- Forums
- Knowledge Base
- Customer Service
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- Re: Public IP in internal NAT with IP Pools - Comp...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Public IP in internal NAT with IP Pools - Complex Config
Hi, I have a small network where all my equipment has private IP addresses (10.x.x.x) and I am using a Fortigate 300C.
I have a special need where I need to use a public IP address (e.g. A.A.A.A) to talk to an equipment that is configured just to reply to that address. My server talks to that equipment by means of a NAT using IP Pool (with only that address A.A.A.A), and it works great. My server is also accessible with a VIP from the Internet and it works great. Problem is that if that particular public IP Address (A.A.A.A) tries to access my server from the Internet the Fortigate doenst seem to know how to handle it... The packets doesnt seem to reach the server and looking through the Fortigate sniffer on that port, I just see SYN, SYN/ACK, RST.
I have tried disabling the NAT, but the only thing that returns the ability of the A.A.A.A address to reach the server from the outside is to delete the IP Pool where it is defined. Just entering this IP Pool again (without any associated Policy) causes the same error.
I am trying to setup a kind of a proxy server that talks to this measuring equipment and is reachable transparently by the same public address, so its important to figure out a way to let A.A.A.A reach my new intermediary server.
[special equipment port 5] <- NAT IP POOL with A.A.A.A. - < [server port 7] <- VIP -< [wan port 9] --- [INTERNET]
I realize that this is unusual and a complex configuration, but after spending many hours, wanted to see if there are any ideas and if the Fortigate can handle this.
What exactly is the treatment of IP Pools by the Fortigate and why would it affect the VIP on another port?
Thanks!
Joe
Solved! Go to Solution.
2 Solutions
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Joe,
Its confusing. Can you please elaborate with a network diagram attached.. ...Will love to help
Thanks
Rohit
Rohit K
Rohit K
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello,
You mention that "looking through the Fortigate sniffer on that port, I just see SYN, SYN/ACK, RST.
If I understand correctly, the source IP address of the TCP SYN is a public IP address = A.A.A.A and the destination IP address is your internal server.
So the TCP SYN/ACK will have a destination IP address = A.A.A.A which is an IP pool address . The problem is that this session has not been source natted so the kernel would not try to dnat this packet and should simply try to route this TCP SYN/ACK . The issue is that by default ARP reply is enabled in IP pools, so it means that the this destination IP address is seen as "belonging" to the FGT. It means that the kernel would try to route the packet to the FGT itself. So the TCP RST sent from FGT to server
You can try to disable ARP reply in your IP pool, it may help as this IP address would no longer be seen as belonging to the FGT
Thanks
10 REPLIES 10
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Joe,
Maybe someone else will have a clearer understanding of your post but I'm struggling to follow. The way I read this part
My server is also accessible with a VIP from the Internet and it works great. Problem is that if that particular public IP Address (A.A.A.A) tries to access my server from the Internet the Fortigate doenst seem to know how to handle it...
makes it sound like you're spoofing a public IP that actually exists elsewhere on the Internet, but I don't think that's what you mean.
I have a couple possible theories, but first I'd like to clarify two things...in your topology explanation, is that supposed to be 3 different physical ports involved? To my knowledge that is not even theoretically possible. If the destination is on port5, and the source is port9, port7 would not be involved. So from a policy & object standpoint, you'd need to make sure configurations were correct for port9 --> port5. This might include that the VIP object needs to have an "interface" of "any" set, which is the default.
Another point that you probably know is that NAT pools have no bearing on inbound traffic. When the special equipment connects out to the Internet, it uses the NAT pool and of course return traffic (i.e. SYN,ACK step in 3-way handshake) is matched and NAT'd statefully with no need for a VIP. VIPs are the only objects that have any bearing on inbound traffic, but it sounds like you have that working normally so I'm back to being confused at what your special situation here is that's not working.
If you can clarify I would love to help. - Daniel Hamilton
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Daniel,
Thanks for your reply. I think you got it. I am indeed spoofing an IP address that exists in the Internet. The measuring equipment is configured to just respond to this specific Internet address, but the values it sends are wrong scaled. Since we can't touch the configuration of that equipment, I have a server that impersonates that IP (through NAT) gets the information from the equipment, scales it correctly and then through a VIP answers to the Internet when questioned for the info, as it was the measuring equipment. Everything works fine EXCEPT if the IP Address from the Internet is the same one that I am impersonating internally. Then it doenst work. Looks to me at something to do with the definition of this IP inside the IP Pools Object.
