Description

This article describes hairpin NAT across two Internet lines. Hairpin NAT works within a single VDOM, but in this case, in order to trigger the VIP from a different Internet line, VDOMs are needed, each VDOM with its own Internet line.

Consider the following example:

WAN1: 1.1.1.1/24
WAN2: 2.2.2.2/24

In a single-VDOM scenario (VDOMs disabled), only users behind port2 can reach the server in the DMZ via the VIP external IP 2.2.2.2. Users behind port1 are forced out via WAN1, but they cannot reach the VIP at 2.2.2.2 because the packet never leaves the VDOM, and a VIP cannot be triggered by traffic whose source is the WAN1 interface and whose destination is the WAN2 interface within the same VDOM. Even if the VIP is not bound to WAN2, it still will not work.
Scope

FortiGate

Solution
In order to make this scenario work, VDOMs must be used, where:

VDOM1 contains WAN1 and port1 (SNAT in the firewall policy)
VDOM2 contains WAN2, port2 and the DMZ (VIP configured)

When users behind port1 in VDOM1 access 2.2.2.2 (the VIP), the packet exits VDOM1 through WAN1 and enters VDOM2, where the VIP is matched and the translation to the DMZ server takes place. In this scenario the policy route is no longer needed, since WAN1 is the only Internet line in that VDOM.
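A worked FortiOS CLI configuration for the two-VDOM layout, added here as an example and not taken from the article: wan1 and wan2 are assigned to their VDOMs, VDOM1 applies source NAT on the port1-to-wan1 policy, and VDOM2 holds the VIP and the wan2-to-dmz policy. Assumed and not from the article: multi-VDOM mode is already enabled, port1, port2 and dmz are already assigned to VDOM1, VDOM2 and VDOM2 respectively, each VDOM has a default route out of its own WAN, and 10.10.10.10 is a placeholder for the DMZ server address.

```fortios
# Added example, not from the article. Assumed: multi-VDOM mode enabled, port1/port2/dmz
# already in their VDOMs, default routes present, 10.10.10.10 = placeholder DMZ server.
config global
    config system interface
        edit "wan1"
            set vdom "VDOM1"
            set ip 1.1.1.1 255.255.255.0
        next
        edit "wan2"
            set vdom "VDOM2"
            set ip 2.2.2.2 255.255.255.0
        next
    end
end
config vdom
    edit VDOM1
        config firewall policy
            edit 1
                set srcintf "port1"
                set dstintf "wan1"
                set srcaddr "all"
                set dstaddr "all"
                set action accept
                set schedule "always"
                set service "ALL"
                set nat enable
            next
        end
    next
    edit VDOM2
        config firewall vip
            edit "VIP_DMZ"
                set extip 2.2.2.2
                set extintf "wan2"
                set mappedip "10.10.10.10"
            next
        end
        config firewall policy
            edit 1
                set srcintf "wan2"
                set dstintf "dmz"
                set srcaddr "all"
                set dstaddr "VIP_DMZ"
                set action accept
                set schedule "always"
                set service "ALL"
            next
        end
    next
end
```

To confirm the packet really arrives on wan2 with the SNATed source 1.1.1.1, run `diagnose sniffer packet wan2 'host 2.2.2.2' 4` inside VDOM2 while a port1 client connects to the VIP.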
Copyright 2024 Fortinet, Inc. All Rights Reserved.