FortiGate
asavic
Staff
Article Id 196058

Description

 

This article describes how to set up port translation (port forwarding) with a Virtual IP when the IP address itself must not change, that is, when the external IP and the mapped IP are the same and only the destination port is rewritten.

 

Scope

 

FortiOS.

 

Solution

Starting with FortiOS 6.0.0, the error 'Static NAT's extip should be different from mappedip' is returned when a VIP of the static-nat type is configured with the same external and mapped IP address but different external and mapped ports (a port-only translation). FortiOS 5.6 accepted the same configuration.

Example (FortiOS 5.6.12): port translation configured as the static-nat type (the default) is accepted. The 'show' output of the working VIP:

 

show
config firewall vip

    edit "testVIP"
        set extip 1.1.1.1
        set extintf "any"
        set portforward enable
        set mappedip "1.1.1.1"
        set extport 222
        set mappedport 22
    next
end

 

Example (FortiOS 6.0.0): the same port translation can no longer be configured as the static-nat type (the default). Entering the VIP below, with the default type, is rejected when the entry is committed with 'next':

 

config firewall vip
    edit "testVIP"
        set extip 1.1.1.1
        set extintf "any"
        set portforward enable
        set mappedip "1.1.1.1"
        set extport 222
        set mappedport 22
    next
end

 

FortiGate6_0_0 (testVIP) next
Static NAT's extip should be different from mappedip.
object check operator error, -8, discard the setting
Command fail. Return code 1


When the VIP type is set to 'load-balance' instead, the same external and mapped IP is accepted. In this example arp-reply is also disabled, so the FortiGate does not answer ARP requests for 1.1.1.1 itself:

 

config firewall vip
    edit "testVIP"
        set type load-balance
        set extip 1.1.1.1
        set arp-reply disable
        set extintf "any"
        set portforward enable
        set mappedip "1.1.1.1"
        set extport 222
        set mappedport 22
    next
end

 

A firewall policy with the VIP created above as its destination address is also required. Because the VIP has portforward enabled, only traffic to 1.1.1.1:222 matches it, so 'ALL' as the service effectively covers port 222 alone; a narrower service can still be set if preferred:

 

config firewall policy
    edit 1
        set srcintf "internal"    <- The internal interface, or "any" to accept traffic from all interfaces.
        set dstintf "WAN"         <- The WAN interface.
        set action accept
        set srcaddr "all"
        set dstaddr "testVIP"     <- The VIP created above.
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set nat enable            <- NAT must be enabled.
    next
end
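To confirm that the FortiGate is actually rewriting the port, the session table can be inspected while a connection to 1.1.1.1:222 is open, and a new connection can be traced through the flow debugger. The commands below are an added verification example and are not part of the original article; the VIP name, IP address and ports are the ones used above, and the client connection itself is assumed to be started from an internal host.

```fortios
# Added verification example (not from the original article): confirm that a
# connection to 1.1.1.1:222 is translated to 1.1.1.1:22 by the VIP "testVIP".

# 1. Filter the session table to the forwarded port and list matching sessions.
diagnose sys session filter clear
diagnose sys session filter dst 1.1.1.1
diagnose sys session filter dport 222
diagnose sys session list
# The NAT line of a translated session reads
#   hook=pre dir=org act=dnat <client>:<sport>->1.1.1.1:222(1.1.1.1:22)
# i.e. the destination IP is unchanged and only the port is rewritten.
# If act=dnat is missing, the VIP did not match (check extintf, extport
# and that policy 1 above uses "testVIP" as dstaddr).

# 2. Trace a new connection to see the VIP match and the accepting policy.
diagnose debug flow filter clear
diagnose debug flow filter port 222
diagnose debug flow trace start 10
diagnose debug enable
# ... open the connection to 1.1.1.1:222 from the internal host here ...
diagnose debug disable
diagnose debug flow trace stop
diagnose debug flow filter clear
```

The flow trace should show the packet being matched to the VIP and allowed by policy ID 1; a trace that ends in a policy deny or in no matching policy points at the firewall policy rather than the VIP definition.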