FortiGate
jiahoong112 (Staff)
Article Id 226673
Description

This article describes how to set up a single NAT VIP on an inter-VDOM link, for cases where one VDOM has Internet access and the other VDOM does not.
Scope

FortiGate 6.0.x, 6.2.x, 6.4.x, 7.0.x, 7.2.x - Single NAT.
Solution

Topology:

INET_VDOM -> Internet-facing VDOM

LAN_VDOM -> VDOM with no Internet access (LAN VDOM).

[screenshot: topology]

 

Goal:

 

The goal is to reach the internal LAN IP (10.177.3.1) through the external IP (10.47.19.1).

 

Create a VIP object on the Internet-facing VDOM (INET_VDOM), vipA: 10.47.19.1 -> 10.177.3.1. This VIP maps the external IP directly to the internal LAN IP; no second NAT is performed on the LAN VDOM side.

 

INET_VDOM (Internet-facing VDOM) configuration:

 

Interface:

 

[screenshot: INET_VDOM interfaces]

 

VIP Object:

 

[screenshot: INET_VDOM VIP object vipA]

 

Firewall Policy:

 

[screenshot: INET_VDOM firewall policy]

 

Static Route:

 

[screenshot: INET_VDOM static route]

 

LAN_VDOM (non-Internet-facing VDOM) configuration:

 

Interface:

 

[screenshot: LAN_VDOM interfaces]

 

Firewall Policy:

 

[screenshot: LAN_VDOM firewall policy]

 

Static Route:

 

[screenshot: LAN_VDOM static route]
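The same setup expressed as FortiOS CLI, as an added example rather than the article's own configuration. Interface names (wan1, internal), the inter-VDOM link pair INET_to_LAN0/INET_to_LAN1, the LAN prefix 10.177.3.0/24 and the policy/route IDs are assumptions; take the real values from the screenshots of your own unit. Because only the VIP translates (single NAT), the INET_VDOM policy has no source NAT, so LAN_VDOM needs a return route over the link for replies.

```fortios
# INET_VDOM (config vdom > edit INET_VDOM): VIP, inbound policy, route to the LAN over the link
config firewall vip
    edit "vipA"
        set extip 10.47.19.1
        # assumed WAN interface name
        set extintf "wan1"
        set mappedip "10.177.3.1"
    next
end
config firewall policy
    edit 1
        set srcintf "wan1"
        # assumed inter-VDOM link, INET_VDOM side
        set dstintf "INET_to_LAN0"
        set srcaddr "all"
        set dstaddr "vipA"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
config router static
    edit 10
        # assumed LAN prefix; on an addressed ethernet-type link also set gateway to the LAN_VDOM link IP
        set dst 10.177.3.0 255.255.255.0
        set device "INET_to_LAN0"
    next
end

# LAN_VDOM (config vdom > edit LAN_VDOM): accept already-translated traffic from the link, route replies back
config firewall policy
    edit 1
        # assumed inter-VDOM link, LAN_VDOM side, and assumed LAN interface name
        set srcintf "INET_to_LAN1"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
config router static
    edit 10
        # return route for replies; narrow the prefix if LAN_VDOM must not reach other networks via the link
        set dst 0.0.0.0 0.0.0.0
        set device "INET_to_LAN1"
    next
end
```

Once the ping test in the Result section passes, narrow `set service "ALL"` on both policies to the services 10.177.3.1 actually publishes.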

 

Result:

 

This is how the session table should look.

 

Session table filters used:

 

# diag sys session filter ext-dst 10.47.19.1    (WAN IP)
# diag sys session filter ext-dst 10.177.3.1    (internal IP)

# diag sys session list

 

[screenshot: session table output]

 

In this screenshot, 10.111.36.200 is the host pinging the WAN IP of INET_VDOM.