Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
nehhet
New Contributor

Fortigate VM Double NAT issue in AWS

Hi all,

Is there any way to obtain the real IP address of a client that accesses EC2 instances through an Amazon Internet Gateway that is routed through a FortiGate VM? I know that Amazon performs NAT on their end to map public/Elastic IP addresses to the Private IP but this is causing issues with testing the feasibility of using FortiGate VM as a replacement to Amazon Security Groups.

For testing, I have a simple WAN (public subnet) and a LAN (private subnet) attach to the FortiGate VM with the appropriate route tables. When I simulate an external user connecting to a web server in our private subnet via a reverse proxy, the logs show the connection as coming from the LAN interface of the FortiGateVM. If I disable NAT on the incoming firewall rule allowing HTTP\HTTPS access through the VIP but then I am unable to connect. It seems that Amazon forces a double NAT scenario making it difficulty to obtain the true IP address.

Ideally I would like to have the following workflow where the true IP address is shown in the FortiGate VM logs.

User --> FortiGateVM --> Reverse Proxy --> Windows Web Server

Is this possible or am I better off continuing to use Amazon's native tools for managing security and logging? Thanks everyone.

10.0.0.0.1 192.168.1.254
1 REPLY 1
johnathan
Staff
Staff

'If I disable NAT on the incoming firewall rule allowing HTTP\HTTPS access through the VIP but then I am unable to connect'
You should be able to turn off source NAT successfully if your end goal is only to do destination NAT (VIP).
It may be best if you do a debug flow to see where that traffic is stopping, you can use these commands:
-------------------
di de res
di de flow filter addr x.x.x.x <-- User's Public IP you are testing with
di de flow trace start 1000
di de en

When you're done:
di de res
di de di

"Never trust a computer you can't throw out a window."
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors