Unlock Exclusive Benefits
Join Our Community Today!
Join our community and post in the forum to earn your exclusive Holiday badge! Become a member today!
LOGIN/REGISTER
CONTINUE AS A GUEST
- Support Forum
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDLP
- FortiDevSec
- FortiDeceptor
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiHypervisor
- FortiGuard
- FortiInsight
- FortiIsolator
- FortiMail
- FortiMonitor
- FortiManager
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPhish
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSRA
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- FortiAppSec Cloud
- Lacework
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Support Forum
- Re: SNAT+DNAT and routing issue when SD-WAN enable
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
SNAT+DNAT and routing issue when SD-WAN enable
Hi guys,
I'm having an issue with a snat+dnat configuration to an ipsec tunnell on a Fortigate with SD-WAN enabled. Let me explain... that's what I have:
- an interface, let's call it "PROJECT" with address 10.238.157.1/29
- an host on that network with IP address 10.238.157.3
- an ipsec vpn tunnell called "VPN_CUSTOMER"
- on the other side of the tunnel, this IP: 10.128.0.4/32
- an IP Pool of type One-to-One and range 172.31.100.3-172.31.100.3 called SNAT-CLIENT
- a VIP with external IP 10.238.157.204 and IPv4 address 10.128.0.4 called NAT-DC1
- a policy that allows any service from from the host 10.238.157.3 to the VIP NAT-DC1 using SNAT-CLIENT as NAT IP Pool
- a static route for 10.238.157.128/25 pointing to the VPN tunnel VPN_CUSTOMER
- SD-WAN enabled on my Fortigate
the goal is to snat my host 10.238.157.3 as 172.31.100.3 when communicating with a custiomer's host that has a real ip of 10.128.0.4 without having that particular destination in my routing table so I need also to dnat it as 10.238.157.204.
This configuration I made will not work. Here's a debug flow of what happens:
diagnose debug flow filter daddr 10.238.157.204
diag debug flow show function-name enable
diag debug flow show iprope enable
diag debug console timestamp enable
diag debug flow trace start 999
diag debug enable
2023-07-05 08:11:08 id=20085 trace_id=237 func=print_pkt_detail line=5851 msg="vd-root:0 received a packet(proto=1, 10.238.157.3:1->10.238.157.204:2048) tun_id=0.0.0.0 from PROJECT. type=8, code=0, id=1, seq=3271."
2023-07-05 08:11:08 id=20085 trace_id=237 func=init_ip_session_common line=6023 msg="allocate a new session-0013ff16, tun_id=0.0.0.0"
2023-07-05 08:11:08 id=20085 trace_id=237 func=iprope_dnat_check line=5337 msg="in-[PROJECT], out-[]"
2023-07-05 08:11:08 id=20085 trace_id=237 func=iprope_dnat_tree_check line=827 msg="len=1"
2023-07-05 08:11:08 id=20085 trace_id=237 func=__iprope_check_one_dnat_policy line=5196 msg="checking gnum-100000 policy-4"
2023-07-05 08:11:08 id=20085 trace_id=237 func=get_new_addr line=1225 msg="find DNAT: IP-10.128.0.4, port-0(fixed port)"
2023-07-05 08:11:08 id=20085 trace_id=237 func=__iprope_check_one_dnat_policy line=5293 msg="matched policy-4, act=accept, vip=4, flag=104, sflag=2000000"
2023-07-05 08:11:08 id=20085 trace_id=237 func=iprope_dnat_check line=5350 msg="result: skb_flags-02000000, vid-4, ret-matched, act-accept, flag-00000104"
2023-07-05 08:11:08 id=20085 trace_id=237 func=fw_pre_route_handler line=181 msg="VIP-10.128.0.4:1, outdev-unknown"
2023-07-05 08:11:08 id=20085 trace_id=237 func=__ip_session_run_tuple line=3488 msg="DNAT 10.238.157.204:8->10.128.0.4:1"
2023-07-05 08:11:08 id=20085 trace_id=237 func=rpdb_srv_match_input line=1038 msg="Match policy routing id=2136277011: to 10.128.0.4 via ifindex-36"
2023-07-05 08:11:08 id=20085 trace_id=237 func=vf_ip_route_input_common line=2606 msg="find a route: flag=04000000 gw-93.39.202.27 via AxIt_1"
