Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
ICTServices
New Contributor

Issue with Virtual IPs

I have a complex setup (with multiple levels of NAT), but put simply, my problem is this: When I create a Virtual IP for a server on the LAN (to allow incoming connections from a trusted partner network), that same Virtual IP seems to be used for all outgoing traffic from that server to the internet. My provider's firewall only allows outbound traffic from our firewall, and so connectivity is blocked. Is it normal behaviour for a Virtual IP to be applied to outgoing traffic as well as incoming, or is there a setting I've missed that prevents this?
ede_pfau
SuperUser

hi, and welcome to the forums! Yes, the default / intended behavior of VIP (destination NAT) is to conceal the private / mapped-to IP address completely. In previous versions of FortiOS only the reply traffic was NATed to the VIP. In 4.3 and higher, even originating traffic will use the VIP as source NAT. If that doesn't work for you (where I wonder why...) you can specify a source NAT address if you check "dynamic NAT" in the outgoing policy - either the interface IP or a given IP pool with just one address. That should enable you to differentiate return traffic (natted to the VIP) from outgoing traffic (natted to the IP pool).
Ede Kernel panic: Aiee, killing interrupt handler!
ICTServices
New Contributor

Thanks very much! I've done a quick test and that looks like it will overcome our issues here. Much appreciated....
ede_pfau
SuperUser

That would be perfect! If it works for you, would you please post the How-To for others to follow?
Ede Kernel panic: Aiee, killing interrupt handler!
ICTServices
New Contributor

Yes - for future reference. Our ISP requires all outgoing traffic to come from our Firewall address.
- I've set up Virtual IPs for some servers (for incoming traffic).
- I then set a Dynamic IP Pool with the same IP address as the main Firewall outgoing IP address.
- In the outgoing Firewall rules (Policy), under Enable NAT I selected 'Use Dynamic IP Pool' and selected the IP Pool set up above.
This then allows incoming traffic to come in to the servers via the Virtual IPs, but all outgoing traffic goes out on the one IP address. Thanks for pointing me in the right direction to solve this.
ede_pfau
SuperUser

You're welcome. One simplification: if you just tick 'NAT' in the policy the IP address of the egress interface is used. This is just what you want so you can skip the IP pool here.
Ede Kernel panic: Aiee, killing interrupt handler!
goftari

Hi! I have an issue which I may call a Virtual IP issue: My Fortigate 311B has these ports: port1[Intranet], port2[DMZ], and port3[Internet]. I have various types of traffic (Web, RDP, ...) coming in from the Intranet interface which is originated from clients with valid Internet addresses (routers in the intranet handle the routing); I have virtual IPs sending traffic coming from the Intranet interface to servers in my DMZ (I have a policy in place to allow that). Now after the traffic has come back from my DMZ, and source NAT has taken place for the reply traffic, I have packets with the source address of my Intranet interface and destination address of Internet. Here's my problem: When I had a Mikrotik RB1000 in place of the Fortigate it did handle this traffic, but now the Fortigate does not force the traffic to go back through the Intranet interface. This issue can be resolved by having a static default route like this: 0.0.0.0 -> port1 [Intranet Gateway IP addr] But I don't want to have a default route to my Intranet gateway, it does not seem logical to me! Please help ...!
ede_pfau
SuperUser

hi goftari, no need to hijack this thread - next time, open a new one please. Please check your policy 'intranet' -> 'DMZ' and uncheck the 'NAT' checkbox. This will change the source address of reply traffic to the VIP used. edit: OK, OK, it's not hijacking but cross-posting: http://support.fortinet.com/forum/tm.asp?m=94959 It's best to choose the right forum (like this here, not the other) and post just once. Frequent fellow readers scan through ALL forums and will have a look at your issue anyway.
Ede Kernel panic: Aiee, killing interrupt handler!
goftari

Sorry! I did open a new thread and nobody responded, and as I really need this done and as I expected you replied faster (as I was looking at the expert members' scores and as far as I noticed you had the highest). May I continue on this thread to get my problem solved, or should I open a new thread? NAT is not enabled in my policy! By the way, thanks for your prompt reply.
ede_pfau
SuperUser

Let's continue here as this is the fitting forum for your question. As far as I can see the trouble is with source NAT. You can force a different source NAT in this way:
- in Firewalls>IP pools, define a new IP pool with just one address: 172.18.0.100
- in the policy in which the VIP is used,
  - enable 'dynamic NAT'
  - select the IP pool you just created
and test again. This will always change the source address of any egress traffic to the specified address.
Ede Kernel panic: Aiee, killing interrupt handler!
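The CLI equivalent of what this thread arrives at, both for the original poster's How-To (VIP for inbound, interface NAT or a one-address IP pool for outbound) and for ede's IP-pool suggestion in the last reply. This is an added example written for this page, not configuration posted by anyone in the thread or taken from Fortinet documentation. All names and addresses are assumed: wan1 is the Internet-facing interface, internal is the LAN, 203.0.113.0/24 stands in for the ISP-assigned public range, 198.51.100.0/24 for the partner network, 10.0.0.20 for the published server, and policy IDs 10 and 11 are arbitrary. The `#` lines are explanatory comments.

```fortios
# Added example (assumed names/addresses, see lead-in).

# 1. Destination NAT: publish the LAN server on its own public address.
config firewall vip
    edit "srv-vip"
        set extintf "wan1"
        set extip 203.0.113.20
        set mappedip "10.0.0.20"
    next
end

# 2. Inbound policy for the trusted partner network only. NAT stays off
#    on the VIP policy (ede's advice to goftari); the VIP does the
#    translation and replies leave with the VIP address as source.
config firewall address
    edit "partner-net"
        set subnet 198.51.100.0 255.255.255.0
    next
end
config firewall policy
    edit 10
        set name "partner-to-srv"
        set srcintf "wan1"
        set dstintf "internal"
        set srcaddr "partner-net"
        set dstaddr "srv-vip"
        set action accept
        set schedule "always"
        set service "HTTPS"
        set nat disable
    next
end

# 3a. Outbound policy, ede's simplification: 'NAT' ticked with no pool,
#     so traffic from the server leaves with the wan1 interface address,
#     which is the only source the ISP's firewall accepts.
config firewall policy
    edit 11
        set name "lan-to-internet"
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end

# 3b. Outbound policy, IP-pool form (the How-To above and the last reply):
#     a one-address overload pool pins the source to a chosen address,
#     useful when the wanted address is not the egress interface IP.
config firewall ippool
    edit "outbound-snat"
        set type overload
        set startip 203.0.113.1
        set endip 203.0.113.1
    next
end
config firewall policy
    edit 11
        set nat enable
        set ippool enable
        set poolname "outbound-snat"
    next
end
```

Use either 3a or 3b, not both; the second `edit 11` simply overrides the NAT settings of the first. To confirm which source address outbound traffic actually carries, watch the egress interface while the server makes a connection, e.g. `diagnose sniffer packet wan1 'host 203.0.113.20 or host 203.0.113.1' 4`: with 3a/3b in place the server's outbound packets should show the wan1 or pool address, and only replies to partner connections should show the VIP address 203.0.113.20. Keeping the inbound policy limited to `partner-net` and a single service, rather than `all`, is the part of this design worth holding on to even after the NAT question is settled. Later FortiOS releases also expose a per-VIP `nat-source-vip` setting under `config firewall vip` that governs whether the mapped server's outbound traffic is source-NATed to the VIP at all; that option is outside the 4.3-era behaviour the thread describes, so check the CLI reference for your release before relying on it.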