FortiGate
MichaelTorres
Article Id 372482
Description

This article describes a behavior where users have correctly configured Central NAT, but source port preservation only works intermittently.

Scope

FortiGate with Central NAT and SD-WAN.
Solution

See Technical Tip: How to preserve source port when central NAT is enabled for a description of how to configure central NAT so that the source port is preserved.

If it does not work, check the following:

1. Check whether the orig-port option is missing from the Central NAT configuration:

config firewall central-snat-map
    edit <policyID number>
        set status {enable|disable}
        set orig-port <----- Not available in CLI configuration.
    next
end

In this case, format the FortiGate to factory settings, then load the firmware image and restore the configuration backup. See Technical Tip: Formatting and loading FortiGate firmware image using TFTP.

2. Once the option is available, check whether there are multiple routes to the destination used by the central NAT rule:

get router info routing-table details x.x.x.x <----- Replace x.x.x.x with the destination IP.

Remember that the packet evaluation order in FortiGate is:

Packet -> Route evaluation -> FW policies -> Central NAT -> Internet.

If more than one ISP interface can reach the central NAT destination, check the SD-WAN rules. Create an SD-WAN rule or a policy-based route (PBR) that uses the Central NAT interface, so that traffic to the intended destination is forced out through that interface:

config router policy
    edit 1
        set input-device "port2"
        set src "0.0.0.0/0.0.0.0"
        set dst "x.x.x.x/255.255.255.255" <----- Replace x.x.x.x with the central NAT destination address.
        set output-device "port#" <----- Replace port# with the interface used by the central NAT rule.
    next
end

3. Clear the existing sessions and confirm that preservation works for the users:

di sys session filter src x.x.x.x <----- Replace x.x.x.x with the user's source IP.
di sys session clear
di sys session list
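To check step 3 across many sessions at once, the following added Python example (not part of this article or of FortiOS) parses captured output of diagnose sys session list and flags sessions whose translated source port differs from the original. The layout of the act=snat line and the sample output are assumptions based on FortiOS session output, constructed here for illustration.

```python
import re
from dataclasses import dataclass
from typing import Optional

# SNAT line as printed by "diagnose sys session list" (format assumed from FortiOS output):
# hook=post dir=org act=snat 192.168.1.10:54321->198.51.100.20:443(203.0.113.5:54321)
SNAT_LINE = re.compile(r"hook=\S+ dir=org act=snat (?P<src>[\d.]+):(?P<sport>\d+)->"
                       r"[\d.]+:\d+\((?P<nat_ip>[\d.]+):(?P<nat_port>\d+)\)")
POLICY_LINE = re.compile(r"\bpolicy_id=(\d+)")

@dataclass
class SnatSession:
    src: str
    sport: int
    nat_ip: str
    nat_port: int
    policy_id: Optional[int]

    @property
    def port_preserved(self) -> bool:
        # Preservation means the post-NAT source port equals the client's original port.
        return self.sport == self.nat_port

def parse_sessions(text: str) -> list:
    """Split the output into per-session blocks and pull out each SNAT translation."""
    found = []
    for block in text.split("session info:")[1:]:
        m = SNAT_LINE.search(block)
        if not m:
            continue  # no SNAT on this session, nothing to verify
        p = POLICY_LINE.search(block)
        found.append(SnatSession(m["src"], int(m["sport"]), m["nat_ip"], int(m["nat_port"]),
                                 int(p.group(1)) if p else None))
    return found

def unpreserved(text: str) -> list:
    """Sessions whose translated source port differs from the original (the symptom above)."""
    return [s for s in parse_sessions(text) if not s.port_preserved]

# Constructed sample: two sessions from one client; the second left via a different egress
# address (a second ISP interface) and lost its source port, the case step 2 describes.
SAMPLE = """\
session info: proto=6 proto_state=01 duration=5 expire=3595 timeout=3600
hook=post dir=org act=snat 192.168.1.10:54321->198.51.100.20:443(203.0.113.5:54321)
misc=0 policy_id=1 auth_info=0 chk_client_info=0 vd=0
session info: proto=6 proto_state=01 duration=2 expire=3598 timeout=3600
hook=post dir=org act=snat 192.168.1.10:54322->198.51.100.20:443(203.0.113.9:61000)
misc=0 policy_id=2 auth_info=0 chk_client_info=0 vd=0
total session 2
"""
```

Run unpreserved() on the saved output of di sys session list after the filter from step 3; any session it returns shows which policy and egress address translated the port.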