FortiGate
subramanis
Staff
Article Id 216348

Description

 

This article describes the VIP (DNAT) behavior when an IP address in the mapped range is not actually available.

 

Example:

 

config firewall vip
    edit "Test"
        set extip 10.1.1.1-10.1.1.10 <----- The VIP has 10 external IP addresses.
        set mappedip "20.0.0.1-20.0.0.10" <----- 10 mapped IP addresses (startip 20.0.0.1, endip 20.0.0.10).
        set extintf "any"
    next
end  

 

The 'set extip 10.1.1.1-10.1.1.10' range holds 10 IP addresses, so once the mapped start IP 20.0.0.1 is entered, the end IP 20.0.0.10 is chosen automatically.

The mapped range must contain the same number of IP addresses as the external range.

 

extip 10.1.1.1-10.1.1.10  <----- Private IP.
mappedip "20.0.0.1-20.0.0.10" <----- Public IP.


Ping from 192.168.1.1-10 to 10.1.1.1-10

Suppose the mapped IPs 20.0.0.3-20.0.0.6 are used for some other purpose and are not available: the firewall will still perform the translation for those addresses.

 

The mappedip address is the virtual IP; it can be any IP address, and the firewall does not know whether those addresses are in use or not.

The firewall performs one-to-one NAT strictly according to the VIP configuration.

 

DNAT Mapping:


12.060398 port1 in 192.168.1.1-> 10.1.1.1: icmp: echo request
12.060408 port13 out 192.168.1.1-> 20.0.0.1: icmp: echo request
13.060550 port1 in 192.168.1.2-> 10.1.1.2: icmp: echo request
13.060556 port13 out 192.168.1.2-> 20.0.0.2: icmp: echo request
14.060796 port1 in 192.168.1.3-> 10.1.1.3: icmp: echo request <---------------
14.060803 port13 out 192.168.1.3-> 20.0.0.3: icmp: echo request
15.060963 port1 in 192.168.1.4-> 10.1.1.4: icmp: echo request <---------------
15.060967 port13 out 192.168.1.4-> 20.0.0.4: icmp: echo request
16.061203 port1 in 192.168.1.5-> 10.1.1.5: icmp: echo request <---------------
16.061210 port13 out 192.168.1.5-> 20.0.0.5: icmp: echo request
17.061392 port1 in 192.168.1.6-> 10.1.1.6: icmp: echo request <---------------
17.061418 port13 out 192.168.1.6-> 20.0.0.6: icmp: echo request
18.061682 port1 in 192.168.1.7-> 10.1.1.7: icmp: echo request
18.061709 port13 out 192.168.1.7-> 20.0.0.7: icmp: echo request
19.061821 port1 in 192.168.1.8-> 10.1.1.8: icmp: echo request
19.061842 port13 out 192.168.1.8-> 20.0.0.8: icmp: echo request

 

Solution

 

Create separate VIP (DNAT) objects that cover only the available IP addresses, so that no external address is translated to a mapped address that is in use elsewhere.
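To make the positional one-to-one behaviour concrete, here is an added Python example (not Fortinet code): it reproduces the mapping the firewall applies, flags the external addresses whose mapped counterparts are on an operator-supplied "unavailable" list (the firewall itself keeps no such list, so the operator must), and emits split VIP definitions in the CLI syntax shown above that skip those addresses. The VIP name "Test" and the unavailable range 20.0.0.3-20.0.0.6 are taken from the article's scenario.

```python
import ipaddress

def expand_range(rng):
    """Expand 'start-end' (or a single address) into the list of IPv4 addresses it covers."""
    start, _, end = rng.partition("-")
    lo = int(ipaddress.IPv4Address(start.strip()))
    hi = int(ipaddress.IPv4Address((end or start).strip()))
    return [str(ipaddress.IPv4Address(i)) for i in range(lo, hi + 1)]

def dnat_mapping(extip, mappedip):
    """Positional one-to-one mapping, as the firewall applies it: extip[n] -> mappedip[n]."""
    ext, mapped = expand_range(extip), expand_range(mappedip)
    if len(ext) != len(mapped):
        raise ValueError("extip and mappedip must cover the same number of addresses")
    return dict(zip(ext, mapped))

def unusable_translations(extip, mappedip, unavailable):
    """External addresses whose mapped counterpart is on the operator-supplied unavailable list."""
    hits = [e for e, m in dnat_mapping(extip, mappedip).items() if m in unavailable]
    return sorted(hits, key=lambda a: int(ipaddress.IPv4Address(a)))

def _fmt(first, last):
    return first if first == last else f"{first}-{last}"

def split_vip(name, extip, mappedip, unavailable, extintf="any"):
    """Return CLI config for separate VIPs covering only the usable, contiguous address runs."""
    runs = []
    for e, m in dnat_mapping(extip, mappedip).items():
        if m in unavailable:
            continue  # skip the pair; this is exactly what the single VIP cannot do
        prev = runs[-1][-1][0] if runs else None
        if prev is not None and int(ipaddress.IPv4Address(e)) == int(ipaddress.IPv4Address(prev)) + 1:
            runs[-1].append((e, m))
        else:
            runs.append([(e, m)])
    lines = ["config firewall vip"]
    for i, run in enumerate(runs, 1):
        lines += [f'    edit "{name}-{i}"',
                  f"        set extip {_fmt(run[0][0], run[-1][0])}",
                  f'        set mappedip "{_fmt(run[0][1], run[-1][1])}"',
                  f'        set extintf "{extintf}"',
                  "    next"]
    lines.append("end")
    return "\n".join(lines)

if __name__ == "__main__":
    UNAVAILABLE = set(expand_range("20.0.0.3-20.0.0.6"))  # constructed, per the article's scenario
    print(unusable_translations("10.1.1.1-10.1.1.10", "20.0.0.1-20.0.0.10", UNAVAILABLE))
    print(split_vip("Test", "10.1.1.1-10.1.1.10", "20.0.0.1-20.0.0.10", UNAVAILABLE))
```

Run as-is it lists 10.1.1.3-10.1.1.6 as the external addresses that the original VIP silently translates to unavailable hosts, then prints the two replacement VIPs ("Test-1" for 10.1.1.1-10.1.1.2 and "Test-2" for 10.1.1.7-10.1.1.10).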