Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
albaker1
Contributor

Problems configuring DNAT sourced on the inside interface

We currently have two sites, Site A and Site B, with identical destinations defined over separate VPN tunnels. Each site has a separate SNAT range using different IP addresses, so they know which location/route to send traffic back to. Both of our firewalls are set up as Central SNAT, and they are running 7.4.6.


We're about to implement a new solution that requires us to change the destination IP range at Site B, so that the new system can check each path for dropped packets, latency, etc., and then it will send the traffic over the best path. For example, our internal host 192.168.1.1 currently sends to VendorA host 192.168.2.55. Traffic to VendorA is advertised exactly the same to both of our sites, but SiteA is the preferred site. SiteB will only be used if SiteA goes down. This won't work with the new system.


What we need to do is to keep the destination for VendorA going out SiteA as 192.168.2.55, but we need to change the VendorA subnet going out SiteB as 192.168.3.55. I attempted that using DNAT on the inside interface for a single host, e.g. I created a VIP for DNAT on the inside interface, so that any traffic destined to 192.168.3.55 on our internal network would be DNATed to 192.168.2.55 before entering the tunnel, although 192.168.2.55 is still what is being advertised out SiteA. Our new system would check the path for 192.168.2.55 and 192.168.3.55 to determine if the traffic should go out SiteA or SiteB, but the traffic would end up at the same destination at VendorA's data center.


Using DNAT on the inside interface, I wasn't able to get the traffic out SiteB. After some frustration, I opened a support ticket and was told DNATs don't work this way, and I can't do this on the inside interface. I didn't understand the logic of the support engineer, and finally closed the ticket. Even internal discussions with the other members of the firewall team haven't produced a working result, but again I was told my logic is incorrect. I just can't wrap my head around what is wrong. I realize DNATs are normally used on the outside interface, but I don't understand why they can't be used on the inside interface, or any interface for that matter.


My question: How do I configure SiteB so that our host 192.168.1.1 can send to 192.168.2.55 for SiteA and 192.168.3.55 for SiteB, but then change the NAT to where the encryption domain has 192.168.2.55 on both sites?

1 REPLY 1
distillednetwork
Contributor III

Trying to follow along, are you wanting to apply the NAT when the traffic is egressing your firewall or ingressing? Maybe easier to understand with a quick drawing if you could.


When you set up your VIP did you specify an extintf or srcintf-filter?
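For readers following the thread, here is how the setup the original poster describes (a static DNAT VIP bound to the inside interface, a policy from the LAN to the VendorA tunnel, and Site B's own central SNAT pool) is expressed in FortiOS 7.4 CLI. This is an added example, not configuration posted by anyone in the thread. The interface names "internal" and "vpn-vendorA", the object names, and the Site B SNAT address 10.20.30.1 are assumptions; the 192.168.x addresses are the ones from the post.

```fortios
# Added example for the Site B FortiGate (FortiOS 7.4 syntax).
# Assumed names: "internal" = LAN interface, "vpn-vendorA" = IPsec tunnel
# interface to VendorA, "siteB-snat-pool" = Site B's distinct SNAT range.

# 1. Static one-to-one DNAT: packets arriving on "internal" for 192.168.3.55
#    are rewritten to 192.168.2.55. extintf is the interface the packet
#    ARRIVES on, so for an inside-sourced DNAT it is the inside interface.
#    192.168.3.55 is not on the LAN subnet, so the LAN must route it to this
#    FortiGate; arp-reply is disabled because proxy-ARP cannot attract it.
config firewall vip
    edit "vip-vendorA-via-siteB"
        set extip 192.168.3.55
        set mappedip "192.168.2.55"
        set extintf "internal"
        set portforward disable
        set arp-reply disable
    next
end

# 2. Internal hosts allowed to use this path.
config firewall address
    edit "lan-hosts"
        set subnet 192.168.1.0 255.255.255.0
    next
end

# 3. Policy with the VIP object as destination. DNAT is applied before the
#    route lookup, so this box needs a route for 192.168.2.55 via vpn-vendorA
#    and the phase2 selector on this tunnel must still cover 192.168.2.55
#    (the encryption domain is unchanged). With central SNAT enabled there is
#    no "set nat" here; source translation comes from the central-snat-map.
config firewall policy
    edit 0
        set name "lan-to-vendorA-siteB"
        set srcintf "internal"
        set dstintf "vpn-vendorA"
        set srcaddr "lan-hosts"
        set dstaddr "vip-vendorA-via-siteB"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
end

# 4. Central SNAT with Site B's own pool so VendorA's replies come back to
#    Site B rather than Site A. 10.20.30.1 is an assumed address.
config firewall ippool
    edit "siteB-snat-pool"
        set type overload
        set startip 10.20.30.1
        set endip 10.20.30.1
    next
end
config firewall central-snat-map
    edit 0
        set srcintf "internal"
        set dstintf "vpn-vendorA"
        set orig-addr "lan-hosts"
        set dst-addr "all"
        set nat-ippool "siteB-snat-pool"
    next
end
```

To check whether the VIP is actually being hit and which interface the post-NAT packet is routed out of, run `diagnose debug flow filter addr 192.168.3.55`, `diagnose debug enable` and `diagnose debug flow trace start 10` on the Site B unit, then send a test packet from 192.168.1.1 to 192.168.3.55; the trace shows the policy matched, the DNAT applied, and the egress interface chosen for 192.168.2.55. If the trace shows no policy match, the usual causes are the VIP's extintf not matching the ingress interface or the policy referencing the plain address instead of the VIP object.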
