Unlock Exclusive Benefits
Join Our Community Today!
Join our community and post in the forum to earn your exclusive Summer Badge! Become a member today!
LOGIN/REGISTER
CONTINUE AS A GUEST
- Support Forum
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiADC
- FortiAIOps
- FortiAnalyzer
- FortiAP
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCare Services
- FortiCarrier
- FortiCASB
- FortiConverter
- FortiCNP
- FortiDAST
- FortiData
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDLP
- FortiDeceptor
- FortiDevice
- FortiDevSec
- FortiDirector
- FortiEdgeCloud
- FortiEDR
- FortiEndpoint
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiGuest
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPhish
- FortiPortal
- FortiPresence
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSRA
- FortiSandbox
- FortiSASE
- FortiSASE Sovereign
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- FortiAppSec Cloud
- Lacework
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Support Forum
- Re: Problems configuring DNAT sourced on the insid...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Problems configuring DNAT sourced on the inside interface
We currently have two sites, Site A and Site B, with identical destinations defined over separate VPN tunnels. Each site has a separate SNAT range using different IP addresses, so they know which location/route to send traffic back to. Both of our firewalls are setup as Central SNAT, and they are running 7.4.6.
We're about to implement a new solution that requires us to change the destination IP range at Site B, so that the new system can check each path for dropped packets, latency, etc., and then it will send the traffic over the best path. For example, our internal host 192.168.1.1 currently sends to VendorA host 192.168.2.55. Traffic to VendorA is advertised exactly the same to both of our sites, but SiteA is the preferred site. SiteB will only be used if SiteA goes down. This won't work with the new system.
What we need to do is to keep the destination for VendorA going out SiteA as 192.168.2.55, but we need to change the VendorA subnet going out SiteB as 192.168.3.55. I attempted that using DNAT on the inside interface for a single host, e.g. I created a VIP for DNAT on the inside interface, so that any traffic destined to 192.168.3.55 on our internal network would be DNATed to 192.168.2.55 before entering the tunnel, although 192.168.2.55 is still what is being advertised out SiteA. Our new system would check the path for 192.168.2.55 and 192.168.3.55 to determine if the traffic should go out SiteA or SiteB, but the traffic would end up at the same destination at VendorA's data center.
Using DNAT on the inside interface, I wasn't able to get the traffic out SiteB. After some frustration, I opened a support ticket and was told DNATs don't work this way, and I can't do this on the inside interface. I didn't understand the logic of the support engineer, and finally closed the ticket. Even internal discussions with the other members of the firewall team hasn't produced a working result, but again I was told my logic is incorrect. I just can't wrap my head around what is wrong. I realize DNATs are normally used on the outside interface, but I don't understand why can't they be used on the inside interface, or any interface for that matter.
My question: How do I configure SiteB so that our host 192.168.1.1 can send to 192.168.2.55 for SiteA and 192.168.3.55 for SiteB, but then change the NAT to where the encryption domain has 192.168.2.55 on both sites?
Labels:
- Labels:
-
FortiGate
3 REPLIES 3
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Trying to follow along, are you wanting to apply the NAT when the traffic is egressing your firewall or ingressing? maybe easier to understad with a quick drawing if you could.
When you set up your VIP did you specify an extinf or srcintf-filter?
::: If a solution is helpful, don't forget to give kudos or Accept as Solution for others. :::
::: If a solution is helpful, don't forget to give kudos or Accept as
Solution for others. :::
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Sorry for the delay, but I've been out of town and not paying attention to electronics.
The important piece of info is that the firewall needs to do a DNAT on the ingress (inside) interface. Traffic destined to 192.168.3.55 on the inside firewall interface needs to be DNATed to 192.168.2.55 before traversing a VPN tunnel.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I created this over to the "life of a packet diagram" once for a customer to better explain how IPS are used in relationship to the life of a packet. As you can see the DNAT trnslation happens after the IPSEC Tunnel, so when tunnels are built, they need to be build with the DNAT Virtual IP and the Source IP, not the translated DNAT. Firewall policies however are written based on the real source and destination IP as far as the firewall knows them, so this can sometimes cause confusion. Hopefully this diagram can help explain some things for you.