2023-07-05 08:11:08 id=20085 trace_id=237 func=iprope_fwd_check line=785 msg="in-[PROJECT], out-[AxIt_1], skb_flags-020000c0, vid-4, app_id: 0, url_cat_id: 0"
2023-07-05 08:11:08 id=20085 trace_id=237 func=__iprope_tree_check line=561 msg="gnum-100004, use addr/intf hash, len=4"
2023-07-05 08:11:08 id=20085 trace_id=237 func=__iprope_check_one_policy line=2027 msg="checked gnum-100004 policy-81, ret-no-match, act-accept"
2023-07-05 08:11:08 id=20085 trace_id=237 func=__iprope_check_one_policy line=2027 msg="checked gnum-100004 policy-50, ret-no-match, act-accept"
2023-07-05 08:11:08 id=20085 trace_id=237 func=__iprope_check_one_policy line=2027 msg="checked gnum-100004 policy-64, ret-no-match, act-accept"
2023-07-05 08:11:08 id=20085 trace_id=237 func=__iprope_check_one_policy line=2027 msg="checked gnum-100004 policy-0, ret-matched, act-accept"
2023-07-05 08:11:08 id=20085 trace_id=237 func=__iprope_user_identity_check line=1814 msg="ret-matched"
2023-07-05 08:11:08 id=20085 trace_id=237 func=__iprope_check_one_policy line=2243 msg="policy-0 is matched, act-drop"
2023-07-05 08:11:08 id=20085 trace_id=237 func=iprope_fwd_check line=822 msg="after iprope_captive_check(): is_captive-0, ret-matched, act-drop, idx-0"
2023-07-05 08:11:08 id=20085 trace_id=237 func=iprope_fwd_auth_check line=841 msg="after iprope_captive_check(): is_captive-0, ret-matched, act-drop, idx-0"
2023-07-05 08:11:08 id=20085 trace_id=237 func=fw_forward_handler line=719 msg="Denied by forward policy check (policy 0)"
AxIt_1 is a SD-WAN zone member.
If I set up a static route for the real destination IP with the VPN tunnel as gateway, it works:
2023-07-05 08:13:47 id=20085 trace_id=238 func=print_pkt_detail line=5851 msg="vd-root:0 received a packet(proto=1, 10.238.157.3:1->10.238.157.204:2048) tun_id=0.0.0.0 from PROJECT. type=8, code=0, id=1, seq=3272."
2023-07-05 08:13:47 id=20085 trace_id=238 func=init_ip_session_common line=6023 msg="allocate a new session-0014020a, tun_id=0.0.0.0"
2023-07-05 08:13:47 id=20085 trace_id=238 func=iprope_dnat_check line=5337 msg="in-[PROJECT], out-[]"
2023-07-05 08:13:47 id=20085 trace_id=238 func=iprope_dnat_tree_check line=827 msg="len=1"
2023-07-05 08:13:47 id=20085 trace_id=238 func=__iprope_check_one_dnat_policy line=5196 msg="checking gnum-100000 policy-4"
2023-07-05 08:13:47 id=20085 trace_id=238 func=get_new_addr line=1225 msg="find DNAT: IP-10.128.0.4, port-0(fixed port)"
2023-07-05 08:13:47 id=20085 trace_id=238 func=__iprope_check_one_dnat_policy line=5293 msg="matched policy-4, act=accept, vip=4, flag=104, sflag=2000000"
2023-07-05 08:13:47 id=20085 trace_id=238 func=iprope_dnat_check line=5350 msg="result: skb_flags-02000000, vid-4, ret-matched, act-accept, flag-00000104"
2023-07-05 08:13:47 id=20085 trace_id=238 func=fw_pre_route_handler line=181 msg="VIP-10.128.0.4:1, outdev-unknown"
2023-07-05 08:13:47 id=20085 trace_id=238 func=__ip_session_run_tuple line=3488 msg="DNAT 10.238.157.204:8->10.128.0.4:1"
2023-07-05 08:13:47 id=20085 trace_id=238 func=vf_ip_route_input_common line=2606 msg="find a route: flag=04000000 gw-83.149.159.244 via VPN_CUSTOMER"
2023-07-05 08:13:47 id=20085 trace_id=238 func=iprope_fwd_check line=785 msg="in-[PROJECT], out-[VPN_CUSTOMER], skb_flags-020000c0, vid-4, app_id: 0, url_cat_id: 0"
2023-07-05 08:13:47 id=20085 trace_id=238 func=__iprope_tree_check line=561 msg="gnum-100004, use addr/intf hash, len=6"
2023-07-05 08:13:47 id=20085 trace_id=238 func=__iprope_check_one_policy line=2027 msg="checked gnum-100004 policy-47, ret-matched, act-accept"
2023-07-05 08:13:47 id=20085 trace_id=238 func=__iprope_user_identity_check line=1814 msg="ret-matched"
