Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
albaker1
Contributor

Created on ‎09-30-2025 12:06 PM

Problems configuring DNAT sourced on the inside interface

We currently have two sites, Site A and Site B, with identical destinations defined over separate VPN tunnels. Each site has a separate SNAT range using different IP addresses, so they know which location/route to send traffic back to. Both of our firewalls are setup as Central SNAT, and they are running 7.4.6.

 

We're about to implement a new solution that requires us to change the destination IP range at Site B, so that the new system can check each path for dropped packets, latency, etc., and then it will send the traffic over the best path. For example, our internal host 192.168.1.1 currently sends to VendorA host 192.168.2.55. Traffic to VendorA is advertised exactly the same to both of our sites, but SiteA is the preferred site. SiteB will only be used if SiteA goes down. This won't work with the new system.

 

What we need to do is to keep the destination for VendorA going out SiteA as 192.168.2.55, but we need to change the VendorA subnet going out SiteB as 192.168.3.55. I attempted that using DNAT on the inside interface for a single host, e.g. I created a VIP for DNAT on the inside interface, so that any traffic destined to 192.168.3.55 on our internal network would be DNATed to 192.168.2.55 before entering the tunnel, although 192.168.2.55 is still what is being advertised out SiteA. Our new system would check the path for 192.168.2.55 and 192.168.3.55 to determine if the traffic should go out SiteA or SiteB, but the traffic would end up at the same destination at VendorA's data center.

 

Using DNAT on the inside interface, I wasn't able to get the traffic out SiteB. After some frustration, I opened a support ticket and was told DNATs don't work this way, and I can't do this on the inside interface. I didn't understand the logic of the support engineer, and finally closed the ticket. Even internal discussions with the other members of the firewall team hasn't produced a working result, but again I was told my logic is incorrect. I just can't wrap my head around what is wrong. I realize DNATs are normally used on the outside interface, but I don't understand why can't they be used on the inside interface, or any interface for that matter.

 

My question: How do I configure SiteB so that our host 192.168.1.1 can send to 192.168.2.55 for SiteA and 192.168.3.55 for SiteB, but then change the NAT to where the encryption domain has 192.168.2.55 on both sites?

Labels:
158
0 Kudos
1 Solution
distillednetwork
Contributor III

Created on ‎10-07-2025 04:42 PM

I created this over to the "life of a packet diagram" once for a customer to better explain how IPS are used in relationship to the life of a packet.  As you can see the DNAT trnslation happens after the IPSEC Tunnel, so when tunnels are built, they need to be build with the DNAT Virtual IP and the Source IP, not the translated DNAT.  Firewall policies however are written based on the real source and destination IP as far as the firewall knows them, so this can sometimes cause confusion.  Hopefully this diagram can help explain some things for you.Screen Shot 2025-10-07 at 7.39.29 PM.png

::: If a solution is helpful, don't forget to give kudos or Accept as Solution for others. :::

View solution in original post

::: If a solution is helpful, don't forget to give kudos or Accept as Solution for others. :::
90
0 Kudos
3 REPLIES 3
distillednetwork
Contributor III

Created on ‎10-01-2025 04:01 AM

Trying to follow along, are you wanting to apply the NAT when the traffic is egressing your firewall or ingressing?  maybe easier to understad with a quick drawing if you could.

 

When you set up your VIP did you specify an extinf or srcintf-filter? 

::: If a solution is helpful, don't forget to give kudos or Accept as Solution for others. :::
::: If a solution is helpful, don't forget to give kudos or Accept as Solution for others. :::
148
0 Kudos
albaker1
Contributor
In response to distillednetwork

Created on ‎10-07-2025 10:21 AM

Sorry for the delay, but I've been out of town and not paying attention to electronics.

 

The important piece of info is that the firewall needs to do a DNAT on the ingress (inside) interface. Traffic destined to 192.168.3.55 on the inside firewall interface needs to be DNATed to 192.168.2.55 before traversing a VPN tunnel.

101
0 Kudos
distillednetwork
Contributor III

Created on ‎10-07-2025 04:42 PM

I created this over to the "life of a packet diagram" once for a customer to better explain how IPS are used in relationship to the life of a packet.  As you can see the DNAT trnslation happens after the IPSEC Tunnel, so when tunnels are built, they need to be build with the DNAT Virtual IP and the Source IP, not the translated DNAT.  Firewall policies however are written based on the real source and destination IP as far as the firewall knows them, so this can sometimes cause confusion.  Hopefully this diagram can help explain some things for you.Screen Shot 2025-10-07 at 7.39.29 PM.png

::: If a solution is helpful, don't forget to give kudos or Accept as Solution for others. :::
::: If a solution is helpful, don't forget to give kudos or Accept as Solution for others. :::
91
0 Kudos
Announcements
Check out our Community Chatter Blog! Click here to get involved
Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.