session_common line=4868 msg="allocate a new session-005bce00"
2016-08-31 12:44:36 id=20085 trace_id=20 func=fw_pre_route_handler line=182 msg="VIP-192.168.25.2:3389, outdev-port1"
2016-08-31 12:44:36 id=20085 trace_id=20 func=__ip_session_run_tuple line=2769 msg="DNAT 192.168.13.24:3389->192.168.25.2:3389"
2016-08-31 12:44:36 id=20085 trace_id=20 func=vf_ip_route_input_common line=2584 msg="find a route: flag=04000000 gw-192.168.25.2 via root-VDOMA0"
2016-08-31 12:44:36 id=20085 trace_id=20 func=fw_forward_handler line=698 msg="Allowed by Policy-9:"   //This is the 'Policy for VIP'
2016-08-31 12:44:36 id=20085 trace_id=21 func=print_pkt_detail line=4717 msg="vd-VDOM-A received a packet(proto=6, 192.168.13.102:51981->192.168.25.2:3389) from root-VDOMA1. flag [S], seq 1090537097, ack 0, win 8192"
2016-08-31 12:44:36 id=20085 trace_id=21 func=init_ip_session_common line=4868 msg="allocate a new session-005bce01"
2016-08-31 12:44:36 id=20085 trace_id=21 func=vf_ip_route_input_common line=2584 msg="find a route: flag=00000000 gw-192.168.25.2 via port6"
2016-08-31 12:44:36 id=20085 trace_id=21 func=fw_forward_handler line=698 msg="Allowed by Policy-1:" //This is the 'Incoming Policy'
2016-08-31 12:44:36 id=20085 trace_id=22 func=print_pkt_detail line=4717 msg="vd-VDOM-A received a packet(proto=6, 192.168.25.2:3389->192.168.13.102:51981) from port6. flag [S.], seq 1320276989, ack 1090537098, win 8192"
2016-08-31 12:44:36 id=20085 trace_id=22 func=resolve_ip_tuple_fast line=4781 msg="Find an existing session, id-005bce01, reply direction"
2016-08-31 12:44:36 id=20085 trace_id=22 func=vf_ip_route_input_common line=2584 msg="find a route: flag=04000000 gw-192.168.13.102 via root-VDOMA1"