2023-07-05 08:13:47 id=20085 trace_id=238 func=get_new_addr line=1179 msg="find SNAT: IP-172.31.100.3(from IPPOOL:SNAT-CLIENT)"
2023-07-05 08:13:47 id=20085 trace_id=238 func=__iprope_check_one_policy line=2243 msg="policy-47 is matched, act-accept"
2023-07-05 08:13:47 id=20085 trace_id=238 func=iprope_fwd_check line=822 msg="after iprope_captive_check(): is_captive-0, ret-matched, act-accept, idx-47"
2023-07-05 08:13:47 id=20085 trace_id=238 func=iprope_fwd_auth_check line=841 msg="after iprope_captive_check(): is_captive-0, ret-matched, act-accept, idx-47"
2023-07-05 08:13:47 id=20085 trace_id=238 func=iprope_reverse_dnat_check line=1302 msg="in-[PROJECT], out-[VPN_CUSTOMER], skb_flags-020000c0, vid-4"
2023-07-05 08:13:47 id=20085 trace_id=238 func=iprope_reverse_dnat_tree_check line=919 msg="len=1"
2023-07-05 08:13:47 id=20085 trace_id=238 func=__iprope_check_one_reverse_dnat_policy line=1243 msg="checking gnum-100002 policy-4294967295"
2023-07-05 08:13:47 id=20085 trace_id=238 func=get_new_addr line=1225 msg="find DNAT: IP-172.31.100.3, port-0(fixed port)"
2023-07-05 08:13:47 id=20085 trace_id=238 func=__iprope_check_one_reverse_dnat_policy line=1256 msg="new-ip=172.31.100.3, new-port=0"
2023-07-05 08:13:47 id=20085 trace_id=238 func=fw_forward_handler line=885 msg="Allowed by Policy-47: SNAT"
2023-07-05 08:13:47 id=20085 trace_id=238 func=__ip_session_run_tuple line=3474 msg="SNAT 10.238.157.3->172.31.100.3:1"
2023-07-05 08:13:47 id=20085 trace_id=238 func=ipsecdev_hard_start_xmit line=669 msg="enter IPSec interface VPN_CUSTOMER, tun_id=0.0.0.0"
2023-07-05 08:13:47 id=20085 trace_id=238 func=_do_ipsecdev_hard_start_xmit line=229 msg="output to IPSec tunnel VPN_CUSTOMER"
2023-07-05 08:13:47 id=20085 trace_id=238 func=esp_output4 line=844 msg="IPsec encrypt/auth"
2023-07-05 08:13:47 id=20085 trace_id=238 func=ipsec_output_finish line=546 msg="send to 192.168.1.1 via intf-wan2"
But putting the real network in my routing table voids the purpose of the DNAT.
What's wrong with my configuration? Thanks in advance for any suggestion.
Bye,
Dario
Solved! Go to Solution.
Labels:
- Labels:
-
FortiGate
Nominate a Forum Post for Knowledge Article Creation
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
1 Solution
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Anthony,
I was going to comment on my own post because I was on a wrong path from the beginning.
The dnat is following the route to the real destination address as it should, it's not meant to hide the real addresses from the fortigate. To do what I want, the DNATs should be configured on the other side of the tunnel. Another solution, the one that I adopted, was moving the tunnel and the dnats to a different fortigate that doesn't need to connect to the overlapping networks on my side.
Thanks anyway for taking interest in my post.
Bye
Dario
3 REPLIES 3
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello Dario,
Thank you for using the Community Forum. I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible.
Thanks,
Anthony-Fortinet Community Team.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Anthony,
I was going to comment on my own post because I was on a wrong path from the beginning.
The dnat is following the route to the real destination address as it should, it's not meant to hide the real addresses from the fortigate. To do what I want, the DNATs should be configured on the other side of the tunnel. Another solution, the one that I adopted, was moving the tunnel and the dnats to a different fortigate that doesn't need to connect to the overlapping networks on my side.
Thanks anyway for taking interest in my post.
Bye
Dario
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Dario :)!
I m glad to read it :)!
Hope to read you soon :)!
Anthony-Fortinet Community Team.