There are indeed three ports involved in the complete configuration, but I tried to represent everything that is going on, not that it happens at the same time or for the same packet flow. There is a NAT from port 7 to port 5 and there is a VIP from port 9 to port 7.
The measuring equipment will not need internet access if it just answers to my server and sends the information that is all it is needed from it. The server will be the one responding queries from the Internet.
I know it's a complex configuration, but a real world problem...
Hope this explains it better.
-Joe
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Joe,
Its confusing. Can you please elaborate with a network diagram attached.. ...Will love to help
Thanks
Rohit
Rohit K
Rohit K
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Sure.
FInd attached a very basic diagram. Hope this helps make more sense out of it.
Problem resides in that I need to impersonate a public address internally (NAT with IP Pools), but if that address ever tries to talk to my server, it cant. As soon as I define that address on the IP Pools, it is not able to reach my server. The internal spoofing keeps on working and all other addresses access my server fine.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
Let's simply your problem if I have understood it correctly - IP addresses are assumptions.
One computer outside of your control with public IP address - 172.35.16.50
Your server lan ip - 10.10.10.10
Your server public ip (which is used to reach the server from internet) -172.100.10.10
For allowing 172.35.16.50 to reach 10.10.10.10 from internet -
Create a VIP - external IP 172.100.10.10, Mapped IP - 10.10.10.10
Now create a firewall rule which does destination nat by using VIP, this rule allows only incoming trafik from the internet to that specific server.
Src Interface - (wan/internet facing interface)
Src - Address - 172.35.16.50
Dst interface - (lan/server's private ip facing interface)
Dst Address - VIP
Service - Your required TCP/udp ports
NAT - NO
If you need to allow outgoing trafik from the internal server to 172.35.16.50 in internet, make another rule with IP pool which does source nat.
Src Interface - (lan/server's private ip facing interface)
Src - Address - 10.10.10.10
Dst interface - (wan/internet facing interface)
Dst Address - 172.35.16.50
Service - Your required TCP/udp ports
NAT - Yes, with your IP POOL
It should work.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
sajiby3k,
You understood the first part. With 172.35.16.50 (following your example) accessing my Server with a VIP. That is configured and it works. Now the second part is not my server outgoing traffic and I will try to explain that part more thoroughly:
I have a measuring equipment with an internal address (lets call him B) that is configured (outside my control to change) to just answer to that one public address (172.35.16.50). I want my server (lets call him A) to extract info from that equipment (B) and not let B talk to anyone else. The only way B will respond to A, it's if I do a NAT internally and make B think it's 172.35.16.50 talking to it. This works doing a NAT with IP Pools, and it works well.
But when I set the IP Pool with that Public address, and the same address tries to enter with the VIP, it doesn't work...
To summarize, and to expand your example, we have:
X (Any Public internet)
Y (Specific Public IP 172.35.16.50)
B (Measuring Equipment 10.10.10.50 GW 10.10.10.1 (port 5) HardCoded to only answer to address Y)
A (My server 10.10.20.20 GW 10.10.20.1 (port 7) )
I have VIP - external IP 172.100.10.10, Mapped IP - 10.10.20.20 (works)
and I have a policy with when 10.10.20.20 goes to 10.10.10.50 to NAT using IP Pool specifying 172.35.16.50 as source. this works.
Now with both rules active, if X access through the WAN using the VIP to my server, everything works fine. If the real Y address comes through the WAN, it clashes with the IP Pool and it doesn't work.
How can I make my server the transparent man in the middle?
Hopefully this time it's more clear...
Joe
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello,
You mention that "looking through the Fortigate sniffer on that port, I just see SYN, SYN/ACK, RST.
If I understand correctly, the source IP address of the TCP SYN is a public IP address = A.A.A.A and the destination IP address is your internal server.
So the TCP SYN/ACK will have a destination IP address = A.A.A.A which is an IP pool address . The problem is that this session has not been source natted so the kernel would not try to dnat this packet and should simply try to route this TCP SYN/ACK . The issue is that by default ARP reply is enabled in IP pools, so it means that the this destination IP address is seen as "belonging" to the FGT. It means that the kernel would try to route the packet to the FGT itself. So the TCP RST sent from FGT to server
You can try to disable ARP reply in your IP pool, it may help as this IP address would no longer be seen as belonging to the FGT
Thanks
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This makes a lot of sense with what I am seeing. How do you turn off the arp reply from the IP Pools? Any way to do it on the GUI or it's a CLI trick?
Can this break anything else? I wouldn't expect it to... Since the address on the IP Pools in not a local subnet, hence no one needs to reach it via ARP...
