Description
This article describes the behavior of outgoing traffic once a VIP is created without port forwarding and without an IP Pool, with only NAT enabled in the firewall policy.
Scope
FortiGate.
Solution
Topology:
User Machine <--------> FW <-------> Internet
Tested IPs in the lab on version 7.0.9:
Server IP: 10.222.3.129
Interface IP: 10.5.22.121
VIP created: 10.5.22.122 <-------> 10.222.3.129
Outgoing interface: Port1
Incoming interface: Port3
SNAT with VIP.
CLI Configuration:
1) Create a normal firewall policy for Internet access:
# config firewall policy
    edit 1
        set name "internet"
        set srcintf "port3"
        set dstintf "port1"
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
        set ssl-ssh-profile "certificate-inspection"
        set logtraffic all
        set nat enable
    next
end
2) Configure the firewall policy that activates the VIP:
# config firewall policy
    edit 2
        set name "TEST-VIP"
        set srcintf "port1"
        set dstintf "port3"
        set action accept
        set srcaddr "all"
        set dstaddr "Test-VIP"
        set schedule "always"
        set service "ALL"
        set ssl-ssh-profile "certificate-inspection"
        set logtraffic all
        set nat enable
    next
end
3) VIP configuration:
# config firewall vip
    edit "Test-VIP"
        set extip 10.5.22.122
        set mappedip "10.222.3.129"
        set extintf "any"
    next
end
4) Traffic flow in different scenarios.
Traffic flow while using the one-to-one mapping without port forwarding and without an IP pool:
id=20085 trace_id=125 func=__iprope_check_one_reverse_dnat_policy line=1243 msg="checking gnum-100002 policy-4294967295"
id=20085 trace_id=125 func=get_new_addr line=1221 msg="find DNAT: IP-10.5.22.122, port-0(fixed port)"
id=20085 trace_id=125 func=__iprope_check_one_reverse_dnat_policy line=1255 msg="new-ip=10.5.22.122, new-port=0"
id=20085 trace_id=125 func=fw_forward_handler line=881 msg="Allowed by Policy-1: SNAT"
id=20085 trace_id=125 func=ids_receive line=417 msg="send to ips"
id=20085 trace_id=125 func=__ip_session_run_tuple line=3497 msg="SNAT 10.222.3.129->10.5.22.122:1"
id=20085 trace_id=126 func=print_pkt_detail line=5871 msg="vd-root:0 received a packet(proto=1, 1.1.1.1:1->10.5.22.122:0) tun_id=0.0.0.0 from port1. type=0, code=0, id=1, seq=57346."
Traffic flow without port forwarding and using an IP pool:
id=20085 trace_id=109 func=print_pkt_detail line=5871 msg="vd-root:0 received a packet(proto=1, 10.222.3.129:1->1.1.1.1:2048) tun_id=0.0.0.0 from port3. type=8, code=0, id=1, seq=57327."
id=20085 trace_id=109 func=init_ip_session_common line=6050 msg="allocate a new session-0049434f, tun_id=0.0.0.0"
id=20085 trace_id=109 func=vf_ip_route_input_common line=2605 msg="find a route: flag=04000000 gw-10.5.31.254 via port1"
id=20085 trace_id=109 func=get_new_addr line=1221 msg="find SNAT: IP-10.5.22.121(from IPPOOL), port-60417"
id=20085 trace_id=109 func=get_new_addr line=1221 msg="find DNAT: IP-10.5.22.122, port-0(fixed port)"
id=20085 trace_id=109 func=fw_forward_handler line=881 msg="Allowed by Policy-1: SNAT"
id=20085 trace_id=109 func=ids_receive line=417 msg="send to ips"
id=20085 trace_id=109 func=__ip_session_run_tuple line=3497 msg="SNAT 10.222.3.129->10.5.22.121:60417"
id=20085 trace_id=110 func=print_pkt_detail line=5871 msg="vd-root:0 received a packet(proto=1, 1.1.1.1:60417->10.5.22.121:0) tun_id=0.0.0.0 from port1. type=0, code=0, id=60417, seq=57327."
Traffic flow while using port forwarding but without an IP pool:
id=20085 trace_id=117 func=__iprope_check_one_reverse_dnat_policy line=1243 msg="checking gnum-100002 policy-4294967295"
id=20085 trace_id=117 func=fw_forward_handler line=881 msg="Allowed by Policy-1: SNAT"
id=20085 trace_id=117 func=ids_receive line=417 msg="send to ips"
id=20085 trace_id=117 func=__ip_session_run_tuple line=3497 msg="SNAT 10.222.3.129->10.5.22.121:60417"
id=20085 trace_id=118 func=print_pkt_detail line=5871 msg="vd-root:0 received a packet(proto=1, 1.1.1.1:60417->10.5.22.121:0) tun_id=0.0.0.0 from port1. type=0, code=0, id=60417, seq=57339."
Note: when the VIP is created without port forwarding, the outgoing source IP address of the user machine is the VIP external IP address instead of the interface IP address, because the firewall first checks the reverse DNAT (the VIP mapping) for the user machine and then applies the SNAT enabled in the policy according to that VIP.
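To verify which address a host actually egresses with, the `diagnose debug flow` records above can be parsed and each SNAT decision classified as coming from an IP pool, a VIP external IP, or the interface IP. This is an added example, not part of the original article; the sample lines are constructed in the format shown above using the article's lab addresses, and the interface and VIP address sets are passed in by the operator.

```python
import re

# Constructed sample in the format of the debug flow output quoted in this article
# (addresses are the article's lab values; the lines are assembled for this example).
SAMPLE_FLOW = """\
id=20085 trace_id=125 func=get_new_addr line=1221 msg="find DNAT: IP-10.5.22.122, port-0(fixed port)"
id=20085 trace_id=125 func=__ip_session_run_tuple line=3497 msg="SNAT 10.222.3.129->10.5.22.122:1"
id=20085 trace_id=109 func=get_new_addr line=1221 msg="find SNAT: IP-10.5.22.121(from IPPOOL), port-60417"
id=20085 trace_id=109 func=get_new_addr line=1221 msg="find DNAT: IP-10.5.22.122, port-0(fixed port)"
id=20085 trace_id=109 func=__ip_session_run_tuple line=3497 msg="SNAT 10.222.3.129->10.5.22.121:60417"
id=20085 trace_id=117 func=__ip_session_run_tuple line=3497 msg="SNAT 10.222.3.129->10.5.22.121:60417"
"""

TRACE_RE = re.compile(r"trace_id=(\d+)\b")
SNAT_RE = re.compile(r'msg="SNAT (\S+)->(\S+):\d+"')
POOL_RE = re.compile(r'msg="find SNAT: IP-\S+\(from IPPOOL\)')
DNAT_RE = re.compile(r'msg="find DNAT: IP-')


def classify_snat(flow_text, interface_ips, vip_extips):
    """Return {trace_id: (orig_src, translated_src, origin, dnat_hit)} for each SNATed
    session, where origin is 'ippool', 'vip', 'interface' or 'unknown'."""
    per_trace = {}
    for line in flow_text.splitlines():
        if not (t := TRACE_RE.search(line)):
            continue
        rec = per_trace.setdefault(t.group(1), {})
        if m := SNAT_RE.search(line):
            rec["orig"], rec["xlated"] = m.group(1), m.group(2)
        elif POOL_RE.search(line):
            rec["from_pool"] = True      # FortiGate names the pool explicitly
        elif DNAT_RE.search(line):
            rec["dnat_hit"] = True       # reverse-DNAT lookup matched a VIP
    results = {}
    for tid, rec in per_trace.items():
        if "xlated" not in rec:
            continue                     # no SNAT decision recorded for this trace
        if rec.get("from_pool"):
            origin = "ippool"
        elif rec["xlated"] in vip_extips:
            origin = "vip"               # the behaviour this article describes
        elif rec["xlated"] in interface_ips:
            origin = "interface"
        else:
            origin = "unknown"
        results[tid] = (rec["orig"], rec["xlated"], origin, rec.get("dnat_hit", False))
    return results


def traces_egressing_via_vip(results):
    """trace_ids whose outbound source became a VIP external IP rather than the interface or pool IP."""
    return sorted(tid for tid, (_, _, origin, _) in results.items() if origin == "vip")
```

Running `classify_snat(SAMPLE_FLOW, {"10.5.22.121"}, {"10.5.22.122"})` marks trace 125 as egressing via the VIP, matching the note above.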