Announcements
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
Labels
-
FortiGate
8,686 -
FortiClient
1,758 -
5.2
801 -
FortiManager
727 -
5.4
639 -
FortiAnalyzer
556 -
FortiSwitch
475 -
FortiAP
471 -
FortiClient EMS
430 -
6.0
416 -
5.6
362 -
FortiMail
318 -
6.2
251 -
SSL-VPN
244 -
FortiAuthenticator v5.5
234 -
IPsec
208 -
FortiWeb
205 -
5.0
196 -
FortiNAC
189 -
FortiGuard
139 -
6.4
128 -
SD-WAN
115 -
FortiGateCloud
102 -
FortiAuthenticator
102 -
FortiSIEM
99 -
FortiCloud Products
96 -
FortiToken
91 -
Firewall policy
82 -
Customer Service
79 -
Wireless Controller
79 -
4.0MR3
64 -
FortiProxy
60 -
High Availability
56 -
FortiADC
54 -
Fortivoice
53 -
FortiEDR
51 -
vlan
51 -
ZTNA
49 -
Routing
46 -
FortiExtender
45 -
FortiSandbox
44 -
DNS
43 -
FortiDNS
42 -
LDAP
41 -
BGP
40 -
Authentication
38 -
FortiGate v5.4
35 -
SAML
35 -
NAT
35 -
FortiSwitch v6.4
34 -
RADIUS
34 -
Certificate
34 -
SSO
33 -
Interface
31 -
VDOM
30 -
FortiConnect
29 -
FortiLink
29 -
FortiWAN
27 -
Web profile
27 -
Application control
26 -
FortiConverter
25 -
Logging
25 -
FortiGate v5.2
24 -
Virtual IP
24 -
SSL SSH inspection
23 -
FortiPAM
22 -
Fortigate Cloud
20 -
FortiSwitch v6.2
19 -
FortiPortal
19 -
FortiMonitor
18 -
Traffic shaping
17 -
WAN optimization
16 -
FortiDDoS
15 -
OSPF
15 -
SSID
15 -
Automation
15 -
FortiGate v5.0
14 -
FortiSOAR
14 -
Static route
14 -
System settings
14 -
Web application firewall profile
14 -
IP address management - IPAM
14 -
SNMP
13 -
FortiGate-VM
12 -
FortiCASB
12 -
Admin
12 -
FortiManager v5.0
11 -
FortiRecorder
11 -
Security profile
11 -
FortiManager v4.0
10 -
IPS signature
10 -
FortiAP profile
10 -
Proxy policy
10 -
4.0MR2
9 -
FortiGate v4.0 MR3
9 -
FortiWeb v5.0
9 -
FortiBridge
9 -
Traffic shaping policy
9 -
Intrusion prevention
9 -
FortiDeceptor
8 -
RMA Information and Announcements
8 -
Port policy
8 -
4.0
7 -
FortiAnalyzer v5.0
7 -
FortiCache
7 -
DNS filter
7 -
Antivirus profile
7 -
Fabric connector
7 -
FortiToken Cloud
6 -
Explicit proxy
6 -
trunk
6 -
Packet capture
6 -
Traffic shaping profile
6 -
Web rating
6 -
Fortinet Engage Partner Program
6 -
FortiTester
5 -
Users
5 -
Email filter profile
5 -
3.6
4 -
FortiCarrier
4 -
FortiScan
4 -
FortiDirector
4 -
API
4 -
Internet service database
4 -
Application signature
4 -
Authentication rule and scheme
4 -
DLP sensor
4 -
Netflow
4 -
Replacement messages
4 -
Cloud Management Security
4 -
FortiDB
3 -
FortiHypervisor
3 -
FortiNDR
3 -
NAC policy
3 -
DLP Dictionary
3 -
DLP profile
3 -
DoS policy
3 -
Protocol option
3 -
TACACS
3 -
SDN connector
3 -
Service
3 -
VoIP profile
3 -
Multicast routing
3 -
FortiInsight
2 -
FortiAI
2 -
Kerberos
2 -
Schedule
2 -
Multicast policy
2 -
Zone
2 -
4.0MR1
1 -
FortiManager-VM
1 -
FortiCWP
1 -
Subscription Renewal Policy
1 -
Video Filter
1 -
ICAP profile
1 -
Vulnerability Management
1
Top Kudoed Authors
| User | Count |
|---|---|
| 1710 | |
| 1093 | |
| 752 | |
| 447 | |
| 231 |
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.