Hi,
I needed to setup some 'conditionnal NAT' to redirect (DNS) trafic from one IP to another on the same subnet but only from trafic coming from an IPsec VPN, and not from other part of the network and only for DNS trafic.
So i tried using a virtual ip for this and set it up like this:
config firewall vip edit "DNS Rewriting for CMA HO/1" set uuid 0b500544-eb2d-51eb-3f53-4325366f7882 set src-filter "10.0.100.0/24" "10.1.170.0/24" "10.1.171.0/24" set service "DNS" set extip 10.0.0.11 set extintf "any" set srcintf-filter "VPN" set mappedip "10.0.0.42" next end
(with the corresponding policy)
This "almost" work in the way that the trafic i do need redirected is indeed redirected and that's great, however every other trafic to 10.0.0.11 is now failing, as is dns trafic to this IP but from other part of the network, i am a bit puzzled ..
i tried switching from "set service" to basic port-forwarding:
set protocol udp set extport 53 set mappedport 53
But the result is the same in that every other trafic is not working it's way to the 10.0.0.11 server
Is there a way to do this kind of fine tuned NAT with FortiOS ?
Regards,
Benoit
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
you can try to bind the VPN interface to VIP, so DNS traffic coming to VPN interface will only be redirected to 10.0.0.42.
set extintf "any" >>>>>>> set extintf "VPN"
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1712 | |
1093 | |
752 | |
447 | |
231 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.