Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
baylonjmj
New Contributor

OUTBOUND POLICY is being source natted to a different public IP address

Hi All,

 

Have you encountered this scenario?

I am using a FortiOS 5.4.3, FG300D, an Allow any internal user OUT, Natted to the firewall interface IP.

There is also an inbound rule for a specific user/device using a VIP that is not the interface IP.

 

Whenever that specific device is accessing the internet (outbound) that IP is natted to its VIP ip instead of the interface IP.

There is no IP pool configured on the firewall and there is no special rule for that specific device to go out. Firewall logs is saying it is being sourcenatted and the action made is timedout.

 

Would you know the proper way to fix this?

 

TIA

 

-Lehac

8 REPLIES 8
emnoc
Esteemed Contributor III

The cli cmd diag debug flow  is your friend. Inspect your fwpolicy  and take action  on what's present or not.

 

Ken

 

PCNSE 

NSE 

StrongSwan  

PCNSE NSE StrongSwan
baylonjmj
New Contributor

Hi Emnoc,

 

Yup I've done that and the firewall is just dropping the packet saying status "timedout"

it's just wierd that the the outbound rule is source natted to a VIP ip address  even though the firewall policy is saying use the interface IP. That VIP ip is not even configured as an IP pool and not used for any outbound traffic. 

 

I am just crowdsourcing if this is a pretty common behaviour on a Fortigate firewall

 

-lehac

emnoc
Esteemed Contributor III

That does not make sense, the diag debug flow should a match  or deny . Can you post the output ( debug )  and the fwpolicy(s) involved? ( the output of  deiag debug flow and where it says SNAT  and the full firewall policy

 

 

e.g

 

show full firewall policy <xxxx>

 

show full firewall vip < xxxxxxxxxxxxxx>

 

Xs = policyid# and or name as it related to vip

 

)

 

 

So in your case, you have a DNAT-VIP being matched on outside  traffic ? and that timeout ? Also  do you have set set nat-source-vip enable on the VIP or  central nat?

 

 

PCNSE 

NSE 

StrongSwan  

PCNSE NSE StrongSwan
baylonjmj

Hi All,

 

The inbound DNAT-VIP is working fine but its just weird that the outbound traffic for that specific internal server is natted to the public IP used on that VIP. Even though the outbound policy says use the interface IP. 

 

i'll post the debug after this. 

 

-lehac

baylonjmj

 

Hi Guys,

 

Sorry I can't get a hold of the customer to simulate the traffic for packet capture. 

I have attached here the screen capture instead of the timedout traffic being SNATTED to a public IP 166.*.*.* eventhough the policy says use the interface IP which is 124.*.*.*

 

-lehac

emnoc
Esteemed Contributor III

do a show full | grep 166.  do you have that configured in  the firewall.

 

PCNSE 

NSE 

StrongSwan  

PCNSE NSE StrongSwan
baylonjmj

Hi Emnoc. 166 is just used for the inbound VIP, no IP Pool, no outbound rules for it. A colleague indeed confirmed that this has been resolved by removing the one-to-one VIP on a previous issue. 

Retro
New Contributor

what does the VIP do for the inbound traffic?

 

have you tried to create a outbound policy just for the single source and put it highest in the sequence? if so what happens?

 

Can you post a debug output?

Top Kudoed Authors