Hi guys,
I'm having an issue with a snat+dnat configuration to an ipsec tunnell on a Fortigate with SD-WAN enabled. Let me explain... that's what I have:
the goal is to snat my host 10.238.157.3 as 172.31.100.3 when communicating with a custiomer's host that has a real ip of 10.128.0.4 without having that particular destination in my routing table so I need also to dnat it as 10.238.157.204.
This configuration I made will not work. Here's a debug flow of what happens:
diagnose debug flow filter daddr 10.238.157.204
diag debug flow show function-name enable
diag debug flow show iprope enable
diag debug console timestamp enable
diag debug flow trace start 999
diag debug enable
2023-07-05 08:11:08 id=20085 trace_id=237 func=print_pkt_detail line=5851 msg="vd-root:0 received a packet(proto=1, 10.238.157.3:1->10.238.157.204:2048) tun_id=0.0.0.0 from PROJECT. type=8, code=0, id=1, seq=3271."
2023-07-05 08:11:08 id=20085 trace_id=237 func=init_ip_session_common line=6023 msg="allocate a new session-0013ff16, tun_id=0.0.0.0"
2023-07-05 08:11:08 id=20085 trace_id=237 func=iprope_dnat_check line=5337 msg="in-[PROJECT], out-[]"
2023-07-05 08:11:08 id=20085 trace_id=237 func=iprope_dnat_tree_check line=827 msg="len=1"
2023-07-05 08:11:08 id=20085 trace_id=237 func=__iprope_check_one_dnat_policy line=5196 msg="checking gnum-100000 policy-4"
2023-07-05 08:11:08 id=20085 trace_id=237 func=get_new_addr line=1225 msg="find DNAT: IP-10.128.0.4, port-0(fixed port)"
2023-07-05 08:11:08 id=20085 trace_id=237 func=__iprope_check_one_dnat_policy line=5293 msg="matched policy-4, act=accept, vip=4, flag=104, sflag=2000000"
2023-07-05 08:11:08 id=20085 trace_id=237 func=iprope_dnat_check line=5350 msg="result: skb_flags-02000000, vid-4, ret-matched, act-accept, flag-00000104"
2023-07-05 08:11:08 id=20085 trace_id=237 func=fw_pre_route_handler line=181 msg="VIP-10.128.0.4:1, outdev-unknown"
2023-07-05 08:11:08 id=20085 trace_id=237 func=__ip_session_run_tuple line=3488 msg="DNAT 10.238.157.204:8->10.128.0.4:1"
2023-07-05 08:11:08 id=20085 trace_id=237 func=rpdb_srv_match_input line=1038 msg="Match policy routing id=2136277011: to 10.128.0.4 via ifindex-36"
2023-07-05 08:11:08 id=20085 trace_id=237 func=vf_ip_route_input_common line=2606 msg="find a route: flag=04000000 gw-93.39.202.27 via AxIt_1"
2023-07-05 08:11:08 id=20085 trace_id=237 func=iprope_fwd_check line=785 msg="in-[PROJECT], out-[AxIt_1], skb_flags-020000c0, vid-4, app_id: 0, url_cat_id: 0"
2023-07-05 08:11:08 id=20085 trace_id=237 func=__iprope_tree_check line=561 msg="gnum-100004, use addr/intf hash, len=4"
2023-07-05 08:11:08 id=20085 trace_id=237 func=__iprope_check_one_policy line=2027 msg="checked gnum-100004 policy-81, ret-no-match, act-accept"
2023-07-05 08:11:08 id=20085 trace_id=237 func=__iprope_check_one_policy line=2027 msg="checked gnum-100004 policy-50, ret-no-match, act-accept"
2023-07-05 08:11:08 id=20085 trace_id=237 func=__iprope_check_one_policy line=2027 msg="checked gnum-100004 policy-64, ret-no-match, act-accept"
2023-07-05 08:11:08 id=20085 trace_id=237 func=__iprope_check_one_policy line=2027 msg="checked gnum-100004 policy-0, ret-matched, act-accept"
2023-07-05 08:11:08 id=20085 trace_id=237 func=__iprope_user_identity_check line=1814 msg="ret-matched"
2023-07-05 08:11:08 id=20085 trace_id=237 func=__iprope_check_one_policy line=2243 msg="policy-0 is matched, act-drop"
2023-07-05 08:11:08 id=20085 trace_id=237 func=iprope_fwd_check line=822 msg="after iprope_captive_check(): is_captive-0, ret-matched, act-drop, idx-0"
2023-07-05 08:11:08 id=20085 trace_id=237 func=iprope_fwd_auth_check line=841 msg="after iprope_captive_check(): is_captive-0, ret-matched, act-drop, idx-0"
2023-07-05 08:11:08 id=20085 trace_id=237 func=fw_forward_handler line=719 msg="Denied by forward policy check (policy 0)"
AxIt_1 is a SD-WAN zone member.