BIG THANK YOU for the suggestion!
-Joe
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
you should be able to disable arp-reply in GUI and CLI when editing the ippool. In CLI , just do a get to see the parameters.
Arp-reply is a "new" parameter since 4.x which was added for a customer interested to source NAT packet with an IP address existing on an external station. Before this, arp-reply was by default enabled. After this new parameter was introduced, customer could disable arp-reply to not have any conflict with an IP address belonging to a station and to the FGT
In your case, I don't believe there is any problem to disable arp-reply. To my knowledge having arp-reply enabled is useful for example in situation like you have : to detect tcp syn/ack from server with a destination IP address equal to an IP pool address with the tcp syn from client not source natted . This situation should not arrive in most common cases.
As you are in a special case, I think that disablng arp-reply should help
Related Posts
Labels
-
FortiGate
6,482 -
FortiClient
1,293 -
5.2
801 -
5.4
639 -
FortiManager
563 -
6.0
416 -
FortiAnalyzer
413 -
5.6
362 -
FortiSwitch
331 -
FortiAP
330 -
FortiClient EMS
259 -
6.2
251 -
FortiMail
239 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
149 -
6.4
128 -
FortiNAC
103 -
FortiGuard
102 -
FortiGateCloud
86 -
FortiSIEM
86 -
FortiCloud Products
82 -
FortiToken
69 -
IPsec
69 -
Customer Service
69 -
4.0MR3
64 -
Wireless Controller
58 -
SSL-VPN
57 -
FortiProxy
44 -
FortiADC
42 -
Fortivoice
41 -
FortiEDR
39 -
FortiGate v5.4
34 -
FortiDNS
34 -
FortiExtender
31 -
FortiSandbox
30 -
FortiSwitch v6.4
28 -
FortiConnect
23 -
SD-WAN
23 -
FortiWAN
22 -
Firewall policy
22 -
FortiConverter
21 -
High Availability
20 -
VLAN
18 -
FortiPortal
17 -
ZTNA
16 -
FortiSwitch v6.2
16 -
FortiGate v5.2
16 -
FortiMonitor
14 -
Certificate
14 -
DNS
13 -
FortiDDoS
13 -
BGP
12 -
Routing
12 -
FortiCASB
12 -
SAML
11 -
Interface
11 -
Logging
11 -
FortiGate v5.0
10 -
FortiRecorder
10 -
VDOM
10 -
FortiWeb v5.0
9 -
LDAP
9 -
FortiManager v5.0
9 -
4.0MR2
9 -
RADIUS
8 -
Traffic shaping
8 -
Virtual IP
8 -
FortiAuthenticator
8 -
RMA Information and Announcements
7 -
FortiSOAR
7 -
fortilink
7 -
FortiAnalyzer v5.0
7 -
NAT
7 -
FortiGate v4.0 MR3
7 -
Admin
7 -
4.0
7 -
SSID
6 -
Authentication
6 -
Fortigate Cloud
6 -
IP address management - IPAM
6 -
SSL SSH inspection
5 -
Security profile
5 -
Traffic shaping policy
5 -
FortiBridge
5 -
SNMP
5 -
SSO
5 -
Application control
5 -
FortiManager v4.0
5 -
Static route
5 -
FortiDirector
4 -
WAN optimization
4 -
Web application firewall profile
4 -
DNS Filter
4 -
FortiTester
4 -
FortiCarrier
4 -
FortiCache
4 -
OSPF
4 -
3.6
4 -
FortiScan
4 -
Proxy policy
4 -
IPS signature
3 -
packet capture
3 -
FortiToken Cloud
3 -
Intrusion prevention
3 -
Automation
3 -
DoS policy
3 -
Port policy
3 -
FortiDB
3 -
FortiDeceptor
2 -
FortiInsight
2 -
VoIP profile
2 -
Antivirus profile
2 -
Web profile
2 -
Traffic shaping profile
2 -
FortiAP profile
2 -
FortiAI
2 -
FortiHypervisor
2 -
Netflow
2 -
Fortinet Engage Partner Program
2 -
trunk
2 -
SDN connector
1 -
4.0MR1
1 -
NAC policy
1 -
Users
1 -
Subscription Renewal Policy
1 -
FortiCWP
1 -
FortiNDR
1 -
Web rating
1 -
FortiPAM
1 -
Application signature
1 -
Multicast routing
1 -
Authentication rule and scheme
1 -
Zone
1 -
FortiManager-VM
1 -
Internet Service Database
1 -
System settings
1 -
Explicit proxy
1 -
TACACS
1
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.