nalexiou
Staff
Article Id 189947

Description

 

This article describes how a VIP's external IP address can be used to perform Source NAT (SNAT) when Central NAT is disabled. Virtual IP addresses are usually used to map an external (public) IP address to an internal (private) one for Destination NAT (DNAT).

 

Scope

 

FortiGate.


Solution

 
Topology:
HOST <-----> FGT <-----> Internet
 
SNAT with VIP and Central-NAT disabled:

CLI configuration:
 
  1. Create a firewall policy to allow Internet access for the HOST, and enable SNAT on this policy.
 
config firewall policy
    edit 1
        set srcintf "lan"
        set dstintf "wan"
        set srcaddr "HOST"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
 
  2. The VIP entry must be referenced in at least one firewall policy in order for its external IP to be used for SNAT.
 
    edit 2
        set name "activate vip"
        set srcintf "wan"
        set dstintf "lan"
        set srcaddr "all"
        set dstaddr "VIP"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic disable
        set comments "Used only to activate Source NAT for HOST"
    next
end

config firewall vip
    edit "VIP"
        set extip 20.1.2.3
        set extintf "wan"
        set nat-source-vip enable
        set mappedip "10.185.3.199"
    next
end

config firewall address
    edit "HOST"
        set subnet 10.185.3.199 255.255.255.255
    next
end

 
Note:
  • Firewall policy #2 activates the VIP so that its external IP address can be used to perform SNAT when the HOST generates traffic towards the Internet.
  • Internet traffic from the HOST is allowed by firewall policy #1 and source NATed with the VIP's external IP address.
 
When a VIP is involved, the SNAT source address is selected in the following order of precedence:
 
  1. Reverse SNAT according to the VIP, if nat-source-vip is enabled; otherwise
  2. the IP pool specified in the policy (LAN to WAN policy); otherwise
  3. reverse SNAT according to the VIP, if nat-source-vip is disabled; otherwise
  4. the IP address of the outgoing interface.

Important notes:
 
  • When port-forwarding is disabled on the VIP and Source NAT with 'Use Outgoing Interface Address' is enabled on firewall policy #1, traffic matching firewall policy #1 will be source NATed with the VIP's external IP address instead of the outgoing physical interface IP address, irrespective of the 'nat-source-vip' setting.

    Debug log verification:
     
    id=20085 trace_id=1125 func=fw_forward_handler line=749 msg="Allowed by Policy-1: SNAT"
    id=20085 trace_id=1125 func=__ip_session_run_tuple line=3226 msg="SNAT 10.185.3.199->20.1.2.3:65324"
     
    Sniffer result:
     
    16.430250 lan in 10.185.3.199 -> 8.8.8.8: icmp: echo request
    16.430348 wan out 20.1.2.3 -> 8.8.8.8: icmp: echo request

     
  • When port-forwarding is disabled on the VIP and Source NAT with IP Pool is enabled on firewall policy #1, 'set nat-source-vip enable' must be configured on the VIP in order for the FortiGate to perform SNAT using the VIP's external IP address instead of the IP pool in the policy.

  • When port-forwarding is enabled on the VIP, the 'nat-source-vip' setting must be enabled, and the VIP's external IP will be used for SNAT only when the source port of the HOST-generated traffic falls within the port range configured on the VIP.

Example 1:
When a port-forwarding VIP is created to translate TCP port 80 to 80 and the HOST generates TCP traffic with a dynamic source port, the SNAT will be performed using the outgoing interface IP and NOT the VIP's external IP.

[10.185.3.199:62189->8.8.8.8:80] - SNAT will be performed with the outgoing interface IP.
 
Example 2:
When a port-forwarding VIP is created to translate TCP ports 1-65535 to 1-65535 and the HOST generates TCP traffic with a dynamic source port, the SNAT will be performed using the VIP's external IP address.

[10.185.3.199:62189->8.8.8.8:80] - SNAT will be performed with the VIP's external IP.
 
Example 3:
When a port-forwarding VIP is created to translate TCP ports 1-65535 to 1-65535 and the HOST generates UDP traffic, the SNAT will be performed using the outgoing interface IP and NOT the VIP's external IP.
 
[10.185.3.199:62189->8.8.8.8:53] - SNAT will be performed with the outgoing interface IP.
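As an added illustration (not part of the original article or FortiOS itself), the Python below models the SNAT address selection order and the port-forwarding condition described above, and replays Examples 1-3. The host and VIP addresses come from the article; the wan interface address 203.0.113.1 and the IP pool address used in the checks are constructed placeholders.

```python
# Added example: a small model of the FortiGate SNAT source-address selection
# described in the article (precedence list plus the port-forwarding rule).
from dataclasses import dataclass
from typing import Optional, Tuple

@dataclass
class Vip:
    extip: str                              # set extip (20.1.2.3 in the debug output)
    mappedip: str                           # set mappedip
    nat_source_vip: bool = False            # set nat-source-vip enable/disable
    portforward: bool = False               # set portforward enable/disable
    protocol: str = "tcp"                   # set protocol (only meaningful with portforward)
    extport: Tuple[int, int] = (1, 65535)   # set extport low-high
    referenced: bool = True                 # VIP referenced by at least one policy (policy #2)

@dataclass
class Policy:
    nat: bool = True                        # set nat enable
    ippool: Optional[str] = None            # IP pool address on the policy; None = egress IP

def vip_applies(vip: Optional[Vip], src_ip: str, proto: str, sport: int) -> bool:
    """Reverse SNAT by the VIP only applies to traffic from the mapped host. With
    port forwarding it also needs nat-source-vip, the VIP's protocol and a source
    port inside the VIP's external port range (Examples 1-3)."""
    if vip is None or not vip.referenced or vip.mappedip != src_ip:
        return False
    if not vip.portforward:
        return True
    low, high = vip.extport
    return vip.nat_source_vip and proto == vip.protocol and low <= sport <= high

def select_snat(policy: Policy, vip: Optional[Vip], egress_ip: str,
                src_ip: str, proto: str, sport: int) -> Tuple[str, str]:
    """Return (translated source address, rule that chose it) in the article's order."""
    if not policy.nat:
        return src_ip, "no SNAT on policy"
    hit = vip_applies(vip, src_ip, proto, sport)
    if hit and vip.nat_source_vip:          # 1. VIP, nat-source-vip enabled
        return vip.extip, "vip (nat-source-vip enabled)"
    if policy.ippool:                       # 2. IP pool on the policy
        return policy.ippool, "ippool"
    if hit:                                 # 3. VIP, nat-source-vip disabled
        return vip.extip, "vip (nat-source-vip disabled)"
    return egress_ip, "outgoing interface"  # 4. outgoing interface address

HOST = "10.185.3.199"     # from the article
VIP_EXT = "20.1.2.3"      # from the article's debug output
WAN_IP = "203.0.113.1"    # constructed: physical wan interface address

if __name__ == "__main__":
    pf_all = Vip(VIP_EXT, HOST, nat_source_vip=True, portforward=True)
    print(select_snat(Policy(), pf_all, WAN_IP, HOST, "tcp", 62189))  # Example 2: VIP
    print(select_snat(Policy(), pf_all, WAN_IP, HOST, "udp", 62189))  # Example 3: wan
```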