Created on 10-17-2022 01:51 AM. Edited on 10-17-2022 01:53 AM by Anthony_E.
Description:
This article describes how to set up a double NAT VIP across an inter-VDOM link, for the case where one VDOM has Internet access and the other does not. A VIP on the Internet-facing VDOM maps the external IP to an inter-VDOM link IP; a second VIP on the non-Internet-facing VDOM maps that same inter-VDOM IP to the internal host.
Scope: FortiGate 6.0.x, 6.2.x, 6.4.x, 7.0.x, 7.2.x - double NAT.
Solution:
Topology:
INET_VDOM -> Internet-facing VDOM
LAN_VDOM -> VDOM with no Internet access (LAN VDOM)
Goal:
The goal is to reach the internal LAN IP (10.185.3.170) from the external IP (10.47.3.170), with the traffic passing through two VIPs that share one inter-VDOM IP: double NAT.
Create a VIP object on the Internet-facing VDOM, vipA: 10.47.3.170 -> 10.10.10.100. This VIP maps the external IP to an inter-VDOM link IP; 10.10.10.100 is used in this demonstration.
Then create a VIP object on the non-Internet-facing VDOM, vipB: 10.10.10.100 -> 10.185.3.170. This VIP maps the inter-VDOM IP chosen in vipA to the actual internal LAN IP, 10.185.3.170.
Note. Whether SD-WAN is in use does not matter, because only one external IP is used for the VIP.
Method 1.
INET_VDOM (Internet facing VDOM) configuration:
Interface:
VIP Object:
Note. Any unused address in the inter-VDOM link subnet defined under Interfaces can be chosen as the mapped IP. Ensure the same inter-VDOM IP is used in the VIP objects of both VDOMs.
Firewall Policy:
-No Static Route configuration is required here.
LAN_VDOM (Non-Internet facing VDOM) configuration:
Interface:
VIP Object:
Note. Ensure inter-VDOM IP used in both VIP Objects of both VDOMs are the same.
Firewall Policy:
Static Route:
Note. The static route is required here so that return traffic is routed back through the inter-VDOM link, since LAN_VDOM has no other path out. For the gateway IP, use the inter-VDOM link IP of inter-VDOM0 on the INET_VDOM (10.10.10.1 in this example).
Result: This is how the session table should look.
Session table filters used (the filter value is the WAN IP):
# diag sys session filter ext-dst 10.47.3.170
# diag sys session list
In this screenshot, 10.111.36.200 is the IP pinging the WAN IP of INET_VDOM.
Method 2.
In Method 2, no static route to the inter-VDOM link is required on either VDOM. The configuration is exactly the same as Method 1, except that SNAT (NAT) is enabled on both VIP firewall policies. Note that with NAT enabled on the LAN_VDOM policy, the host at 10.185.3.170 sees the LAN_VDOM's outgoing interface address as the source rather than the original client; if the host's own logs need the real client address, use Method 1.
INET_VDOM Firewall Policy:
LAN_VDOM Firewall Policy:
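The Method 2 changes on top of the Method 1 objects, plus the session-table check for each VDOM, as an added example (not the article's own configuration). It assumes the policy and route IDs used above (policy 1 in each VDOM, static route 1 in LAN_VDOM) and the article's test client 10.111.36.200.

```fortios
# Added example: Method 2 deltas applied on top of the Method 1 objects.
# NAT on both VIP policies makes each hop's replies go to a directly connected
# address, so the LAN_VDOM static route is removed.
config vdom
    edit INET_VDOM
        config firewall policy
            edit 1
                set nat enable
            next
        end
    next
    edit LAN_VDOM
        config firewall policy
            edit 1
                set nat enable
            next
        end
        config router static
            delete 1
        end
    next
end

# Verification. In INET_VDOM the session is keyed on the external address;
# in LAN_VDOM it is keyed on the inter-VDOM IP, so the filter differs per VDOM.
# The filter persists for the CLI session, so clear it before and after.
config vdom
    edit INET_VDOM
        diagnose sys session filter clear
        diagnose sys session filter ext-dst 10.47.3.170
        diagnose sys session list
        diagnose sys session filter clear
    next
    edit LAN_VDOM
        diagnose sys session filter clear
        diagnose sys session filter ext-dst 10.10.10.100
        diagnose sys session list
        diagnose sys session filter clear
    next
end
```

With Method 2 the LAN_VDOM session shows 10.10.10.1 as the source (the INET_VDOM end of the link) instead of 10.111.36.200, which is the visible difference from Method 1.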
How does it work:
1) Traffic from the outside that hits the WAN IP 10.47.3.170 has its destination translated to 10.10.10.100 by vipA on the INET_VDOM, and is forwarded across the inter-VDOM link.
2) On the LAN_VDOM, traffic arriving over the inter-VDOM link for 10.10.10.100 has its destination translated to 10.185.3.170 by vipB.
3) No static route is required because SNAT on each policy replaces the client's source address with that VDOM's outgoing interface address: 10.10.10.1 on inter-VDOM0 for the INET_VDOM, and the LAN interface IP for the LAN_VDOM. Each hop's replies are therefore addressed to a directly connected network. On the way back, the LAN_VDOM reverse-translates the source from 10.185.3.170 to 10.10.10.100 and sends the packet over the inter-VDOM link to 10.10.10.1, and the INET_VDOM reverse-translates 10.10.10.100 back to 10.47.3.170 and sends it out the WAN link.
Result: This is how the session table should look.
Session table filters used (the filter value is the WAN IP):
# diag sys session filter ext-dst 10.47.3.170
# diag sys session list
In this screenshot, 10.111.36.200 is the IP pinging the WAN IP of INET_VDOM.