::: If a solution is helpful, don't forget to give kudos or Accept as Solution for others. :::
::: If a solution is helpful, don't forget to give kudos or Accept as
Solution for others. :::
Labels
-
FortiGate
10,695 -
FortiClient
2,183 -
FortiManager
898 -
5.2
687 -
FortiAnalyzer
685 -
5.4
638 -
FortiSwitch
592 -
FortiClient EMS
572 -
FortiAP
564 -
IPsec
427 -
6.0
416 -
SSL-VPN
387 -
FortiMail
374 -
5.6
362 -
FortiNAC
290 -
FortiWeb
253 -
6.2
251 -
FortiAuthenticator v5.5
234 -
SD-WAN
199 -
FortiAuthenticator
180 -
FortiGuard
160 -
5.0
152 -
Firewall policy
146 -
FortiGate-VM
136 -
6.4
128 -
FortiCloud Products
117 -
FortiSIEM
114 -
FortiToken
114 -
FortiGateCloud
112 -
Wireless Controller
95 -
Customer Service
88 -
High Availability
87 -
FortiProxy
79 -
ZTNA
77 -
Routing
75 -
SAML
74 -
Fortivoice
73 -
DNS
73 -
VLAN
73 -
FortiEDR
71 -
Authentication
70 -
BGP
70 -
FortiADC
68 -
Certificate
67 -
RADIUS
62 -
LDAP
61 -
FortiLink
57 -
NAT
55 -
SSO
54 -
FortiSandbox
53 -
FortiExtender
52 -
VDOM
50 -
4.0MR3
49 -
Interface
48 -
Application control
46 -
FortiDNS
43 -
Virtual IP
42 -
Logging
41 -
FortiGate v5.4
38 -
FortiSwitch v6.4
38 -
FortiPAM
37 -
SSL SSH inspection
37 -
FortiConnect
35 -
Web profile
35 -
Automation
33 -
FortiWAN
31 -
FortiConverter
31 -
FortiGate v5.2
28 -
API
27 -
Traffic shaping
26 -
Static route
26 -
Fortigate Cloud
25 -
SNMP
25 -
SSID
25 -
FortiSwitch v6.2
23 -
FortiPortal
23 -
System settings
22 -
WAN optimization
22 -
FortiMonitor
20 -
OSPF
20 -
Security profile
19 -
Web application firewall profile
19 -
Web rating
19 -
FortiSoar
18 -
IP address management - IPAM
18 -
FortiDDoS
16 -
Explicit proxy
16 -
FortiAP profile
16 -
FortiGate v5.0
15 -
Admin
15 -
IPS signature
15 -
Proxy policy
15 -
Intrusion prevention
15 -
FortiCASB
14 -
NAC policy
14 -
FortiManager v4.0
13 -
DNS filter
13 -
Users
13 -
FortiManager v5.0
12 -
FortiDeceptor
12 -
Traffic shaping policy
12 -
Fabric connector
12 -
Port policy
12 -
FortiBridge
11 -
FortiRecorder
11 -
Authentication rule and scheme
11 -
FortiAnalyzer v5.0
10 -
FortiWeb v5.0
10 -
Trunk
10 -
Traffic shaping profile
10 -
Fortinet Engage Partner Program
10 -
FortiGate v4.0 MR3
9 -
RMA Information and Announcements
9 -
Antivirus profile
9 -
FortiCache
8 -
FortiToken Cloud
8 -
4.0
7 -
4.0MR2
7 -
Packet capture
7 -
Application signature
7 -
VoIP profile
7 -
Vulnerability Management
7 -
FortiScan
6 -
FortiNDR
6 -
FortiCarrier
5 -
FortiTester
5 -
DLP profile
5 -
DLP sensor
5 -
DoS policy
5 -
Email filter profile
5 -
Protocol option
5 -
TACACS
5 -
Cloud Management Security
5 -
3.6
4 -
FortiDirector
4 -
Internet service database
4 -
DLP Dictionary
4 -
Netflow
4 -
Replacement messages
4 -
SDN connector
4 -
Service
4 -
Multicast routing
4 -
FortiDB
3 -
FortiHypervisor
3 -
FortiAI
3 -
Kerberos
3 -
File filter
3 -
Multicast policy
3 -
FortiEdge Cloud
3 -
FortiInsight
2 -
Video Filter
2 -
Schedule
2 -
ICAP profile
2 -
Zone
2 -
Lacework
2 -
FortiGuest
2 -
4.0MR1
1 -
FortiManager-VM
1 -
FortiCWP
1 -
Subscription Renewal Policy
1 -
FortiSASE
1 -
Virtual wire pair
1 -
FortiEdge
1 -
FortiAIOps
1
Top Kudoed Authors
| User | Count |
|---|---|
| 2626 | |
| 1400 | |
| 810 | |
| 672 | |
| 455 |
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2025 Fortinet, Inc. All Rights Reserved.