If I set up a static route for the real destination IP with the VPN tunnel as gateway, it works:
2023-07-05 08:13:47 id=20085 trace_id=238 func=print_pkt_detail line=5851 msg="vd-root:0 received a packet(proto=1, 10.238.157.3:1->10.238.157.204:2048) tun_id=0.0.0.0 from PROJECT. type=8, code=0, id=1, seq=3272."
2023-07-05 08:13:47 id=20085 trace_id=238 func=init_ip_session_common line=6023 msg="allocate a new session-0014020a, tun_id=0.0.0.0"
2023-07-05 08:13:47 id=20085 trace_id=238 func=iprope_dnat_check line=5337 msg="in-[PROJECT], out-[]"
2023-07-05 08:13:47 id=20085 trace_id=238 func=iprope_dnat_tree_check line=827 msg="len=1"
2023-07-05 08:13:47 id=20085 trace_id=238 func=__iprope_check_one_dnat_policy line=5196 msg="checking gnum-100000 policy-4"
2023-07-05 08:13:47 id=20085 trace_id=238 func=get_new_addr line=1225 msg="find DNAT: IP-10.128.0.4, port-0(fixed port)"
2023-07-05 08:13:47 id=20085 trace_id=238 func=__iprope_check_one_dnat_policy line=5293 msg="matched policy-4, act=accept, vip=4, flag=104, sflag=2000000"
2023-07-05 08:13:47 id=20085 trace_id=238 func=iprope_dnat_check line=5350 msg="result: skb_flags-02000000, vid-4, ret-matched, act-accept, flag-00000104"
2023-07-05 08:13:47 id=20085 trace_id=238 func=fw_pre_route_handler line=181 msg="VIP-10.128.0.4:1, outdev-unknown"
2023-07-05 08:13:47 id=20085 trace_id=238 func=__ip_session_run_tuple line=3488 msg="DNAT 10.238.157.204:8->10.128.0.4:1"
2023-07-05 08:13:47 id=20085 trace_id=238 func=vf_ip_route_input_common line=2606 msg="find a route: flag=04000000 gw-83.149.159.244 via VPN_CUSTOMER"
2023-07-05 08:13:47 id=20085 trace_id=238 func=iprope_fwd_check line=785 msg="in-[PROJECT], out-[VPN_CUSTOMER], skb_flags-020000c0, vid-4, app_id: 0, url_cat_id: 0"
2023-07-05 08:13:47 id=20085 trace_id=238 func=__iprope_tree_check line=561 msg="gnum-100004, use addr/intf hash, len=6"
2023-07-05 08:13:47 id=20085 trace_id=238 func=__iprope_check_one_policy line=2027 msg="checked gnum-100004 policy-47, ret-matched, act-accept"
2023-07-05 08:13:47 id=20085 trace_id=238 func=__iprope_user_identity_check line=1814 msg="ret-matched"
2023-07-05 08:13:47 id=20085 trace_id=238 func=get_new_addr line=1179 msg="find SNAT: IP-172.31.100.3(from IPPOOL:SNAT-CLIENT)"
2023-07-05 08:13:47 id=20085 trace_id=238 func=__iprope_check_one_policy line=2243 msg="policy-47 is matched, act-accept"
2023-07-05 08:13:47 id=20085 trace_id=238 func=iprope_fwd_check line=822 msg="after iprope_captive_check(): is_captive-0, ret-matched, act-accept, idx-47"
2023-07-05 08:13:47 id=20085 trace_id=238 func=iprope_fwd_auth_check line=841 msg="after iprope_captive_check(): is_captive-0, ret-matched, act-accept, idx-47"
2023-07-05 08:13:47 id=20085 trace_id=238 func=iprope_reverse_dnat_check line=1302 msg="in-[PROJECT], out-[VPN_CUSTOMER], skb_flags-020000c0, vid-4"
