Description | This article describes how to troubleshoot issues where traffic is denied by the SNAT IP pool check.
Scope | FortiGate. |
Solution |
Central SNAT is enabled on the FortiGate. All traffic leaving the FortiGate is source-NATed by a central SNAT policy, which references an IP pool for the translated addresses.
Configuration:
The firewall policy is created from the LAN interface to the WAN interface with the action set to ACCEPT. Because central NAT is enabled, NAT is not configured on the policy itself; it is handled by the central SNAT map below.
config firewall policy
Central SNAT configuration:
config firewall central-snat-map
Symptom: only one internal IP address can reach the Internet, and every other internal source cannot. Run a debug flow filtered on a source IP address that cannot reach the Internet (see step 5 of the referenced article for the debug flow commands).
The debug flow shows the following received-packet trace for the affected host (an ICMP echo request from 192.168.111.4 to 8.8.8.8 arriving on port2); the trace that follows it reports the packet denied by the SNAT IP pool check:
id=20085 trace_id=976 func=print_pkt_detail line=5867 msg="vd-root:0 received a packet(proto=1, 192.168.111.4:5->8.8.8.8:2048) tun_id=0.0.0.0 from port2. type=8, code=0, id=5, seq=44."
Check the configuration of the IP pool referenced by the central SNAT policy:
config firewall ippool
A one-to-one IP pool maps each internal IP address to exactly one external (translated) IP address, with no port translation, so the pool can serve at most as many internal hosts as it has external addresses. For example, if a one-to-one pool is defined with a single external address (10.9.11.103 - 10.9.11.103), it can handle only one internal IP address: the first internal host to use it takes the only mapping, and traffic from every other internal source is denied by the SNAT IP pool check. To fix this, either widen the external range so there is one external address per internal host, or change the pool type to overload so that all internal hosts share the external address and are distinguished by translated source port.
config firewall ippool
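The following FortiOS CLI is an added, constructed example and not the configuration from the original article. It shows the debug flow filter for the affected host, a one-to-one pool holding a single external address (which reproduces the denial), the central SNAT map that references the pool, and the same pool changed to overload so that every internal host shares 10.9.11.103 with port translation. The pool name SNAT-POOL, the central SNAT map ID 1 and the WAN interface port1 are assumptions; the LAN interface port2 is taken from the debug trace above. Lines beginning with # are annotations, not CLI input.

```fortios
# Added example, not the article's own configuration.
# Assumed: pool name SNAT-POOL, central SNAT map ID 1, WAN interface port1.
# port2 (LAN) comes from the debug flow trace on this page.

# 1. Capture a debug flow for the host that cannot reach the Internet.
diagnose debug reset
diagnose debug flow filter clear
diagnose debug flow filter saddr 192.168.111.4
diagnose debug flow show function-name enable
diagnose debug console timestamp enable
diagnose debug flow trace start 20
diagnose debug enable
# ... generate traffic from 192.168.111.4 (for example, ping 8.8.8.8), then stop tracing:
diagnose debug disable
diagnose debug flow trace stop
diagnose debug flow filter clear
diagnose debug reset

# 2. Misconfigured pool: one-to-one with a single external address.
#    Only one internal host can hold 10.9.11.103; every other internal
#    source fails the SNAT IP pool check.
config firewall ippool
    edit "SNAT-POOL"
        set type one-to-one
        set startip 10.9.11.103
        set endip 10.9.11.103
    next
end

# 3. Central SNAT policy that references the pool (central NAT must be enabled).
config system settings
    set central-nat enable
end
config firewall central-snat-map
    edit 1
        set srcintf "port2"
        set dstintf "port1"
        set orig-addr "all"
        set dst-addr "all"
        set nat-ippool "SNAT-POOL"
    next
end

# 4. Fix. Option A: keep one-to-one but provide one external address per
#    internal host, e.g. startip 10.9.11.103 / endip 10.9.11.110 for up to
#    eight hosts. Option B (shown): change the type to overload so all
#    internal hosts share 10.9.11.103, distinguished by translated source port.
config firewall ippool
    edit "SNAT-POOL"
        set type overload
        set startip 10.9.11.103
        set endip 10.9.11.103
    next
end
```

After applying the fix, re-run the debug flow for a previously failing source: the trace should now show the packet matching central SNAT map 1 and being translated to 10.9.11.103 instead of being denied by the SNAT IP pool check.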
Reference article for IP Pools: