Hi,
I am having a strange issue with Central NAT - DNAT configuration.
Below is my topology.
Below are the configuration:
config firewall vip
    edit "IBZ-Server-to-136"
        set uuid 4fb18976-7973-51e8-1240-8a7c051886e4
        set src-filter "10.123.11.10/32"
        set extip 10.123.123.0-10.123.123.255
        set extintf "port2"
        set nat-source-vip enable
        set srcintf-filter "port3"
        set mappedip "136.0.0.0-136.0.0.255"
    next
end
I get the desired result. But I also get the undesired result.
Desired Result:
3.066018 port3 in 10.123.11.10 -> 10.123.123.10: icmp: echo request
3.066067 port2 out 10.123.11.10 -> 136.0.0.10: icmp: echo request
3.072249 port2 in 136.0.0.10 -> 10.123.11.10: icmp: echo reply
3.072286 port3 out 10.123.123.10 -> 10.123.11.10: icmp: echo reply
Undesired Result:
11.877979 port2 in 136.0.0.11 -> 10.123.11.10: icmp: echo request
11.878027 port3 out 10.123.123.11 -> 10.123.11.10: icmp: echo request
11.888300 port3 in 10.123.11.10 -> 10.123.123.11: icmp: echo reply
11.888325 port2 out 10.123.11.10 -> 136.0.0.11: icmp: echo reply
Summary:
I want traffic from <10.123.11.10> to <10.123.123.0/24> DNAT to <136.0.0.0/24>.
But traffic from <136.0.0.0/24> is also source NATted to <10.123.123.0/24> (even with src-filter).
Please help if this is a bug or so. If not, how to implement the above requirement?
A similar issue is explained in "https://forum.fortinet.com/tm.aspx?m=138667" also.
FortiOS used = 5.6 and 6.0.1
Thanks
San
Try the CLI command diag debug flow and provide the output.
Ken
PCNSE
NSE
StrongSwan
Below is the icmp flow debug output.
FortiGate-VM64 # id=20085 trace_id=24 func=print_pkt_detail line=5320 msg="vd-root:0 received a packet(proto=1, 136.0.0.11:11->10.123.11.11:2048) from port2. type=8, code=0, id=11, seq=0."
id=20085 trace_id=24 func=init_ip_session_common line=5480 msg="allocate a new session-00008148"
id=20085 trace_id=24 func=vf_ip_route_input_common line=2590 msg="find a route: flag=00000000 gw-10.123.11.11 via port3"
id=20085 trace_id=24 func=fw_forward_handler line=749 msg="Allowed by Policy-2: SNAT"
id=20085 trace_id=24 func=__ip_session_run_tuple line=3226 msg="SNAT 136.0.0.11->10.123.123.11:11"
id=20085 trace_id=25 func=print_pkt_detail line=5320 msg="vd-root:0 received a packet(proto=1, 10.123.11.11:11->10.123.123.11:0) from port3. type=0, code=0, id=11, seq=0."
id=20085 trace_id=25 func=resolve_ip_tuple_fast line=5395 msg="Find an existing session, id-00008148, reply direction"
id=20085 trace_id=25 func=__ip_session_run_tuple line=3240 msg="DNAT 10.123.123.11:0->136.0.0.11:11"
id=20085 trace_id=25 func=vf_ip_route_input_common line=2590 msg="find a route: flag=04000000 gw-10.123.10.10 via port2"
Below are the configurations that may be needed.
FortiGate-VM64 # show firewall policy
config firewall policy
    edit 1
        set name "123"
        set uuid e4d8930a-7897-51e8-0b6d-2608bf493342
        set srcintf "any"
        set dstintf "any"
        set srcaddr "all"
        set dstaddr "swscan.apple.com"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 2
        set name "ping test"
        set uuid a89be098-78d5-51e8-213f-b62a721b6d61
        set srcintf "any"
        set dstintf "any"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL_ICMP"
        set logtraffic all
    next
end
FortiGate-VM64 # show firewall vip
config firewall vip
    edit "IBZ-Server-to-136"
        set uuid 2e8205be-7941-51e8-85d9-a7a3b463c25d
        set src-filter "10.123.11.10/32"
        set extip 10.123.123.0-10.123.123.255
        set extintf "port2"
        set nat-source-vip enable
        set srcintf-filter "port3"
        set mappedip "136.0.0.0-136.0.0.255"
    next
end
FortiGate-VM64 # show firewall central-snat-map
config firewall central-snat-map
    edit 1
        set orig-addr "OUT"
        set srcintf "any"
        set dst-addr "IBZ1"
        set dstintf "any"
        set nat-ippool "GW-IP-IBZ1"
    next
    edit 2
        set orig-addr "136"
        set srcintf "port2"
        set dst-addr "all"
        set dstintf "port3"
        set nat disable
    next
end
FortiGate-VM64 # show firewall address 136
config firewall address
    edit "136"
        set uuid 65d67122-78dc-51e8-3d65-89f6349f5c4b
        set subnet 136.0.0.0 255.255.255.0
    next
end
FortiGate-VM64 # show firewall address OUT
config firewall address
    edit "OUT"
        set uuid bdc42078-78d7-51e8-80ee-d219bd45f314
        set subnet 10.123.10.0 255.255.255.0
    next
end
FortiGate-VM64 # show firewall address IBZ1
config firewall address
    edit "IBZ1"
        set uuid cb5b31cc-78d7-51e8-041d-80282e80612d
        set subnet 10.123.11.0 255.255.255.0
    next
end
I have contacted TAC and they also verified that there is some issue with the DNAT. Will update their response once I hear from them.
Thanks
I'm not exactly sure what your goal is... Do you need to cover the entire /24 on the far end? Does the NAT address need to be the entire /24 range as well? Would the below work for you?
config firewall vip
    edit "IBZ-Server-to-136"
        set uuid 4fb18976-7973-51e8-1240-8a7c051886e4
        set src-filter "10.123.11.10/32"
        set extip 10.123.123.10-10.123.123.10 (note /32 bit)
        set extintf "port2"
        set nat-source-vip enable
        set srcintf-filter "port3"
        set mappedip "136.0.0.10-136.0.0.10" (note /32 bit)
    next
Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
Thanks all for the reply.
I contacted TAC and they tested the same in production.
Got a reply after almost 20 days that it's a known bug. Below is the exact response.
"Thank you for your patience. I have learnt from the case description that the traffic initiated from the internal server is translated to the VIP External IP address although Central SNAT is enabled. Please correct me if I am wrong. I did an internal search and found it to be a known issue on firmware version 6.0.1 which is already reported to our engineering team against bug#478681 and they are working on the fix. In the meantime, we could consider downgrading the firmware on the unit to 5.6.4 (i.e. latest in the 5.6 series) or 5.4.8 (i.e. latest in the 5.4 series) as a workaround. I will get back to you once the fix is available."
Thanks
san
Do you need central NAT to begin with?
Ken
PCNSE
NSE
StrongSwan