2023-07-05 08:13:47 id=20085 trace_id=238 func=iprope_reverse_dnat_tree_check line=919 msg="len=1"
2023-07-05 08:13:47 id=20085 trace_id=238 func=__iprope_check_one_reverse_dnat_policy line=1243 msg="checking gnum-100002 policy-4294967295"
2023-07-05 08:13:47 id=20085 trace_id=238 func=get_new_addr line=1225 msg="find DNAT: IP-172.31.100.3, port-0(fixed port)"
2023-07-05 08:13:47 id=20085 trace_id=238 func=__iprope_check_one_reverse_dnat_policy line=1256 msg="new-ip=172.31.100.3, new-port=0"
2023-07-05 08:13:47 id=20085 trace_id=238 func=fw_forward_handler line=885 msg="Allowed by Policy-47: SNAT"
2023-07-05 08:13:47 id=20085 trace_id=238 func=__ip_session_run_tuple line=3474 msg="SNAT 10.238.157.3->172.31.100.3:1"
2023-07-05 08:13:47 id=20085 trace_id=238 func=ipsecdev_hard_start_xmit line=669 msg="enter IPSec interface VPN_CUSTOMER, tun_id=0.0.0.0"
2023-07-05 08:13:47 id=20085 trace_id=238 func=_do_ipsecdev_hard_start_xmit line=229 msg="output to IPSec tunnel VPN_CUSTOMER"
2023-07-05 08:13:47 id=20085 trace_id=238 func=esp_output4 line=844 msg="IPsec encrypt/auth"
2023-07-05 08:13:47 id=20085 trace_id=238 func=ipsec_output_finish line=546 msg="send to 192.168.1.1 via intf-wan2"
But putting the real network in my routing table voids the purpose of the DNAT.
What's wrong with my configuration? Thanks in advance for any suggestion.
Bye,
Dario
Solved! Go to Solution.
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Hi Anthony,
I was going to comment on my own post because I was on a wrong path from the beginning.
The dnat is following the route to the real destination address as it should, it's not meant to hide the real addresses from the fortigate. To do what I want, the DNATs should be configured on the other side of the tunnel. Another solution, the one that I adopted, was moving the tunnel and the dnats to a different fortigate that doesn't need to connect to the overlapping networks on my side.
Thanks anyway for taking interest in my post.
Bye
Dario
Hello Dario,
Thank you for using the Community Forum. I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible.
Thanks,
Hi Anthony,
I was going to comment on my own post because I was on a wrong path from the beginning.
The dnat is following the route to the real destination address as it should, it's not meant to hide the real addresses from the fortigate. To do what I want, the DNATs should be configured on the other side of the tunnel. Another solution, the one that I adopted, was moving the tunnel and the dnats to a different fortigate that doesn't need to connect to the overlapping networks on my side.
Thanks anyway for taking interest in my post.
Bye
Dario
Hi Dario :)!
I m glad to read it :)!
Hope to read you soon :)!
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1712 | |
1093 | |
752 | |
447 | |
231 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.