Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
sajiby3k
New Contributor

Fortigate own ip and source nat

I have a very simple setup. One Fortigate with 2 interfaces: lan - 192.168.2.1/24 and wan with ip for example - 172.34.1.1. For reaching the internet from lan I have created the firewall policy with source nat. It works. I want to test it from the Fortigate's own ip. When I do "execute ping-options source 192.168.2.1" and then "execute ping 8.8.8.8" I am getting no reply. From debug and packet capture I am seeing that source nat is not applied. Is it intended by design that the Fortigate's own ip is excluded from nat? Or am I missing something?

sajiby3k
New Contributor

Can anyone help me with this information?

ede_pfau

No of course that's not intended.

I am puzzled as to what is causing this. Selecting the source IP address tells the FGT which interface to use and which route. Actually, I have no idea how SNAT is applied then but it works every time without special configuration.

Please double check that you specify the (LAN) interface IP as source IP.

Ede Kernel panic: Aiee, killing interrupt handler!
rwpatterson
Valued Contributor III

I was under the impression that the source IP field populated the source IP (duh), and then attempted to get to whatever destination from that interface. Since the default gateway out is on another interface, I would believe that the traffic MAY flow out the 172.x.x.x interface, but not being translated and the bogon is dropped by the ISP. LAN traffic on the 192.168.x.x network is passing the policies and being NATted so they work. The FGT isn't using the policies, so PINGs fail. In my mind, works as expected.

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com

Dave_Hall

I agree - from my own testing from a "live" fgt in the field - monitoring the fgt wan connection from the other side of the gateway router, I see nothing coming through.

NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C

Fahad
New Contributor III

Hi,

I tested the same and I noticed that if you select the LAN interface IP as source (192.168.2.1) for the ping, the sniffer shows this IP leaving from the WAN interface.

Quite interesting; could be something by design.

FCSNP 5, JNCIS-FW,JNCIA-SSL ,MCSE, ITIL.

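The check described in the reply above (watching the sniffer for the LAN address leaving the WAN interface) can be automated. The following Python script is an added example for this thread, not code from Fortinet or from any poster. It parses capture lines in the style of FortiGate's `diagnose sniffer packet <iface> '<filter>' 4` output (verbosity 4 prints the interface name and in/out direction; the exact field layout is an assumption modelled on that format), and flags any packet that leaves a WAN-side interface still carrying a private source address, i.e. a packet to which source NAT was not applied. The sample capture, the interface names `wan1`/`lan` and the addresses are constructed to match the topology in the original question.

```python
"""Flag packets leaving a WAN-side interface with an untranslated (private) source.

Added example for the thread above; not FortiGate code. The capture format is
modelled on 'diagnose sniffer packet <iface> "<filter>" 4' output; the exact
field layout is an assumption.
"""
import ipaddress
import re
from typing import Dict, List, Optional

# Constructed sample capture (not a real capture). Interface names "wan1"/"lan"
# and the addresses follow the thread's example topology.
SAMPLE_CAPTURE = """\
interfaces=[any]
filters=[icmp or udp]
1.000001 wan1 out 192.168.2.1 -> 8.8.8.8: icmp: echo request
1.000523 lan in 192.168.2.50 -> 8.8.8.8: icmp: echo request
1.000611 wan1 out 172.34.1.1 -> 8.8.8.8: icmp: echo request
1.020433 wan1 in 8.8.8.8 -> 172.34.1.1: icmp: echo reply
1.020500 lan out 8.8.8.8 -> 192.168.2.50: icmp: echo reply
2.000100 wan1 out 172.34.1.1.40000 -> 8.8.8.8.53: udp 40
"""

# Interfaces on which a private source address should never be seen leaving.
WAN_INTERFACES = {"wan1"}

# One sniffer line: "<ts> <iface> <in|out> <src>[.<sport>] -> <dst>[.<dport>]: <rest>"
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<iface>\S+)\s+(?P<dir>in|out)\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)(?:\.(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)(?:\.(?P<dport>\d+))?:\s*(?P<rest>.*)$"
)


def parse_capture(text: str) -> List[Dict[str, Optional[str]]]:
    """Parse sniffer output into records; header and non-matching lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            records.append(m.groupdict())
    return records


def is_private(addr: str) -> bool:
    """True for RFC 1918, loopback, link-local and similar non-routable addresses."""
    return ipaddress.ip_address(addr).is_private


def find_unnatted_egress(records, wan_interfaces=WAN_INTERFACES):
    """Return packets that left a WAN interface still carrying a private source.

    A hit means SNAT was not applied to that packet; upstream will typically drop
    it or be unable to route the reply, which shows up as a silent ping timeout.
    """
    return [
        r for r in records
        if r["iface"] in wan_interfaces and r["dir"] == "out" and is_private(r["src"])
    ]


def summarize(records) -> Dict[str, int]:
    """Count outbound WAN packets by whether their source address was translated."""
    out = [r for r in records if r["iface"] in WAN_INTERFACES and r["dir"] == "out"]
    untranslated = sum(1 for r in out if is_private(r["src"]))
    return {"wan_out": len(out), "untranslated": untranslated,
            "translated": len(out) - untranslated}


if __name__ == "__main__":
    recs = parse_capture(SAMPLE_CAPTURE)
    for hit in find_unnatted_egress(recs):
        print(f"{hit['ts']} {hit['iface']} out: {hit['src']} -> {hit['dst']} left without SNAT")
    print(summarize(recs))
```

Run against a saved sniffer capture instead of the embedded sample to see at a glance whether a failed test ping was actually translated before it left the box; a hit for the LAN address on the WAN interface is the behaviour the thread describes, while a hit for a client address would point at the policy or NAT configuration itself.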
sajiby3k
New Contributor

Thanks for the reply. It is nice to know that you guys are also seeing the same phenomenon. For me, sometimes it is required to test source NAT and I cannot access any client computer. And as the Fortigate exempts its own traffic from NAT, there is no way I can test.

Zedisdead
New Contributor

VPN, SNAT with a policy, testing from the box fails, because the box is not applying ANY policy to its own traffic, which is stupid, because I have no option to test stuff from the box itself even if I specify the source interface or IP.
Firewall checks my traffic: "Oh.. What is this... Traffic from this source IP, that has a FW policy with SNAT pool attached? Oh, I know, let's just blast it out of an interface that has the route to it, without hitting any policy, because why not?!"
