Created on 10-17-2022 01:51 AM Edited on 10-17-2022 01:53 AM By Anthony_E
Description
This article describes how to set up a double NAT VIP across an inter-VDOM link, for the case where one VDOM has Internet access and the other VDOM does not. A VIP on the Internet-facing VDOM maps the external IP to an inter-VDOM link IP, and a second VIP on the non-Internet-facing VDOM maps that same inter-VDOM IP to the internal LAN host.
Scope: FortiGate 6.0.x, 6.2.x, 6.4.x, 7.0.x, 7.2.x - Double NAT.
Solution
Topology:
INET_VDOM -> Internet-facing VDOM.
LAN_VDOM -> VDOM with no Internet access (LAN VDOM).
Goal:
The goal is to reach the internal LAN IP (10.185.3.170) from the external IP (10.47.3.170), with the traffic passing through two VIPs via an inter-VDOM IP. The same inter-VDOM IP is used in the VIP of both VDOMs, hence double NAT.
Create a VIP object on the Internet-facing VDOM, vipA: 10.47.3.170 -> 10.10.10.100. This VIP maps the external IP to an inter-VDOM IP; in this demonstration 10.10.10.100 is used.
Then create a VIP object on the non-Internet-facing VDOM, vipB: 10.10.10.100 -> 10.185.3.170. This VIP maps the inter-VDOM IP used in vipA to the actual internal LAN IP, 10.185.3.170.
Note. Whether SD-WAN is used does not matter, because only one external IP is used for the VIP.
Method 1.
INET_VDOM (Internet-facing VDOM) configuration:
Interface: (shown as a screenshot in the original article)
VIP Object: (shown as a screenshot in the original article)
Note. Any IP can be chosen for the mapped address as long as it is within the inter-VDOM link subnet configured under Interfaces. Ensure the inter-VDOM IP used in the VIP objects of both VDOMs is the same.
Firewall Policy: (shown as a screenshot in the original article)
- No static route configuration is required here.
LAN_VDOM (non-Internet-facing VDOM) configuration:
Interface: (shown as a screenshot in the original article)
VIP Object: (shown as a screenshot in the original article)
Note. Ensure the inter-VDOM IP used in the VIP objects of both VDOMs is the same.
Firewall Policy: (shown as a screenshot in the original article)
Static Route: (shown as a screenshot in the original article)
Note. The static route is required here so that traffic for the external source addresses is routed back through the inter-VDOM link. Without it, LAN_VDOM has no route back to the external source, so the first packet fails the reverse path check on the inter-VDOM interface and replies cannot be forwarded. For the gateway IP, use the inter-VDOM link IP on the INET_VDOM side (interface inter-VDOM0).
Result: This is how the session table should look (shown as a screenshot in the original article).
Session table filters used:
# diag sys session filter ext-dst 10.47.3.170 (the WAN IP)
# diag sys session list
In this screenshot, 10.111.36.200 is the IP pinging the WAN IP of INET_VDOM.
Method 2.
In Method 2, no static route to the inter-VDOM link is required on either VDOM. The configuration is otherwise identical to Method 1, except that NAT (source NAT to the outgoing interface address) is enabled on the VIP firewall policies of both VDOMs.
INET_VDOM Firewall Policy: (shown as a screenshot in the original article)
LAN_VDOM Firewall Policy: (shown as a screenshot in the original article)
How does it work.
1) Traffic from the external host that hits the WAN IP 10.47.3.170 is translated by vipA to 10.10.10.100 on INET_VDOM. Because NAT is enabled on that policy, the source address is also translated to INET_VDOM's own inter-VDOM link IP (10.10.10.1). The packet then passes through the inter-VDOM link.
2) On LAN_VDOM the packet arrives on the inter-VDOM link with destination 10.10.10.100, which vipB translates to 10.185.3.170. With NAT enabled on that policy, the source becomes LAN_VDOM's LAN interface address.
3) No static route is required because every hop only has to reply to a directly connected address. 10.185.3.170 replies to LAN_VDOM's LAN interface; LAN_VDOM reverses its translations (the source goes from 10.185.3.170 back to 10.10.10.100) and sends the reply to 10.10.10.1, the INET_VDOM end of the inter-VDOM link, which is on the directly connected link subnet. INET_VDOM reverses its own translations and forwards the reply out through the WAN link to the original source.
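The following CLI configuration is an added example that reproduces the screenshot configuration of Method 1 and Method 2 above; it is not taken from the original article. Names not given in the article are assumptions: the vdom-link is called "inter-VDOM" (interfaces inter-VDOM0 and inter-VDOM1, on 10.10.10.0/24 with 10.10.10.1 on the INET_VDOM side), the WAN interface in INET_VDOM is "wan1", the LAN interface in LAN_VDOM is "lan", and the policy and route IDs are 1. The addresses are those used in the article.

```fortios
# Added example, not the article's own configuration.
# Assumed names: vdom-link "inter-VDOM" (inter-VDOM0 in INET_VDOM, inter-VDOM1
# in LAN_VDOM), WAN interface "wan1", LAN interface "lan", IDs 1.

# --- Global: inter-VDOM link with one end in each VDOM ---------------------
config global
    config system vdom-link
        edit "inter-VDOM"
            set type ethernet
        next
    end
    config system interface
        edit "inter-VDOM0"
            set vdom "INET_VDOM"
            set ip 10.10.10.1 255.255.255.0
            set allowaccess ping
        next
        edit "inter-VDOM1"
            set vdom "LAN_VDOM"
            set ip 10.10.10.2 255.255.255.0
            set allowaccess ping
        next
    end
end

# --- INET_VDOM: vipA maps the external IP to the inter-VDOM IP -------------
config vdom
    edit INET_VDOM
        config firewall vip
            edit "vipA"
                set extip 10.47.3.170
                # If wan1 is an SD-WAN member, use: set extintf "any"
                set extintf "wan1"
                set mappedip "10.10.10.100"
            next
        end
        config firewall policy
            edit 1
                set name "WAN-to-vipA"
                set srcintf "wan1"
                set dstintf "inter-VDOM0"
                set srcaddr "all"
                set dstaddr "vipA"
                set action accept
                set schedule "always"
                set service "ALL"
                # Method 1: nat disable.  Method 2: set nat enable
                set nat disable
            next
        end
    next
end

# --- LAN_VDOM: vipB maps the same inter-VDOM IP to the LAN host ------------
config vdom
    edit LAN_VDOM
        config firewall vip
            edit "vipB"
                set extip 10.10.10.100
                set extintf "inter-VDOM1"
                set mappedip "10.185.3.170"
            next
        end
        config firewall policy
            edit 1
                set name "interVDOM-to-vipB"
                set srcintf "inter-VDOM1"
                set dstintf "lan"
                set srcaddr "all"
                set dstaddr "vipB"
                set action accept
                set schedule "always"
                set service "ALL"
                # Method 1: nat disable.  Method 2: set nat enable
                set nat disable
            next
        end
        # Method 1 only (omit for Method 2): return path to the external
        # sources goes back over the inter-VDOM link; gateway is the INET_VDOM
        # end of the link. A default route is assumed here; narrow "dst" to
        # the external source ranges if LAN_VDOM must not have any other
        # path out.
        config router static
            edit 1
                set dst 0.0.0.0 0.0.0.0
                set gateway 10.10.10.1
                set device "inter-VDOM1"
            next
        end
    next
end
```

The two VIPs carry the same inter-VDOM address 10.10.10.100 (extip of vipB equals mappedip of vipA), which is what makes the chain a double NAT. To switch from Method 1 to Method 2, change `set nat disable` to `set nat enable` on both policies and delete the static route in LAN_VDOM.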
Result: This is how the session table should look (shown as a screenshot in the original article).
Session table filters used:
# diag sys session filter ext-dst 10.47.3.170 (the WAN IP)
# diag sys session list
In this screenshot, 10.111.36.200 is the IP pinging the WAN IP of INET_VDOM.
Copyright 2024 Fortinet, Inc. All Rights Reserved.