Support Forum
dariopalermo76
New Contributor

SNAT+DNAT and routing issue when SD-WAN enable

Hi guys,

I'm having an issue with a SNAT+DNAT configuration towards an IPsec tunnel on a FortiGate with SD-WAN enabled. Let me explain... this is what I have:

 

  • an interface, let's call it "PROJECT" with address 10.238.157.1/29
  • a host on that network with IP address 10.238.157.3
  • an IPsec VPN tunnel called "VPN_CUSTOMER"
  • on the other side of the tunnel, this IP: 10.128.0.4/32
  • an IP Pool of type One-to-One and range 172.31.100.3-172.31.100.3 called SNAT-CLIENT
  • a VIP with external IP 10.238.157.204 and IPv4 address 10.128.0.4 called NAT-DC1
  • a policy that allows any service from the host 10.238.157.3 to the VIP NAT-DC1 using SNAT-CLIENT as NAT IP Pool
  • a static route for 10.238.157.128/25 pointing to the VPN tunnel VPN_CUSTOMER
  • SD-WAN enabled on my Fortigate

 

The goal is to SNAT my host 10.238.157.3 as 172.31.100.3 when communicating with a customer's host that has a real IP of 10.128.0.4, without having that particular destination in my routing table, so I also need to DNAT it as 10.238.157.204.

 

This configuration I made will not work. Here's a debug flow of what happens:

 

diagnose debug flow filter daddr 10.238.157.204
diag debug flow show function-name enable
diag debug flow show iprope enable
diag debug console timestamp enable
diag debug flow trace start 999
diag debug enable

 

2023-07-05 08:11:08 id=20085 trace_id=237 func=print_pkt_detail line=5851 msg="vd-root:0 received a packet(proto=1, 10.238.157.3:1->10.238.157.204:2048) tun_id=0.0.0.0 from PROJECT. type=8, code=0, id=1, seq=3271."
2023-07-05 08:11:08 id=20085 trace_id=237 func=init_ip_session_common line=6023 msg="allocate a new session-0013ff16, tun_id=0.0.0.0"
2023-07-05 08:11:08 id=20085 trace_id=237 func=iprope_dnat_check line=5337 msg="in-[PROJECT], out-[]"
2023-07-05 08:11:08 id=20085 trace_id=237 func=iprope_dnat_tree_check line=827 msg="len=1"
2023-07-05 08:11:08 id=20085 trace_id=237 func=__iprope_check_one_dnat_policy line=5196 msg="checking gnum-100000 policy-4"
2023-07-05 08:11:08 id=20085 trace_id=237 func=get_new_addr line=1225 msg="find DNAT: IP-10.128.0.4, port-0(fixed port)"
2023-07-05 08:11:08 id=20085 trace_id=237 func=__iprope_check_one_dnat_policy line=5293 msg="matched policy-4, act=accept, vip=4, flag=104, sflag=2000000"
2023-07-05 08:11:08 id=20085 trace_id=237 func=iprope_dnat_check line=5350 msg="result: skb_flags-02000000, vid-4, ret-matched, act-accept, flag-00000104"
2023-07-05 08:11:08 id=20085 trace_id=237 func=fw_pre_route_handler line=181 msg="VIP-10.128.0.4:1, outdev-unknown"
2023-07-05 08:11:08 id=20085 trace_id=237 func=__ip_session_run_tuple line=3488 msg="DNAT 10.238.157.204:8->10.128.0.4:1"
2023-07-05 08:11:08 id=20085 trace_id=237 func=rpdb_srv_match_input line=1038 msg="Match policy routing id=2136277011: to 10.128.0.4 via ifindex-36"
2023-07-05 08:11:08 id=20085 trace_id=237 func=vf_ip_route_input_common line=2606 msg="find a route: flag=04000000 gw-93.39.202.27 via AxIt_1"
2023-07-05 08:11:08 id=20085 trace_id=237 func=iprope_fwd_check line=785 msg="in-[PROJECT], out-[AxIt_1], skb_flags-020000c0, vid-4, app_id: 0, url_cat_id: 0"
2023-07-05 08:11:08 id=20085 trace_id=237 func=__iprope_tree_check line=561 msg="gnum-100004, use addr/intf hash, len=4"
2023-07-05 08:11:08 id=20085 trace_id=237 func=__iprope_check_one_policy line=2027 msg="checked gnum-100004 policy-81, ret-no-match, act-accept"
2023-07-05 08:11:08 id=20085 trace_id=237 func=__iprope_check_one_policy line=2027 msg="checked gnum-100004 policy-50, ret-no-match, act-accept"
2023-07-05 08:11:08 id=20085 trace_id=237 func=__iprope_check_one_policy line=2027 msg="checked gnum-100004 policy-64, ret-no-match, act-accept"
2023-07-05 08:11:08 id=20085 trace_id=237 func=__iprope_check_one_policy line=2027 msg="checked gnum-100004 policy-0, ret-matched, act-accept"
2023-07-05 08:11:08 id=20085 trace_id=237 func=__iprope_user_identity_check line=1814 msg="ret-matched"
2023-07-05 08:11:08 id=20085 trace_id=237 func=__iprope_check_one_policy line=2243 msg="policy-0 is matched, act-drop"
2023-07-05 08:11:08 id=20085 trace_id=237 func=iprope_fwd_check line=822 msg="after iprope_captive_check(): is_captive-0, ret-matched, act-drop, idx-0"
2023-07-05 08:11:08 id=20085 trace_id=237 func=iprope_fwd_auth_check line=841 msg="after iprope_captive_check(): is_captive-0, ret-matched, act-drop, idx-0"
2023-07-05 08:11:08 id=20085 trace_id=237 func=fw_forward_handler line=719 msg="Denied by forward policy check (policy 0)"

 

AxIt_1 is a SD-WAN zone member.

 

If I set up a static route for the real destination IP with the VPN tunnel as gateway, it works:

 

2023-07-05 08:13:47 id=20085 trace_id=238 func=print_pkt_detail line=5851 msg="vd-root:0 received a packet(proto=1, 10.238.157.3:1->10.238.157.204:2048) tun_id=0.0.0.0 from PROJECT. type=8, code=0, id=1, seq=3272."
2023-07-05 08:13:47 id=20085 trace_id=238 func=init_ip_session_common line=6023 msg="allocate a new session-0014020a, tun_id=0.0.0.0"
2023-07-05 08:13:47 id=20085 trace_id=238 func=iprope_dnat_check line=5337 msg="in-[PROJECT], out-[]"
2023-07-05 08:13:47 id=20085 trace_id=238 func=iprope_dnat_tree_check line=827 msg="len=1"
2023-07-05 08:13:47 id=20085 trace_id=238 func=__iprope_check_one_dnat_policy line=5196 msg="checking gnum-100000 policy-4"
2023-07-05 08:13:47 id=20085 trace_id=238 func=get_new_addr line=1225 msg="find DNAT: IP-10.128.0.4, port-0(fixed port)"
2023-07-05 08:13:47 id=20085 trace_id=238 func=__iprope_check_one_dnat_policy line=5293 msg="matched policy-4, act=accept, vip=4, flag=104, sflag=2000000"
2023-07-05 08:13:47 id=20085 trace_id=238 func=iprope_dnat_check line=5350 msg="result: skb_flags-02000000, vid-4, ret-matched, act-accept, flag-00000104"
2023-07-05 08:13:47 id=20085 trace_id=238 func=fw_pre_route_handler line=181 msg="VIP-10.128.0.4:1, outdev-unknown"
2023-07-05 08:13:47 id=20085 trace_id=238 func=__ip_session_run_tuple line=3488 msg="DNAT 10.238.157.204:8->10.128.0.4:1"
2023-07-05 08:13:47 id=20085 trace_id=238 func=vf_ip_route_input_common line=2606 msg="find a route: flag=04000000 gw-83.149.159.244 via VPN_CUSTOMER"
2023-07-05 08:13:47 id=20085 trace_id=238 func=iprope_fwd_check line=785 msg="in-[PROJECT], out-[VPN_CUSTOMER], skb_flags-020000c0, vid-4, app_id: 0, url_cat_id: 0"
2023-07-05 08:13:47 id=20085 trace_id=238 func=__iprope_tree_check line=561 msg="gnum-100004, use addr/intf hash, len=6"
2023-07-05 08:13:47 id=20085 trace_id=238 func=__iprope_check_one_policy line=2027 msg="checked gnum-100004 policy-47, ret-matched, act-accept"
2023-07-05 08:13:47 id=20085 trace_id=238 func=__iprope_user_identity_check line=1814 msg="ret-matched"
2023-07-05 08:13:47 id=20085 trace_id=238 func=get_new_addr line=1179 msg="find SNAT: IP-172.31.100.3(from IPPOOL:SNAT-CLIENT)"
2023-07-05 08:13:47 id=20085 trace_id=238 func=__iprope_check_one_policy line=2243 msg="policy-47 is matched, act-accept"
2023-07-05 08:13:47 id=20085 trace_id=238 func=iprope_fwd_check line=822 msg="after iprope_captive_check(): is_captive-0, ret-matched, act-accept, idx-47"
2023-07-05 08:13:47 id=20085 trace_id=238 func=iprope_fwd_auth_check line=841 msg="after iprope_captive_check(): is_captive-0, ret-matched, act-accept, idx-47"
2023-07-05 08:13:47 id=20085 trace_id=238 func=iprope_reverse_dnat_check line=1302 msg="in-[PROJECT], out-[VPN_CUSTOMER], skb_flags-020000c0, vid-4"
2023-07-05 08:13:47 id=20085 trace_id=238 func=iprope_reverse_dnat_tree_check line=919 msg="len=1"
2023-07-05 08:13:47 id=20085 trace_id=238 func=__iprope_check_one_reverse_dnat_policy line=1243 msg="checking gnum-100002 policy-4294967295"
2023-07-05 08:13:47 id=20085 trace_id=238 func=get_new_addr line=1225 msg="find DNAT: IP-172.31.100.3, port-0(fixed port)"
2023-07-05 08:13:47 id=20085 trace_id=238 func=__iprope_check_one_reverse_dnat_policy line=1256 msg="new-ip=172.31.100.3, new-port=0"
2023-07-05 08:13:47 id=20085 trace_id=238 func=fw_forward_handler line=885 msg="Allowed by Policy-47: SNAT"
2023-07-05 08:13:47 id=20085 trace_id=238 func=__ip_session_run_tuple line=3474 msg="SNAT 10.238.157.3->172.31.100.3:1"
2023-07-05 08:13:47 id=20085 trace_id=238 func=ipsecdev_hard_start_xmit line=669 msg="enter IPSec interface VPN_CUSTOMER, tun_id=0.0.0.0"
2023-07-05 08:13:47 id=20085 trace_id=238 func=_do_ipsecdev_hard_start_xmit line=229 msg="output to IPSec tunnel VPN_CUSTOMER"
2023-07-05 08:13:47 id=20085 trace_id=238 func=esp_output4 line=844 msg="IPsec encrypt/auth"
2023-07-05 08:13:47 id=20085 trace_id=238 func=ipsec_output_finish line=546 msg="send to 192.168.1.1 via intf-wan2"

 

But putting the real network in my routing table voids the purpose of the DNAT.

 

What's wrong with my configuration? Thanks in advance for any suggestion.

 

Bye,

Dario

1 Solution
dariopalermo76

Hi Anthony,

I was going to comment on my own post because I was on a wrong path from the beginning.

The DNAT is following the route to the real destination address, as it should; it's not meant to hide the real addresses from the FortiGate. To do what I want, the DNATs should be configured on the other side of the tunnel. Another solution, the one that I adopted, was moving the tunnel and the DNATs to a different FortiGate that doesn't need to connect to the overlapping networks on my side.

 

Thanks anyway for taking interest in my post.

 

Bye

Dario
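As an added example (not part of this thread and not FortiOS code), the Python below parses the decision lines of the two debug-flow traces quoted above and makes the order of operations explicit: the DNAT is applied first, the route lookup then runs on the translated address, the forward policy is matched on the resulting in/out interface pair, and SNAT happens only after an accept. The sample lines are copied from the traces in this thread, with the other lines omitted.

```python
import re

# Constructed sample: the decision lines from the two "diag debug flow" traces quoted
# in this thread (failing trace 237, working trace 238); the other lines are omitted.
SAMPLE_TRACES = """\
trace_id=237 func=__ip_session_run_tuple line=3488 msg="DNAT 10.238.157.204:8->10.128.0.4:1"
trace_id=237 func=vf_ip_route_input_common line=2606 msg="find a route: flag=04000000 gw-93.39.202.27 via AxIt_1"
trace_id=237 func=fw_forward_handler line=719 msg="Denied by forward policy check (policy 0)"
trace_id=238 func=__ip_session_run_tuple line=3488 msg="DNAT 10.238.157.204:8->10.128.0.4:1"
trace_id=238 func=vf_ip_route_input_common line=2606 msg="find a route: flag=04000000 gw-83.149.159.244 via VPN_CUSTOMER"
trace_id=238 func=fw_forward_handler line=885 msg="Allowed by Policy-47: SNAT"
trace_id=238 func=__ip_session_run_tuple line=3474 msg="SNAT 10.238.157.3->172.31.100.3:1"
"""

LINE_RE = re.compile(r'trace_id=(\d+) func=(\S+) .*?msg="(.*)"$')
NEW_ADDR_RE = re.compile(r"->([\d.]+):")  # second address in "DNAT a:p->b:p" / "SNAT a->b:p"

def parse_flow(text):
    """Group lines by trace_id; record each NAT/route/policy decision and its order."""
    traces = {}
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        tid, func, msg = m.groups()
        t = traces.setdefault(tid, {"stages": []})
        if msg.startswith("DNAT "):            # pre-route: destination rewritten first
            t["dnat_dst"] = NEW_ADDR_RE.search(msg).group(1)
            t["stages"].append("dnat")
        elif msg.startswith("find a route"):   # route lookup on the post-DNAT address
            t["outdev"] = msg.rsplit(" via ", 1)[1]
            t["stages"].append("route")
        elif func == "fw_forward_handler":     # forward policy matched on in/out interface
            t["verdict"] = "allow" if msg.startswith("Allowed") else "deny"
            t["policy"] = re.search(r"[Pp]olicy[ -](\d+)", msg).group(1)
            t["stages"].append("policy")
        elif msg.startswith("SNAT "):          # source NAT only after policy accept
            t["snat"] = NEW_ADDR_RE.search(msg).group(1)
            t["stages"].append("snat")
    return traces

def check_egress(t, expected_outdev):
    """Findings explaining why a DNAT'd flow missed its expected egress interface."""
    findings = []
    if "dnat_dst" in t and t.get("outdev") != expected_outdev:
        findings.append(f"route lookup ran on the post-DNAT destination {t['dnat_dst']} and "
                        f"chose {t.get('outdev')}, not {expected_outdev}")
    if t.get("verdict") == "deny":
        findings.append(f"forward policy check denied the session (policy {t['policy']})")
    return findings
```

Running `check_egress(parse_flow(SAMPLE_TRACES)["237"], "VPN_CUSTOMER")` reports both findings for the failing trace, while trace 238 returns none.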


Anthony_E
Community Manager

Hello Dario,


Thank you for using the Community Forum. I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible.


Thanks,

Anthony-Fortinet Community Team.

Anthony_E
Community Manager

Hi Dario :)!

 

I'm glad to read it :)!

 

Hope to read you soon :)!

Anthony-Fortinet Community Team.