Technical Tip: How to use VIP's External IP Address for Source NAT when Central NAT is Enabled

vpalli · ‎04-18-2022

Description

This article demonstrates how a VIP's external IP address can be used to perform Source NAT (SNAT) when Central-NAT is enabled. The use of Virtual IP addresses is usually done to map external (public) to internal (private) IP addresses for Destination NAT (DNAT).

Scope

FortiGate.

Solution

Topology:

HOST <----->(LAN) FortiGate(WAN)< –----> Internet.

SNAT with VIP and Central-NAT enabled:

CLI configuration:

CLI config for Central NAT.

config system settings
set central-nat enable
end

Address object of the HOST.

config firewall address
    edit "HOST"
        set subnet 10.185.3.199 255.255.255.255
    next
end
A firewall policy to allow Internet access for the HOST.

config firewall policy
    edit 1
        set srcintf "lan"
        set dstintf "wan"
        set srcaddr "HOST"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
Central SNAT Rule to NAT traffic using outgoing interface address or an IP Pool.

config firewall central-snat-map
    edit 1
        set orig-addr "HOST"
        set srcintf "lan"
        set dst-addr "all"
        set dstintf "wan"
    next
end

IMPORTANT: With Central SNAT, 'nat-source-vip' must be enabled at all times for FortiGate to perform Source NAT using VIP's External IP address for the traffic generated by the HOST.

config firewall vip
    edit "VIP"
        set extip 20.1.2.3
        set extintf "wan"
        set nat-source-vip enable
        set srcintf-filter "lan"
        set mappedip "10.185.3.199"
    next
end

Debug Log Verification:

id=20085 trace_id=1132 func=fw_forward_handler line=749 msg="Allowed by Policy-1: SNAT"
id=20085 trace_id=1132 func=__ip_session_run_tuple line=3226 msg="SNAT 10.185.3.199->20.1.2.3:1"

Sniffer result:

4.682034 lan in 10.185.3.199 -> 8.8.8.8: icmp: echo request
4.682148 wan1 out 20.1.2.3 -> 8.8.8.8: icmp: echo request

Note:
When port-forwarding is enabled on the VIP.
VIP's external IP will be used for SNAT only when the source port of the HOST-generated traffic falls in the port range configured for VIP.

Example 1:
When a port-forwarding VIP is created to translate TCP port 80 to 80 and if the HOST is generating TCP traffic with a dynamic source port, then the SNAT will be performed using outgoing interface IP and NOT VIP external IP.
[10.185.3.199:62189->8.8.8.8:80] - SNAT will be performed with outgoing Interface IP.

Example 2:
When a port-forwarding VIP is created to translate TCP ports 1-65535 to 1-65535 and if the HOST generates TCP traffic with a dynamic source port, then the SNAT will be performed using the VIP's external IP address.
[10.185.3.199:62189->8.8.8.8:80] - SNAT will be performed with VIP's External IP.

Example 3:
When a port-forwarding VIP is created to translate TCP ports 1-65535 to 1-65535 and if the HOST generates UDP traffic, then the SNAT will be performed using outgoing interface IP and NOT VIP external IP.
[10.185.3.199:62189->8.8.8.8:53] - SNAT will be performed with outgoing Interface IP.

Related Articles:
Technical Note: How to resolve SNAT issue with multiple VIP mapped to the same internal IPTechnical Tip: Using VIP range for SNAT and static 1-to-1 mapping from internal to external IP addre...
Troubleshooting Tip: SNAT in a Policy with VIP