Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
DamianLozano
New Contributor

Central NAT - DNAT configuration

Hello,

I just installed a new FortiGate and for the first time enabled "central NAT" from the CLI.

I created a SNAT rule for each outgoing Internet connection and I think these rules are working because I can browse the Internet.

Now I want to forward TCP port 81 to 10.1.1.234 because I need to access it from the Internet.

I created the following "DNAT & Virtual IP":

Interface: lan (I don't know if this should be the source or destination interface, but I tested with each with no luck)

Source Interface Filter: disabled

External IP Address/Range: PublicIP

Mapped IP Address/Range: 10.1.1.234

Optional Filters: disabled

Port Forwarding: enabled

Protocol: TCP

External Service Port: 81

Map to Port: 81

I can connect from inside with "telnet 10.1.1.234 81" but I cannot connect from outside with "telnet publicIP 81", so the "DNAT & Virtual IP" is not working.

What is wrong?

Thanks in advance.

Regards,

Damián

19 REPLIES
DamianLozano
New Contributor

Thanks for your response.

There is no rule from sd-wan -> lan.

This is because I could not select a VIP in a policy.

I temporarily added a rule to allow everything, but as this did not solve the issue I deleted it.

So, every time I need to create a VIP I need to do the following?

- Create a rule

- Enable the match-vip from cli

- Match VIP in the rule

This does not make sense to me.

In this case, what is "Central NAT" for?

I thought that no rule is needed with "Central NAT"; that is what I understood in the course.

Regards,

Damián

emnoc
Esteemed Contributor III

So, every time I need to create a VIP I need to do the following?
- Create a rule
- Enable the match-vip from cli
- Match VIP in the rule

Yes, you need a policy, if that is what you mean by rule. Without a policy, and without the VIP defined as the destination, it is not going to work. All traffic is controlled by the policy.

In this case, what is "Central NAT" for?

A central NAT table just provides a central table for NAT translation, but for SNAT. A VIP is not controlled by the central-nat table. In fact the name suggests it's a SNAT map.

People who like the central-nat table are mainly people that come from the Checkpoint, Juniper, Cisco ASA, Palo shop, since it works nearly the same.

If you enable central-snat you do NOT use NAT in your policy; the table manages the SNATs.

Read more here.

https://help.fortinet.com/cli/fos60hlp/60/Content/FortiOS/fortiOS-cli-ref/config/firewall/central-sn...

;)

BTW SNAT has nothing to do with your VIP, fwiw

Ken Felix

PCNSE NSE StrongSwan
DamianLozano
New Contributor

Hello again,

I hope I don't need to explain again that although I attached an image from a course, this is about a real FortiGate in a production environment (the course ended some weeks ago, the lab is no longer available).

I finally could test, and did the following:

- Added a service for port 81

- Added a rule from sd-wan to lan for this service

- Tried to enable match-vip for this policy as in https://kb.fortinet.com/kb/documentLink.do?externalID=FD33338 but failed:

FGT # config firewall policy
FGT (policy) # edit 5
FGT (5) # set match-vip enable
command parse error before 'match-vip'
Command fail. Return code -61

So, I attached again the image from the lab guide which I followed when I did the course.

In this image you can see the following words from Fortigate: "As soon as VIP object is created, Fortigate automatically creates a rule in the kernel for DNAT to occur", which I interpreted as: "I don't need to create a policy".

What is the problem here?

If I need to enable match-vip for the rule, what is the proper command to accomplish this?

Regards,

Damián

emnoc
Esteemed Contributor III

Not sure what you are doing, but first let's start with this:

"As soon as VIP object is created, Fortigate automatically creates a rule in the kernel for DNAT to occur", which I interpreted as: "I don't need to create a policy"

Creating a VIP does NOT side-step the need for a rule. I'm not sure why you keep bringing this up.

Second, let's see fw-policy #5

(from the CLI, using the above-mentioned policy id 5)

show full firewall policy 5

Let's see your VIP so we can fully understand what you're doing

show full firewall vip

Can you give us those 2 outputs from the CLI?

Ken Felix

PCNSE NSE StrongSwan
DamianLozano

Sure, thanks for your reply.

FGT # show full firewall policy 5 
config firewall policy
    edit 5
        set name "DVR"
        set uuid a6d824f4-ec4d-51ea-7f07-66b8d321df2d
        set srcintf "virtual-wan-link"
        set dstintf "lan"
        set srcaddr "all"
        set dstaddr "DVRs"
        set internet-service disable
        set internet-service-src disable
        set rtp-nat disable
        set learning-mode disable
        set action accept
        set status enable
        set schedule "always"
        set schedule-timeout disable
        set service "Web2"
        set dscp-match disable
        set utm-status disable
        set logtraffic utm
        set logtraffic-start disable
        set auto-asic-offload enable
        set np-acceleration enable
        set permit-any-host disable
        set permit-stun-host disable
        set session-ttl 0
        set vlan-cos-fwd 255
        set vlan-cos-rev 255
        set wccp disable
        set fsso disable
        set disclaimer disable
        set natip 0.0.0.0 0.0.0.0
        set diffserv-forward disable
        set diffserv-reverse disable
        set tcp-mss-sender 0
        set tcp-mss-receiver 0
        set comments ''
        set block-notification disable
        set replacemsg-override-group ''
        set srcaddr-negate disable
        set dstaddr-negate disable
        set service-negate disable
        set timeout-send-rst disable
        set captive-portal-exempt disable
        set ssl-mirror disable
        set scan-botnet-connections disable
        set dsri disable
        set radius-mac-auth-bypass disable
        set delay-tcp-npu-session disable
        unset vlan-filter
        set profile-protocol-options "default"
        set traffic-shaper ''
        set traffic-shaper-reverse ''
        set per-ip-shaper ''
    next
end
 
FGT # show full firewall vip
config firewall vip
    edit "DVR"
        set id 0
        set uuid 71b50130-e166-51ea-3826-075742213cf8
        set comment "Port 81 to DVR"
        set type static-nat
        set extip 179.60.208.66
        set extintf "any"
        set arp-reply enable
        set nat-source-vip disable
        set portforward enable
        set gratuitous-arp-interval 0
        set color 18
        set mappedip "10.1.1.234"
        set protocol tcp
        set extport 81
        set mappedport 81
        set portmapping-type 1-to-1
    next
end

 

Regards,

Damián
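The two outputs above are the things Ken asked for because a VIP only takes effect when some accept policy's dstaddr selects it (directly or through a VIP group). The following is an added example, not code from the thread or from Fortinet: a small parser for the `show full` output format FortiOS prints, plus an audit that checks which policies would pick up a given VIP. The sample input is abridged from the thread's own two outputs; the `firewall vipgrp` block is constructed here (the thread never shows what "DVRs" is) to demonstrate how a group reference resolves. The check of `service` is only a reminder, since the custom service "Web2" is not in this output.

```python
import shlex
from collections import defaultdict

# Abridged from the `show full firewall policy 5` and `show full firewall vip`
# output posted in the thread: only the lines the audit reads are kept; the
# parser treats the omitted `set` lines exactly the same way.
PAGE_OUTPUT = """\
FGT # show full firewall policy 5
config firewall policy
    edit 5
        set name "DVR"
        set srcintf "virtual-wan-link"
        set dstintf "lan"
        set srcaddr "all"
        set dstaddr "DVRs"
        set action accept
        set status enable
        set service "Web2"
        set comments ''
        unset vlan-filter
    next
end
FGT # show full firewall vip
config firewall vip
    edit "DVR"
        set type static-nat
        set extip 179.60.208.66
        set extintf "any"
        set portforward enable
        set mappedip "10.1.1.234"
        set protocol tcp
        set extport 81
        set mappedport 81
    next
end
"""

# Constructed, not from the thread: a VIP group named like policy 5's dstaddr
# with the VIP as its member, to show the audit resolving a group reference.
CONSTRUCTED_VIPGRP = """\
config firewall vipgrp
    edit "DVRs"
        set member "DVR"
    next
end
"""


def parse_fortios_show(text):
    """Parse FortiOS `show` output into {table: {entry: {key: [values]}}}.
    Handles config/edit/set/unset/next/end, nested config blocks, and skips
    CLI prompt lines.  Values are split with shell quoting rules."""
    tables = defaultdict(dict)
    table_stack, entry_stack = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("FGT #"):
            continue
        cmd, *args = shlex.split(line)
        if cmd == "config":
            table_stack.append(" ".join(args))
        elif cmd == "edit":
            entry_stack.append(args[0])
            tables[table_stack[-1]].setdefault(args[0], {})
        elif cmd == "set":
            tables[table_stack[-1]].setdefault(entry_stack[-1], {})[args[0]] = args[1:]
        elif cmd == "next":
            entry_stack.pop()
        elif cmd == "end":
            table_stack.pop()
    return dict(tables)


def unresolved_dstaddr(tables):
    """dstaddr names used by policies that are in none of the parsed object
    tables: fetch those tables (`show firewall vipgrp` etc.) before trusting audit_vip."""
    known = {"all"}
    for t in ("firewall vip", "firewall vipgrp", "firewall address", "firewall addrgrp"):
        known |= set(tables.get(t, {}))
    return sorted({n for pol in tables.get("firewall policy", {}).values()
                   for n in pol.get("dstaddr", []) if n not in known})


def audit_vip(tables, vip_name):
    """[(policy_id, [issues])] for each policy whose dstaddr selects the VIP,
    directly or via a parsed `firewall vipgrp`.  Empty = no parsed policy would
    pick up the DNATed traffic."""
    vip = tables["firewall vip"][vip_name]
    groups = tables.get("firewall vipgrp", {})
    selectors = {vip_name} | {g for g, cfg in groups.items() if vip_name in cfg.get("member", [])}
    extintf = vip.get("extintf", ["any"])[0]
    proto, extport = vip.get("protocol", ["tcp"])[0], vip.get("extport", ["?"])[0]
    report = []
    for pid, pol in tables.get("firewall policy", {}).items():
        if not set(pol.get("dstaddr", [])) & selectors:
            continue
        issues = []
        if pol.get("action", ["deny"])[0] != "accept":
            issues.append("action is not accept")
        if pol.get("status", ["enable"])[0] != "enable":
            issues.append("policy is disabled")
        if extintf != "any" and extintf not in pol.get("srcintf", []):
            issues.append(f"srcintf does not include the VIP extintf {extintf}")
        for svc in pol.get("service", []):
            if svc != "ALL":  # custom service contents are not in this output
                issues.append(f"verify service {svc} covers {proto}/{extport}")
        report.append((pid, issues))
    return report


if __name__ == "__main__":
    page = parse_fortios_show(PAGE_OUTPUT)
    print("unresolved dstaddr:", unresolved_dstaddr(page))   # ['DVRs']
    print("policies selecting DVR:", audit_vip(page, "DVR"))  # [] until the group is known
    both = parse_fortios_show(PAGE_OUTPUT + CONSTRUCTED_VIPGRP)
    print("with the vipgrp parsed:", audit_vip(both, "DVR"))
```

Run against the thread's output alone, the audit reports "DVRs" as unresolved and finds no policy selecting the VIP; once the (constructed) group is parsed, policy 5 is found and the only open item is confirming that "Web2" really is tcp/81, which Damián confirms in a later reply.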

emnoc
Esteemed Contributor III

The custom service web2, is that set for tcp port 81? What I would do is run "diag debug flow" and look for the traffic and the match.

   diag debug flow filter port 81

   diag debug flow filter addr 179.60.208.66

   diag debug enable

   diag debug flow trace start 10

Then start some traffic, look, and update us with what you see.

Ken Felix

PCNSE NSE StrongSwan
DamianLozano
New Contributor

Hello, thanks for your response.

The custom service web2, is that set for tcp port 81?

Yes, only TCP 81.

I already did a debug flow and pasted it in a previous note of this post:

id=20085 trace_id=1 func=print_pkt_detail line=5573 msg="vd-root:0 received a packet(proto=6, SRCpublicIP:53495->WAN1IP:81) from wan. flag , seq 4175373843, ack 0, win 64240"
id=20085 trace_id=1 func=init_ip_session_common line=5744 msg="allocate a new session-01b345f2"
id=20085 trace_id=1 func=vf_ip_route_input_common line=2591 msg="find a route: flag=80000000 gw-WAN1IP via root"
id=20085 trace_id=1 func=fw_local_in_handler line=412 msg="iprope_in_check() check failed on policy 0, drop"

There is no rule to allow this traffic.

Regards,

Damián
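The trace above is the `diag debug flow` output Ken asked for, and it carries the diagnosis: the packet to WAN1IP:81 reaches `fw_local_in_handler` and is dropped by local-in policy 0, which is what happens when no VIP matches the destination address and the FortiGate treats the packet as addressed to itself. That is consistent with what Damián finds later in the thread (the VIP carried the secondary WAN's public IP). The following is an added example, not code from the thread or from Fortinet, that parses debug-flow records and classifies each flow. The first sample is the thread's own trace (the poster's redacted SRCpublicIP/WAN1IP tokens are kept); the second is constructed here to show the healthy case, with documentation-range addresses and `func`/`msg` strings modelled on the FortiOS debug-flow format for a VIP hit and a forward-policy accept, which are assumptions since the thread never shows a successful trace.

```python
import re

# The `diag debug flow` trace from the thread (public addresses redacted by the
# poster as SRCpublicIP / WAN1IP); one record per line for readability, the
# parser also accepts the run-together form shown in the post.
PAGE_TRACE = """\
id=20085 trace_id=1 func=print_pkt_detail line=5573 msg="vd-root:0 received a packet(proto=6, SRCpublicIP:53495->WAN1IP:81) from wan. flag , seq 4175373843, ack 0, win 64240"
id=20085 trace_id=1 func=init_ip_session_common line=5744 msg="allocate a new session-01b345f2"
id=20085 trace_id=1 func=vf_ip_route_input_common line=2591 msg="find a route: flag=80000000 gw-WAN1IP via root"
id=20085 trace_id=1 func=fw_local_in_handler line=412 msg="iprope_in_check() check failed on policy 0, drop"
"""

# Constructed (not from the thread): the same flow when the VIP matches and a
# forward policy accepts it.  Addresses are documentation ranges; the record
# strings are modelled on FortiOS debug-flow output (an assumption).
HEALTHY_TRACE = """\
id=20085 trace_id=2 func=print_pkt_detail line=5573 msg="vd-root:0 received a packet(proto=6, 203.0.113.10:40000->198.51.100.5:81) from wan. flag [S], seq 1, ack 0, win 64240"
id=20085 trace_id=2 func=init_ip_session_common line=5744 msg="allocate a new session-01b345f3"
id=20085 trace_id=2 func=fw_pre_route_handler line=182 msg="VIP-10.1.1.234:81, outdev-wan"
id=20085 trace_id=2 func=__ip_session_run_tuple line=3227 msg="DNAT 198.51.100.5:81->10.1.1.234:81"
id=20085 trace_id=2 func=vf_ip_route_input_common line=2591 msg="find a route: flag=04000000 gw-10.1.1.234 via lan"
id=20085 trace_id=2 func=fw_forward_handler line=743 msg="Allowed by Policy-5:"
"""

RECORD = re.compile(r'id=\d+ trace_id=(\d+) func=(\S+) line=\d+ msg="([^"]*)"')
PACKET = re.compile(r"received a packet\(proto=(\d+), ([^\s:]+):(\d+)->([^\s:]+):(\d+)\) from (\S+)\.")
VIP_HIT = re.compile(r"VIP-(\S+?),")
ALLOWED = re.compile(r"Allowed by Policy-(\d+)")

EXPLANATION = {
    "local-in-drop": "no VIP matched the destination address, so the packet was treated as "
                     "addressed to the FortiGate itself and dropped by local-in policy 0",
    "forward-policy-drop": "DNAT happened but no policy from the ingress interface to the "
                           "mapped host allows the service",
    "allowed": "VIP matched and a forward policy accepted the flow",
    "incomplete": "trace ended before a verdict; capture more lines",
}


def analyze_trace(text):
    """Group debug-flow records by trace_id and derive a verdict per flow."""
    flows = {}
    for tid, func, msg in RECORD.findall(text):
        f = flows.setdefault(tid, {"verdict": "incomplete", "dnat": None, "policy": None})
        if func == "print_pkt_detail" and (p := PACKET.search(msg)):
            f.update(proto=int(p.group(1)), src=p.group(2), sport=int(p.group(3)),
                     dst=p.group(4), dport=int(p.group(5)), iface=p.group(6))
        elif func == "fw_pre_route_handler" and (v := VIP_HIT.search(msg)):
            f["dnat"] = v.group(1)          # DNAT target chosen for this packet
        elif func == "fw_local_in_handler" and "drop" in msg:
            f["verdict"] = "local-in-drop"  # packet never left the local-in path
        elif func == "fw_forward_handler":
            if a := ALLOWED.search(msg):
                f["verdict"], f["policy"] = "allowed", a.group(1)
            elif "Denied by forward policy" in msg:
                f["verdict"] = "forward-policy-drop"
    return flows


def explain(flow):
    """One-line human reading of a flow, e.g. for a ticket update."""
    where = (f"{flow.get('src')}:{flow.get('sport')} -> "
             f"{flow.get('dst')}:{flow.get('dport')} in {flow.get('iface')}")
    return f"{where}: {EXPLANATION[flow['verdict']]}"


if __name__ == "__main__":
    for name, trace in (("thread trace", PAGE_TRACE), ("constructed healthy trace", HEALTHY_TRACE)):
        for tid, flow in analyze_trace(trace).items():
            print(f"{name} #{tid}: {explain(flow)}")
```

The useful distinction is between the two drop sites: a drop in `fw_local_in_handler` means the VIP never matched (wrong extip, wrong extintf, or a disabled VIP), while a "Denied by forward policy" drop in `fw_forward_handler` means DNAT worked and the missing piece is the policy, which is the case Ken's earlier replies cover.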

emnoc
Esteemed Contributor III

Do us a favor: please take the ext-ip of the VIP and ensure it's not being used elsewhere on the FortiGate.

(i.e. using 179.60.208.66)

#cli

show full | grep -f 179.60.208.66

Ken Felix

PCNSE NSE StrongSwan
DamianLozano

Hello, thanks for your help.

I just checked again and I could connect with the correct IP.

I saw that the VIP had the external IP of the secondary WAN connection; when I changed it to use the primary WAN connection it started working, then I changed it again to the secondary and it worked again.

I don't know what happened there, because when I did the test the first time I used the correct IP and I had created a rule to allow everything, just for some minutes for testing purposes.

Thanks.

Regards,

Damián

DamianLozano

I started before with Mikrotik and I like it (I know about the pros of FortiGate, of course).

When I did the NSE4 course I started to like FortiGate a little more than before, but I still prefer Mikrotik for almost everything.

There is a very huge difference between the documentation of both; this is why I like Mikrotik. There is a lot of insignificant documentation about FortiGate, there are a lot of pages with useless information.

An example of useless documentation is something like this:

To create an IPsec VPN do the following: Go to VPN IPsec, Click on create new, Complete field 1, Complete field 2, Complete field 3, Click finish

I have found a lot of FortiGate pages like this; do you understand why this is useless? Somewhere it should say what every field is, which kind of VPN that is, what it is for, etc.

And I think this is why this post took too much time: a lot of suggestions to do useless steps, a lot of ignorance about a lot of FortiGate features (I am the first with ignorance).

Of course I sometimes find some good FortiGate documentation, but I need to have a very lucky day.

I think Fortigate should improve its documentation, but this will take a lot of days of work for the people with enough knowledge.

Regards,

Damián
