
Conditional NAT on some path/source



I needed to set up some 'conditional NAT' to redirect (DNS) traffic from one IP to another on the same subnet, but only for traffic coming from an IPsec VPN, not from other parts of the network, and only for DNS traffic.

So I tried using a virtual IP for this and set it up like this:


config firewall vip
    edit "DNS Rewriting for CMA HO/1"
        set uuid 0b500544-eb2d-51eb-3f53-4325366f7882
        set src-filter "" "" ""
        set service "DNS"
        set extip
        set extintf "any"
        set srcintf-filter "VPN"
        set mappedip ""
    next
end


(with the corresponding policy)


This "almost" works, in the way that the traffic I do need redirected is indeed redirected, and that's great; however, every other traffic to is now failing, as is DNS traffic to this IP from other parts of the network. I am a bit puzzled...


I tried switching from "set service" to basic port forwarding:

set protocol udp
set extport 53
set mappedport 53


But the result is the same, in that all other traffic is not making its way to the server.

Is there a way to do this kind of fine-tuned NAT with FortiOS?






You can try to bind the VPN interface to the VIP, so DNS traffic coming to the VPN interface will only be redirected to


set extintf "any"  >>>>>>> set extintf "VPN"
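As an added example (not the poster's own configuration and not part of the reply), here is the VIP from the question with the reply's change applied, using the port-forwarding variant the poster also tried, together with the kind of firewall policy the question refers to. The interface names `VPN` and `internal`, the addresses `192.0.2.10` (where clients send DNS) and `192.0.2.20` (the host that should actually receive it), and the policy name are placeholders; the real addresses in the original post were not preserved.

```text
# Added example, not from the original post. Placeholders: interface names
# VPN / internal, addresses 192.0.2.10 (extip) and 192.0.2.20 (mappedip).
config firewall vip
    edit "DNS Rewriting for CMA HO/1"
        set extip 192.0.2.10
        # The question used extintf "any"; the reply's change is to bind the
        # VIP to the VPN interface so only packets arriving there are rewritten.
        set extintf "VPN"
        set srcintf-filter "VPN"
        set mappedip "192.0.2.20"
        set portforward enable
        set protocol udp
        set extport 53
        set mappedport 53
    next
end

# Policy that lets the rewritten DNS traffic through. Using the VIP object as
# the destination address keeps the policy scoped to exactly this flow.
config firewall policy
    edit 0
        set name "VPN-to-DNS-rewrite"
        set srcintf "VPN"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "DNS Rewriting for CMA HO/1"
        set action accept
        set schedule "always"
        set service "DNS"
    next
end
```

Two things worth checking after applying this. First, a VIP by default makes the FortiGate answer ARP for `extip` on the external interface (`arp-reply` is enabled unless set otherwise); when `extip` is the address of a real host on a directly connected subnet, `set arp-reply disable` on the VIP keeps the firewall from answering for an address that belongs to that host. Second, `diagnose sniffer packet any 'port 53' 4` shows on which interface DNS packets arrive and whether the destination was rewritten, which is the quickest way to confirm that only the VPN-sourced traffic is being redirected.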

