Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Aleksandr
New Contributor

Question in VIP firewall and NAT

Hi,

 

I have been tasked with solving a problem in a FortiGate 60F configuration. As I have never worked with VIPs, maybe someone could point out where the problem is. Here is what must be done:

Controllers 1 and 2 have the IP addresses 172.22.22.194 and 172.22.22.195; the GW is 172.22.22.206.

The FW configuration regarding these is as follows:

 

config system interface
    edit "vlan 172"
        set vdom "****"
        set ip 172.22.22.194 255.255.255.240
        set allowaccess ping
        set alias "scalit"
        set estimated-upstream-bandwidth 100000
        set estimated-downstream-bandwidth 100000
        set role wan
        set snmp-index 10
        set secondary-IP enable
        set interface "wan1"
        set vlanid 172
        config secondaryip
            edit 1
                set ip 172.22.22.195 255.255.255.240
                set allowaccess ping
            next
        end
    next
end

 

 

config firewall address
    edit "172.22.22.206"
        set uuid 86e0d2c2-ed36-51ec-69b1-611fb6a18871
        set type iprange
        set associated-interface "WAN_scalit"
        set start-ip 172.22.22.206
        set end-ip 172.22.22.206
    next
end

 

config firewall ippool
    edit "172.22.22.194-10.89.48.1"
        set type fixed-port-range
        set startip 172.22.22.194
        set endip 172.22.22.194
        set source-startip 10.89.48.1
        set source-endip 10.89.48.1
    next
    edit "172.22.22.195-10.89.48.2"
        set type fixed-port-range
        set startip 172.22.22.195
        set endip 172.22.22.195
        set source-startip 10.89.48.2
        set source-endip 10.89.48.2
    next
end

 

config firewall vip
    edit "NAT 172.22.22.194-10.89.48.1"
        set uuid 1e7ceb0c-0812-51ed-11db-7c19c7a3060e
        set extip 172.22.22.194
        set extintf "vlan 172"
        set mappedip "10.89.48.1"
    next
    edit "NAT 172.22.22.195-10.89.48.2"
        set uuid 649d34a2-0812-51ed-5348-50612e76170a
        set extip 172.22.22.195
        set extintf "vlan 172"
        set mappedip "10.89.48.2"
    next
end

 

 

config firewall policy
    edit 1
        set name "NAT 172.22.22.194"
        set uuid 43e787b6-0813-51ed-c2eb-5e2ea94095b9
        set srcintf "WAN_scalit"
        set dstintf "scalit Lan"
        set srcaddr "all"
        set dstaddr "NAT 172.22.22.194-10.89.48.1"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 2
        set name "NAT 172.22.22.195"
        set uuid 7d07c20e-0813-51ed-70dd-af11e32461e7
        set srcintf "WAN_scalit"
        set dstintf "scalit Lan"
        set srcaddr "all"
        set dstaddr "NAT 172.22.22.195-10.89.48.2"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end

 

config router static
    edit 1
        set dst 192.168.55.0 255.255.255.0
        set gateway 172.22.22.206
        set device "vlan 172"
    next
end

 

The problem here is that another company can see 172.22.22.195, but not 172.22.22.194.

When they trace both IPs, they see the same MAC address (I suppose because both are on the same FW port).

From what I have read, I need to remove the secondary IP on the FW port, and after that NAT will work as it should.

But why are the IP addresses the same on the FW and on the controllers? Maybe I additionally need to change the IPs on the controllers to the same 172.22.22.XX subnet.

gfleming
Staff

You definitely do not need the secondary IP on the interface to do the DNAT using a VIP. As long as your VIP object is assigned to the interface and has the extip configured, it will respond to ARP for that IP address.

 

Now your config looks a little off, but it's not totally clear how you want this to work. You have a VLAN interface with the 172.22.22.194 IP address assigned, but your policy does not reference that interface (only WAN and LAN).

 

Can you give us a topology of traffic flows and how you want the NAT to work?

 

When you say "controllers", what do you mean? The IP address of the "controller" you are mentioning belongs to a VLAN interface on your FW. So perhaps these controllers have different IP addresses and you want to NAT the 172.22.22.19X addresses coming in on VLAN 172 to them on a different interface?

Hard to say based on your config and description, so it really would be useful to get more details, including a topology diagram and traffic flow.

Cheers,
Graham
Aleksandr

Hi,

 

From what I have, the NAT is:

172.22.22.194 -> NAT -> 10.89.48.1

172.22.22.195 -> NAT -> 10.89.48.2

And if I understand correctly, the controllers (endpoint devices for electricity that send some type of measurements to a monitoring station) have the IP addresses 10.89.48.1 and 10.89.48.2. I received wrong information about the same IPs being on the FW and the controllers.

 

config system interface
    edit "scalit_LAN"
        set vdom "***"
        set ip 10.89.48.6 255.255.255.248
        set allowaccess ping https ssh fabric
        set type hard-switch
        set alias "LAN"
        set device-identification enable
        set lldp-transmission enable
        set role lan
        set snmp-index 16
    next
end

config system zone
    edit "scalit Lan"
        set interface "scalit"
    next
end

 

By the documents, 10.89.48.6/29 is in VLAN 71, but in the configuration I do not see VLAN ID 71 anywhere on the FW. I suspect there is some sort of switch between the FW and the controllers that has VLAN ID 71, but still, the FW should have that VLAN ID interface written as well.

By the looks of it at the moment, I need to remove the secondary IP address on interface VLAN142 on the FW (IP 172.22.22.195 255.255.255.240 must be removed).

VLAN ID 72 must be added on interface scalit_LAN (as it is not written).

As interface VLAN142 also has the primary IP 172.22.22.194 and the VIP also has this IP, should I change the IP on the interface, let's say to 172.22.22.196, so the interface and the VIP would have different IPs?

gfleming

VLAN 71 might be untagged on the connection to the Firewall from the switch. So the firewall does not need to do anything about knowing about or tagging VLAN71. scalit_LAN interface will exist in VLAN71 based on downstream switch config. I'm only basing that on the subnet that exists in scalit_LAN interface and your documentation.

 

So if the packets are coming in on VLAN172 (you said VLAN142 but I think you mean VLAN172?) then yes you do not need secondary IP. VIP will cause FW to reply to ARP requests on that interface.

 

All you need are two VIP objects as you have them configured already (Per above config output).

 

Create two policies with inbound int. VLAN172 and outbound int. scalit_LAN with the destination of the VIP.

 

Now any time a request comes in for the 172.22.22.19X IP, it will be DNATed to the 10.89.48.X IP.

 

There's really good documentation about how DNAT works with VIPs here: https://docs.fortinet.com/document/fortigate/7.2.3/administration-guide/510402/static-virtual-ips

 

Cheers,
Graham
Aleksandr

For the switch: in the config of the FW here:

config system interface
    edit "scalit_LAN"
        set vdom "***"
        set ip 10.89.48.6 255.255.255.248
        set allowaccess ping https ssh fabric
        set type hard-switch
        set alias "LAN"
    next
end

a hardware switch is set, so I suspect there is no additional switch between the FW and the controllers.

 

config system virtual-switch
    edit "scalit"
        set physical-switch "sw0"
        config port
            edit "internal1"
            next
            edit "internal2"
            next
        end
    next
end

 

Yes, you are correct, the VLAN ID is 172; 142 was a typo. But I still refer to this: the FW interface has the same IP as the VIP IP 172.22.22.194. Does that not create an IP conflict?

config system interface
    edit "vlan 172"
        set vdom "****"
        set ip 172.22.22.194 255.255.255.240
    next
end

and

config firewall vip
    edit "NAT 172.22.22.194-10.89.48.1"
        set uuid 1e7ceb0c-0812-51ed-11db-7c19c7a3060e
        set extip 172.22.22.194
        set extintf "vlan 172"
        set mappedip "10.89.48.1"
    next
end

 

I will remove the secondary IP on the interface and then create 2 rules like these:

config firewall policy
    edit 3
        set name "vlan 172 -> scalit_LAN (.194)"
        set srcintf "vlan 172"
        set dstintf "scalit_LAN"
        set srcaddr "172.22.22.194"
        set dstaddr "10.89.48.1"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 4
        set name "vlan 172 -> scalit_LAN (.195)"
        set srcintf "vlan 172"
        set dstintf "scalit_LAN"
        set srcaddr "172.22.22.195"
        set dstaddr "10.89.48.2"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end

 

But isn't that already done here? Because it looks exactly like the document you provided.

 

config firewall vip
    edit "NAT 172.22.22.194-10.89.48.1"
        set uuid 1e7ceb0c-0812-51ed-11db-7c19c7a3060e
        set extip 172.22.22.194
        set extintf "vlan 172"
        set mappedip "10.89.48.1"
    next
    edit "NAT 172.22.22.195-10.89.48.2"
        set uuid 649d34a2-0812-51ed-5348-50612e76170a
        set extip 172.22.22.195
        set extintf "vlan 172"
        set mappedip "10.89.48.2"
    next
end

config firewall policy
    edit 1
        set name "NAT 172.22.22.194"
        set uuid 43e787b6-0813-51ed-c2eb-5e2ea94095b9
        set srcintf "WAN_scalit"
        set dstintf "scalit Lan"
        set srcaddr "all"
        set dstaddr "NAT 172.22.22.194-10.89.48.1"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 2
        set name "NAT 172.22.22.195"
        set uuid 7d07c20e-0813-51ed-70dd-af11e32461e7
        set srcintf "WAN_scalit"
        set dstintf "scalit Lan"
        set srcaddr "all"
        set dstaddr "NAT 172.22.22.195-10.89.48.2"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end

gfleming

It won't create a conflict unless you have other services listening on that IP address. If you do, you can narrow the VIP down to port forwarding only; that way only specific ports will be forwarded on that IP address. Up to you on what you need to do.

 

So in summary here's what you need:

 

1. VIP with ext-intf defined as the interface that is "listening" for the inbound packets

2. Policy with the source interface the same as the ext-intf from the VIP, and the destination interface the downstream interface where the resources exist

3. VIP as defined in step 1 used as "Destination Address" in the policy defined in step 2

 

 

Cheers,
Graham
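To tie the three steps above together, here is one complete configuration for the addressing used in this thread. It is an added example, not config from the original posts or from Fortinet's documentation. It drops the secondary IP that the VIPs make redundant, keeps the VIPs on extintf "vlan 172", and builds the policies with srcintf equal to that extintf (the policies in the first post used "WAN_scalit", which is not the interface the VIPs are bound to). The object and policy names, the "remote-monitoring" address (taken from the 192.168.55.0/24 static route in the first post), the port-restricted VIP on TCP 502 (to keep the FortiGate's own services on the interface IP .194 from being forwarded), and the outbound policy reusing the posted IP pools are all assumptions to adapt; the diagnose commands at the end are how to confirm the FortiGate answers ARP for both addresses and translates the sessions.

```fortios
# Added example (not from the original posts). Names, the remote subnet and
# TCP port 502 are assumptions; adapt them to the real environment.

# 1. The secondary IP on "vlan 172" is not needed: a VIP whose extip is on that
#    interface makes the FortiGate answer ARP for 172.22.22.195 by itself.
config system interface
    edit "vlan 172"
        config secondaryip
            delete 1
        end
        set secondary-IP disable
    next
end

# Assumed source of the inbound requests (the remote company behind the
# 192.168.55.0/24 route). Avoid "all" as srcaddr on an inbound DNAT policy.
config firewall address
    edit "remote-monitoring"
        set subnet 192.168.55.0 255.255.255.0
    next
end

# 2. VIPs: extintf is the interface the packets arrive on ("vlan 172").
#    .194 is also the interface's own IP, so forward only the controller's
#    service port there (assumed TCP 502); .195 can forward everything.
config firewall vip
    edit "VIP-172.22.22.194-to-10.89.48.1-tcp502"
        set extip 172.22.22.194
        set extintf "vlan 172"
        set mappedip "10.89.48.1"
        set portforward enable
        set protocol tcp
        set extport 502
        set mappedport 502
    next
    edit "VIP-172.22.22.195-to-10.89.48.2"
        set extip 172.22.22.195
        set extintf "vlan 172"
        set mappedip "10.89.48.2"
    next
end

# 3. Inbound policies: srcintf = the VIPs' extintf, dstintf = where the
#    controllers sit (if "scalit_LAN" is a zone member, name the zone instead;
#    a zone member cannot be referenced directly), dstaddr = the VIP object.
config firewall policy
    edit 0
        set name "DNAT-194-to-controller1"
        set srcintf "vlan 172"
        set dstintf "scalit_LAN"
        set srcaddr "remote-monitoring"
        set dstaddr "VIP-172.22.22.194-to-10.89.48.1-tcp502"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat disable
        set logtraffic all
    next
    edit 0
        set name "DNAT-195-to-controller2"
        set srcintf "vlan 172"
        set dstintf "scalit_LAN"
        set srcaddr "remote-monitoring"
        set dstaddr "VIP-172.22.22.195-to-10.89.48.2"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat disable
        set logtraffic all
    next
    # Outbound (assumed: the controllers push measurements out). The
    # fixed-port-range pools from the first post map 10.89.48.1 -> .194 and
    # 10.89.48.2 -> .195, so the remote side sees the same IPs both ways.
    edit 0
        set name "SNAT-controllers-out"
        set srcintf "scalit_LAN"
        set dstintf "vlan 172"
        set srcaddr "all"
        set dstaddr "remote-monitoring"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
        set ippool enable
        set poolname "172.22.22.194-10.89.48.1" "172.22.22.195-10.89.48.2"
        set logtraffic all
    next
end

# Verification (CLI, not config):
#   diagnose sniffer packet "vlan 172" 'arp' 4      # FortiGate must reply for .194 and .195
#   diagnose debug flow filter daddr 172.22.22.195
#   diagnose debug flow show function-name enable
#   diagnose debug flow trace start 10
#   diagnose debug enable                          # expect a DNAT line to 10.89.48.2
#   diagnose sys session filter dst 172.22.22.195
#   diagnose sys session list                      # session shows the translated tuple
```

Two points worth checking before relying on this: an interface that has been put into a zone must be referenced by the zone name in srcintf/dstintf, so if "scalit_LAN" really is behind the "scalit Lan" zone, the policies must use the zone; and the sniffer check is the quickest way to reproduce the symptom from the first post (two IPs on one MAC with only one of them answering), since it shows which address the FortiGate actually answers ARP for after the change.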
Aleksandr

I had time to make the configuration on the FW. Basically I removed the secondary IP and additionally changed 1 VIP address, so the interface IP and the VIP IP would be different. I had the same problem, but it was from the controller's side, as it has its own FW there and only responds to a specific IP.

So I think the FortiGate FW problem is solved; thank you.
