benoit_plessis
New Contributor

Conditional NAT on some path/source

Hi,

I needed to set up some 'conditional NAT' to redirect (DNS) traffic from one IP to another on the same subnet, but only for traffic coming from an IPsec VPN, not from other parts of the network, and only for DNS traffic.

So I tried using a virtual IP for this and set it up like this:

config firewall vip
    edit "DNS Rewriting for CMA HO/1"
        set uuid 0b500544-eb2d-51eb-3f53-4325366f7882
        set src-filter "10.0.100.0/24" "10.1.170.0/24" "10.1.171.0/24"
        set service "DNS"
        set extip 10.0.0.11
        set extintf "any"
        set srcintf-filter "VPN"
        set mappedip "10.0.0.42"
    next
end

(with the corresponding policy)

This "almost" works, in the sense that the traffic I do need redirected is indeed redirected, and that's great; however, every other traffic to 10.0.0.11 is now failing, as is DNS traffic to this IP from other parts of the network. I am a bit puzzled...

I tried switching from "set service" to basic port forwarding:

set protocol udp
set extport 53
set mappedport 53

But the result is the same, in that every other traffic is not working its way to the 10.0.0.11 server.

Is there a way to do this kind of fine-tuned NAT with FortiOS?

Regards,

Benoit

Kush_Patel
Staff

You can try to bind the VPN interface to the VIP, so DNS traffic coming to the VPN interface will only be redirected to 10.0.0.42.

set extintf "any"  >>>>>>> set extintf "VPN"
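
The reply's suggestion carried through to a complete configuration, as an added example that is neither the poster's nor the reply's own config: the VIP bound to the VPN interface, together with the policy that allows the rewritten DNS traffic. The address object names and the policy name are assumed, and "internal" is a placeholder for the interface behind which 10.0.0.11 and 10.0.0.42 sit.

```fortios
# Added example, not the thread's own config. Interface "VPN" and all
# IP values come from the thread; address/policy names are assumed and
# "internal" is a placeholder for the LAN-side interface name.
config firewall address
    edit "vpn-dns-clients-1"
        set subnet 10.0.100.0 255.255.255.0
    next
    edit "vpn-dns-clients-2"
        set subnet 10.1.170.0 255.255.255.0
    next
    edit "vpn-dns-clients-3"
        set subnet 10.1.171.0 255.255.255.0
    next
end

# VIP bound to the VPN interface (extintf "VPN" instead of "any"), so
# it is only considered for traffic arriving on that interface. The
# src-filter keeps the rewrite limited to the listed VPN subnets, and
# "set service DNS" limits it to DNS.
config firewall vip
    edit "DNS Rewriting for CMA HO/1"
        set src-filter "10.0.100.0/24" "10.1.170.0/24" "10.1.171.0/24"
        set service "DNS"
        set extip 10.0.0.11
        set extintf "VPN"
        set mappedip "10.0.0.42"
    next
end

# Policy that permits the redirected traffic. The VIP is the dstaddr;
# srcaddr is restricted to the same VPN subnets as the VIP src-filter,
# and service is DNS only, so nothing else from the VPN is affected.
config firewall policy
    edit 0
        set name "VPN-DNS-rewrite"
        set srcintf "VPN"
        set dstintf "internal"
        set srcaddr "vpn-dns-clients-1" "vpn-dns-clients-2" "vpn-dns-clients-3"
        set dstaddr "DNS Rewriting for CMA HO/1"
        set action accept
        set schedule "always"
        set service "DNS"
        set comments "Rewrite DNS to 10.0.0.42 for VPN clients only"
    next
end
```

Traffic to 10.0.0.11 that enters on any other interface is no longer matched by this VIP, so the existing policies for that server continue to apply to it.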
