FortiGate
aneshcheret
Staff
Article Id 190588

Description

 

This article describes how, since FortiOS v5.6, it is possible to create a VIP whose External IP and Mapped IP are the same address.
Until firmware 6.0, however, attempting to create such a VIP returns an error in both the CLI and the GUI.

CLI Error:

 

Static NAT's extip should be different from mappedip.
object check operator error, -8, discard the setting
Command fail. Return code -8

GUI Error:

 

Scope

 

FortiGate.


Solution


Set the VIP Type to load-balance instead of static-nat while creating the VIP.
Disable arp-reply, which is enabled by default.

Via CLI:

 

config firewall vip
    edit "SSH_redirect"
        set extip 10.50.50.150
        set extintf "any"
        set portforward enable
        set mappedip "10.50.50.150"
        set extport 666
        set mappedport 22
        set arp-reply disable
        set type load-balance
    next
end

 

Via GUI:

 
Create a new VIP: changing the Type of an existing VIP from static-nat to load-balance produces an error.

The difference between static-nat and load-balance is that load-balance is meant to distribute traffic across several servers behind the FortiGate.
With a single one-to-one DNAT mapping, however, it behaves the same way as static-nat.
 
Note: Starting with FortiOS v7.2.0, FortiGate removes the overlap check for VIPs. No error message is shown for overlapping VIPs; instead, the security rating reports any IP overlaps to the user.
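As an added example (not Fortinet code), the script below parses a pasted "config firewall vip" block and flags the two situations this article covers: a VIP with extip equal to mappedip that is still static-nat (rejected by firmware before 7.2) or that still has arp-reply enabled, and external IPs shared by more than one VIP, which from 7.2 onward only the security rating would report. The sample configuration is constructed for the example and is not from a real device.

```python
import re

VIP_BLOCK = re.compile(r'^\s*edit "([^"]+)"[^\n]*\n(.*?)^\s*next', re.S | re.M)
SETTING = re.compile(r'^\s*set (\S+) (.+?)\s*$', re.M)

# Constructed sample: the article's VIP plus a static-nat entry with extip == mappedip.
SAMPLE_CONFIG = """\
config firewall vip
    edit "SSH_redirect"
        set extip 10.50.50.150
        set mappedip "10.50.50.150"
        set arp-reply disable
        set type load-balance
    next
    edit "BAD_static"
        set extip 10.50.50.150
        set mappedip "10.50.50.150"
    next
end
"""

def parse_vips(config_text):
    """Return {vip_name: {setting: value}}, filling in the FortiOS defaults the article relies on."""
    vips = {}
    for name, body in VIP_BLOCK.findall(config_text):
        settings = {k: v.strip('"') for k, v in SETTING.findall(body)}
        settings.setdefault("type", "static-nat")   # default VIP type
        settings.setdefault("arp-reply", "enable")  # arp-reply is on by default
        vips[name] = settings
    return vips

def audit_vips(config_text):
    """Flag VIPs with extip == mappedip that are not load-balance with arp-reply disabled."""
    findings = []
    for name, s in parse_vips(config_text).items():
        if s.get("extip") != s.get("mappedip"):
            continue
        if s["type"] == "static-nat":
            findings.append((name, "static-nat with extip == mappedip; rejected before FortiOS 7.2"))
        elif s["arp-reply"] != "disable":
            findings.append((name, "extip == mappedip but arp-reply is still enabled"))
    return findings

def find_overlaps(config_text):
    """Return {extip: [vip names]} for external IPs used by more than one VIP."""
    by_extip = {}
    for name, s in parse_vips(config_text).items():
        by_extip.setdefault(s.get("extip"), []).append(name)
    return {ip: names for ip, names in by_extip.items() if len(names) > 1}
```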