vijayduhan
New Contributor

How to do Source NAT on a response packet when asymmetric routing is enabled?

There is a requirement for enabling Source NAT on a response packet when asymmetric routing is enabled.

Can I use FortiGate as a stateless firewall?

AEK
Honored Contributor

Hello

As per my understanding, when enabling asymmetric traffic, FG will act as a stateless firewall for the response traffic for which it doesn't have a session, and also it doesn't perform UTM on it.

However, doing NAT on these response packets doesn't make sense to me.

I think the natural way to do NAT would be on the load balancer in front of your FortiGates.

AEK
pgautam
Staff

Hi @vijayduhan

Thank you for posting your query.

When asymmetric routing is enabled, the firewall will globally behave as follows.

For TCP packets

1) If the packet is a SYN, the FortiGate creates the session, checks the firewall policies and applies the configuration of the matching policy (UTM inspection, NAT, Traffic shaping, etc.).
The subsequent packets of the session can be offloaded (exactly as when asymmetric routing is disabled).

2) If the packet is not a SYN but the session already exists on the firewall, then the FortiGate lets the traffic pass through (exactly as it would do when asymmetric routing is disabled).

3) If the packet is not a SYN and the session doesn't exist (asymmetric routing), then all packets are passed to the CPU and the FortiGate doesn't look up matching firewall policies.

Since no policy is matched, the packet is simply forwarded based on the routing table and the firewall acts as a router which only makes routing decisions. No security inspection will be performed:

53.147018 wan in 1.1.1.2.80 -> 10.255.130.210.18929: syn 2874238539 ack 2874127433
53.147237 dmz out 1.1.1.2.80 -> 10.255.130.210.18929: syn 2874238539 ack 2874127433
id=20085 trace_id=6 func=print_pkt_detail line=4471 msg="vd-root received a packet(proto=6, 1.1.1.2:80->10.255.130.210:18929) from wan. flag [S.], seq 2874238539, ack 2874127433, win 32768"
id=20085 trace_id=6 func=vf_ip4_route_input line=1596 msg="find a route: flags=00000000 gw-10.255.130.210 via dmz"
53.155221 wan in 1.1.1.2.80 -> 10.255.130.210.18929: psh 2874238540 ack 2874127673
53.155364 dmz out 1.1.1.2.80 -> 10.255.130.210.18929: psh 2874238540 ack 2874127673

As the FGT is only taking a routing decision, SNAT on the reply packet will not make sense here.

Please check the below link for your reference to the asymmetric routing section:
https://docs.fortinet.com/document/fortigate/7.4.1/administration-guide/139692/routing-concepts#Asym...


Regards
Priyanka



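As an added example (not from this thread and not Fortinet's own code), here is a small Python parser that reads `diagnose debug flow` trace output in the format Priyanka pasted above and flags TCP packets that the FortiGate forwarded on a routing decision alone, with no session and no policy match. The sample lines are constructed for the example and modelled on that output; the function names, line numbers and session id in the constructed lines are placeholders, not a real capture.

```python
"""
Classify FortiOS 'diagnose debug flow' traces by how the packet was handled:
  policy       - new session created, a firewall policy was applied (NAT/UTM possible)
  session      - matched an existing session
  denied       - dropped by a policy check
  routed-only  - non-SYN TCP packet with no session and no policy: forwarded on the
                 routing table alone (the asymmetric-routing case described above)
"""
import re
from collections import defaultdict

# Constructed sample, modelled on the debug-flow format shown in the thread.
# trace 6: a SYN+ACK reply with no session (asymmetric routing).
# trace 7: a plain SYN that created a session and matched a policy.
SAMPLE_TRACE = """\
id=20085 trace_id=6 func=print_pkt_detail line=4471 msg="vd-root received a packet(proto=6, 1.1.1.2:80->10.255.130.210:18929) from wan. flag [S.], seq 2874238539, ack 2874127433, win 32768"
id=20085 trace_id=6 func=vf_ip4_route_input line=1596 msg="find a route: flags=00000000 gw-10.255.130.210 via dmz"
id=20085 trace_id=7 func=print_pkt_detail line=4471 msg="vd-root received a packet(proto=6, 10.255.130.210:18930->1.1.1.2:80) from dmz. flag [S], seq 1000, ack 0, win 64240"
id=20085 trace_id=7 func=init_ip_session_common line=5000 msg="allocate a new session-00000e2b"
id=20085 trace_id=7 func=vf_ip4_route_input line=1596 msg="find a route: flags=00000000 gw-1.1.1.1 via wan"
id=20085 trace_id=7 func=fw_forward_handler line=800 msg="Allowed by Policy-1: SNAT"
"""

# Packet-detail line: 5-tuple, ingress interface and (for TCP) the flag field.
PKT_RE = re.compile(
    r'trace_id=(?P<tid>\d+) .*?msg="vd-(?P<vdom>\S+) received a packet'
    r'\(proto=(?P<proto>\d+), (?P<src>[\d.]+):(?P<sport>\d+)->(?P<dst>[\d.]+):(?P<dport>\d+)\)'
    r' from (?P<iface>\S+)\.(?: flag \[(?P<flags>[^\]]*)\])?'
)
# Any trace line: just the trace id and the msg text.
MSG_RE = re.compile(r'trace_id=(?P<tid>\d+) .*?msg="(?P<msg>[^"]*)"')


def parse_trace(text):
    """Group debug-flow lines by trace_id into {tid: {5-tuple fields, flags, msgs}}."""
    traces = defaultdict(lambda: {"msgs": []})
    for line in text.splitlines():
        m = PKT_RE.search(line)
        if m:
            traces[m["tid"]].update(
                proto=int(m["proto"]), src=m["src"], sport=int(m["sport"]),
                dst=m["dst"], dport=int(m["dport"]), iface=m["iface"],
                flags=m["flags"] or "",
            )
        m = MSG_RE.search(line)
        if m:
            traces[m["tid"]]["msgs"].append(m["msg"])
    return dict(traces)


def is_pure_syn(flags):
    """'[S]' is a bare SYN; '[S.]' is SYN+ACK, '[.]' a pure ACK, and so on."""
    return flags == "S"


def classify(trace):
    """Apply the three-case behaviour from the reply above to one parsed trace."""
    msgs = " ".join(trace["msgs"])
    if "Denied by" in msgs:
        return "denied"
    if "Allowed by Policy" in msgs:
        return "policy"
    if "Find an existing session" in msgs:
        return "session"
    if ("find a route" in msgs and trace.get("proto") == 6
            and not is_pure_syn(trace.get("flags", ""))):
        return "routed-only"
    return "other"


def find_uninspected(text):
    """Return trace ids of TCP packets that bypassed session/policy processing."""
    return [tid for tid, t in parse_trace(text).items() if classify(t) == "routed-only"]


if __name__ == "__main__":
    for tid, t in parse_trace(SAMPLE_TRACE).items():
        print(f"trace {tid}: {t['src']}:{t['sport']} -> {t['dst']}:{t['dport']} "
              f"from {t['iface']} flags=[{t['flags']}] => {classify(t)}")
    print("routed without session/policy:", find_uninspected(SAMPLE_TRACE))
```

Running it on a real `diagnose debug flow` capture (filtered on the server address) gives a quick list of the replies that took the "router only" path, which is exactly the traffic that no policy, and therefore no NAT rule, will ever touch.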
vijayduhan
New Contributor

[Attachment: Untitled.jpg (topology diagram)]

Thanks for the replies.

In the topology, the black colour is for the SYN request packet and the orange colour for the SYN+ACK packet. From the client, the request is sent to a router over the internet; GRE encapsulation is then done on the router and the packet is sent to the FortiGate via the GRE tunnel. The FortiGate decapsulates the GRE packet and sends the packet to the application via the LAN port. Now the response packet should be sent directly from LAN to WAN over the internet with source NAT to the WAN IP.

I have enabled asymmetric routing, due to which the response packet (SYN+ACK) is going from LAN to WAN by checking the static route only, but without any source NAT to the WAN port IP; it is taking the application IP as its source, due to which it is not going to the internet.

AEK
Honored Contributor

Hello

In my opinion you should correct your architecture a bit and disable asymmetric routing on the FG.

AEK
vijayduhan
New Contributor

Thank you for the reply, but that is the organization's requirement, so we cannot change the architecture. Please help me to know how I can put a source NAT on the SYN+ACK packet?

AEK
Honored Contributor

Personally I don't see a way to do that with your FortiGate. The last chance you may have is to find a way to make your application server send the reply packets with your desired public IP as source address.

AEK
vijayduhan
New Contributor

Thank you for the reply. Please share some documents where it is mentioned that we cannot do this with FortiGate.
