Two internal servers, PC1 (172.17.11.1) and PC2 (172.17.11.2), are published to the external subnet with VIPs (destination NAT) on the external interface of the FortiGate: toPC1 maps 10.100.1.11 to PC1 and toPC2 maps 10.100.1.12 to PC2. Central NAT is enabled, and a central SNAT map translates the source address of each server to a one-to-one IP pool holding the same external address (pc1pool 10.100.1.11, pc2pool 10.100.1.12) for any traffic entering on port1, whatever the egress interface. The test below shows what happens when an internal host (PC1) connects to another internal host through its VIP (PC2 via 10.100.1.12): the session enters and leaves port1, and both the VIP DNAT and the central SNAT are applied, so PC2 sees the request coming from 10.100.1.11 and not from 172.17.11.1.
Network topology:
internal subnet 172.17.11.0/24 --- port1 (.254) [FGT] port2 (.1) --- 10.100.1.0/24 external subnet
Version: FortiGate-VM64-KVM v7.2.0,build1157,220331 (GA.F)
Interfaces (index numbers are the dev= values that appear in the session output below):
IP=172.17.11.254->172.17.11.254/255.255.255.0 index=3 devname=port1 (internal subnet)
IP=10.100.1.1->10.100.1.1/255.255.255.0 index=4 devname=port2 (external subnet)
Configuration details:
config system settings
    set central-nat enable
end

config firewall address
    edit "PC1"
        set subnet 172.17.11.1 255.255.255.255
    next
    edit "PC2"
        set subnet 172.17.11.2 255.255.255.255
    next
end

config firewall ippool
    edit "pc1pool"
        set type one-to-one
        set startip 10.100.1.11
        set endip 10.100.1.11
    next
    edit "pc2pool"
        set type one-to-one
        set startip 10.100.1.12
        set endip 10.100.1.12
    next
end

config firewall central-snat-map
    edit 2
        set srcintf "port1"
        set dstintf "any"
        set orig-addr "PC1"
        set dst-addr "all"
        set nat-ippool "pc1pool"
    next
    edit 3
        set srcintf "port1"
        set dstintf "any"
        set orig-addr "PC2"
        set dst-addr "all"
        set nat-ippool "pc2pool"
    next
end

config firewall vip
    edit "toPC1"
        set extip 10.100.1.11
        set mappedip "172.17.11.1"
        set extintf "any"
    next
    edit "toPC2"
        set extip 10.100.1.12
        set mappedip "172.17.11.2"
        set extintf "any"
    next
end

config firewall policy
    edit 3
        set srcintf "any"
        set dstintf "port1"
        set action accept
        set srcaddr "all"
        set dstaddr "PC2"
        set schedule "always"
        set service "ALL"
    next
    edit 4
        set srcintf "any"
        set dstintf "port1"
        set action accept
        set srcaddr "all"
        set dstaddr "PC1"
        set schedule "always"
        set service "ALL"
    next
    edit 5
        set srcintf "port1"
        set dstintf "port2"
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
    next
end
Results:
Ping from PC1 (172.17.11.1) to the VIP of PC2 (10.100.1.12). The request enters port1, is DNATed to 172.17.11.2 and SNATed to 10.100.1.11, and leaves on port1 again; the reply is translated back in reverse:
2023-09-20 05:59:37.411887 port1 in 172.17.11.1 -> 10.100.1.12: icmp: echo request
2023-09-20 05:59:37.412050 port1 out 10.100.1.11 -> 172.17.11.2: icmp: echo request
2023-09-20 05:59:37.426533 port1 in 172.17.11.2 -> 10.100.1.11: icmp: echo reply
2023-09-20 05:59:37.426594 port1 out 10.100.1.12 -> 172.17.11.1: icmp: echo reply
Ping from PC1 (172.17.11.1) to the default gateway on the external subnet (10.100.1.2). Only the central SNAT applies, and the request leaves on port2:
2023-09-20 05:59:41.410648 port1 in 172.17.11.1 -> 10.100.1.2: icmp: echo request
2023-09-20 05:59:41.412397 port2 out 10.100.1.11 -> 10.100.1.2: icmp: echo request
2023-09-20 05:59:41.414490 port2 in 10.100.1.2 -> 10.100.1.11: icmp: echo reply
2023-09-20 05:59:41.414519 port1 out 10.100.1.2 -> 172.17.11.1: icmp: echo reply
Session information for both pings. The first session (policy 5, dev=3->4, two tuples) carries only the SNAT hook. The second session (policy 3, dev=3->3, four tuples) carries the VIP DNAT hook at pre-routing and the central SNAT hook at post-routing for the originating direction, plus the two reverse hooks for the reply; the policy matched is policy 3 (srcintf any, dstintf port1, dstaddr PC2), because the VIP has already rewritten the destination to 172.17.11.2 when policy lookup takes place, and the SNAT map with dstintf "any" also matches when the egress interface is port1:
PROTO  EXPIRE  SOURCE           SOURCE-NAT       DESTINATION    DESTINATION-NAT
icmp   35      172.17.11.1:141  10.100.1.11:141  10.100.1.2:8   -
icmp   38      172.17.11.1:142  10.100.1.11:142  10.100.1.12:8  172.17.11.2:142
session info: proto=1 proto_state=00 duration=8 expire=53 timeout=0 flags=00000000 socktype=0 sockport=0 av_idx=0 use=3
origin-shaper=
reply-shaper=
per_ip_shaper=
class_id=0 ha_id=0 policy_dir=0 tunnel=/ vlan_cos=0/255
state=may_dirty
statistic(bytes/packets/allow_err): org=252/3/1 reply=252/3/1 tuples=2
tx speed(Bps/kbps): 30/0 rx speed(Bps/kbps): 30/0
orgin->sink: org pre->post, reply pre->post dev=3->4/4->3 gwy=10.100.1.2/172.17.11.1
hook=post dir=org act=snat 172.17.11.1:141->10.100.1.2:8(10.100.1.11:141)
hook=pre dir=reply act=dnat 10.100.1.2:141->10.100.1.11:0(172.17.11.1:141)
misc=0 policy_id=5 pol_uuid_idx=14735 auth_info=0 chk_client_info=0 vd=0 serial=00002b2b tos=ff/ff app_list=0 app=0 url_cat=0
rpdb_link_id=00000000 ngfwid=n/a
npu_state=0x000100 no_ofld_reason: npu-flag-off
session info: proto=1 proto_state=00 duration=4 expire=56 timeout=0 flags=00000000 socktype=0 sockport=0 av_idx=0 use=5
origin-shaper=
reply-shaper=
per_ip_shaper=
class_id=0 ha_id=0 policy_dir=0 tunnel=/ vlan_cos=0/255
state=may_dirty
statistic(bytes/packets/allow_err): org=168/2/1 reply=168/2/1 tuples=4
tx speed(Bps/kbps): 38/0 rx speed(Bps/kbps): 38/0
orgin->sink: org pre->post, reply pre->post dev=3->3/3->3 gwy=172.17.11.2/172.17.11.1
hook=pre dir=org act=dnat 172.17.11.1:142->10.100.1.12:8(172.17.11.2:142)
hook=post dir=org act=snat 172.17.11.1:142->172.17.11.2:8(10.100.1.11:142)
hook=pre dir=reply act=dnat 172.17.11.2:142->10.100.1.11:0(172.17.11.1:142)
hook=post dir=reply act=snat 172.17.11.2:142->172.17.11.1:0(10.100.1.12:142)
misc=0 policy_id=3 pol_uuid_idx=14733 auth_info=0 chk_client_info=0 vd=0 serial=00002b2d tos=ff/ff app_list=0 app=0 url_cat=0
rpdb_link_id=00000000 ngfwid=n/a
npu_state=0x000100 no_ofld_reason: npu-flag-off
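Reading the hook lines by hand is error-prone on a busy unit, so the following script is added here as a worked example (it is not Fortinet code and not part of the original article). It parses the hook=/dir=/act= lines and the dev= field of diagnose sys session list output, computes the source and destination addresses the next hop actually sees once every originating-direction translation has been applied, and flags sessions that hairpin on a single interface while SNAT is in effect, which is exactly the case of the second session above. The interface index map and the embedded session text are constructed from the output shown on this page; the function and class names are the example's own.

```python
"""Summarise FortiGate session entries to show the effective NAT applied.

Added example, not Fortinet code. It parses the text printed by
`diagnose sys session list` (hook=/dir=/act= lines and the dev= field) and
reports, per session, the addresses on the wire after NAT and whether the
flow hairpins (same ingress and egress interface index).
"""
import re
from dataclasses import dataclass

# Interface index -> name, from the interface list on this page
# (index=3 port1, index=4 port2).
IFACES = {3: "port1", 4: "port2"}

# Constructed from the two session entries shown above; fields the parser
# does not use were dropped.
SESSION_DUMP = """\
session info: proto=1 proto_state=00 duration=8 expire=53 timeout=0
dev=3->4/4->3 gwy=10.100.1.2/172.17.11.1
hook=post dir=org act=snat 172.17.11.1:141->10.100.1.2:8(10.100.1.11:141)
hook=pre dir=reply act=dnat 10.100.1.2:141->10.100.1.11:0(172.17.11.1:141)
misc=0 policy_id=5 pol_uuid_idx=14735 auth_info=0 chk_client_info=0 vd=0
session info: proto=1 proto_state=00 duration=4 expire=56 timeout=0
dev=3->3/3->3 gwy=172.17.11.2/172.17.11.1
hook=pre dir=org act=dnat 172.17.11.1:142->10.100.1.12:8(172.17.11.2:142)
hook=post dir=org act=snat 172.17.11.1:142->172.17.11.2:8(10.100.1.11:142)
hook=pre dir=reply act=dnat 172.17.11.2:142->10.100.1.11:0(172.17.11.1:142)
hook=post dir=reply act=snat 172.17.11.2:142->172.17.11.1:0(10.100.1.12:142)
misc=0 policy_id=3 pol_uuid_idx=14733 auth_info=0 chk_client_info=0 vd=0
"""

HOOK_RE = re.compile(
    r"hook=(?P<hook>\w+) dir=(?P<dir>\w+) act=(?P<act>\w+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+)->(?P<dst>[\d.]+):(?P<dport>\d+)"
    r"\((?P<nat>[\d.]+):(?P<nport>\d+)\)"
)
DEV_RE = re.compile(r"dev=(?P<in>\d+)->(?P<out>\d+)/")
POLICY_RE = re.compile(r"policy_id=(?P<pid>\d+)")


@dataclass
class NatSummary:
    policy_id: int
    in_if: str
    out_if: str
    orig_src: str
    orig_dst: str
    wire_src: str   # source address the next hop sees
    wire_dst: str   # destination address the next hop sees
    snat: bool
    dnat: bool

    @property
    def hairpin(self) -> bool:
        return self.in_if == self.out_if


def parse_sessions(dump: str, ifaces=IFACES) -> list:
    """Return one NatSummary per session that carries originating NAT hooks."""
    summaries = []
    # Each entry starts with "session info:"; the chunk before the first is empty.
    for chunk in dump.split("session info:")[1:]:
        dev = DEV_RE.search(chunk)
        pid = POLICY_RE.search(chunk)
        org_hooks = [m for m in HOOK_RE.finditer(chunk) if m["dir"] == "org"]
        if not (dev and pid and org_hooks):
            continue  # no NAT in the originating direction: nothing to report
        # The pre-NAT tuple is the left side of the first originating hook.
        orig_src, orig_dst = org_hooks[0]["src"], org_hooks[0]["dst"]
        wire_src, wire_dst = orig_src, orig_dst
        snat = dnat = False
        for h in org_hooks:
            if h["act"] == "dnat":      # pre-routing hook rewrites the destination
                wire_dst, dnat = h["nat"], True
            elif h["act"] == "snat":    # post-routing hook rewrites the source
                wire_src, snat = h["nat"], True
        summaries.append(NatSummary(
            policy_id=int(pid["pid"]),
            in_if=ifaces.get(int(dev["in"]), dev["in"]),
            out_if=ifaces.get(int(dev["out"]), dev["out"]),
            orig_src=orig_src, orig_dst=orig_dst,
            wire_src=wire_src, wire_dst=wire_dst,
            snat=snat, dnat=dnat,
        ))
    return summaries


def hairpin_snat(summaries) -> list:
    """Sessions where SNAT was applied although the flow never left the ingress
    interface: the internal server sees a pool/VIP address, not the real client."""
    return [s for s in summaries if s.hairpin and s.snat]


if __name__ == "__main__":
    for s in parse_sessions(SESSION_DUMP):
        tag = "  <- hairpin with SNAT" if s.hairpin and s.snat else ""
        print(f"policy {s.policy_id}: {s.in_if}->{s.out_if} "
              f"{s.orig_src}->{s.orig_dst} on wire as {s.wire_src}->{s.wire_dst}{tag}")
```

Run against the page's two sessions, the script reports policy 5 as 172.17.11.1->10.100.1.2 leaving port2 as 10.100.1.11->10.100.1.2, and policy 3 as 172.17.11.1->10.100.1.12 leaving port1 as 10.100.1.11->172.17.11.2, flagged as a hairpin with SNAT. On a live unit, paste the full diagnose sys session list output into SESSION_DUMP (or read it from a file) and extend IFACES with the index values from the interface list; anything listed by hairpin_snat is a flow whose server-side logs and access controls will show the pool address instead of the client.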