There are 2 sorts of NAT: 1. destination NAT - the destination address is substituted in FortiOS this is realised via VIP 2. source NAT - the source address is substituted in FortiOS, if you check " NAT" in the policy, source address is exchanged for the address of the egress interface if you check " dynamic NAT" and specify an IP pool, then addresses from the pool are used instead of the interface address. The symptoms you gave indicate that you are using source NAT. Public access to an internal server via VIP works without source NAT. So if you cannot reach your servers anymore after disabling (source) NAT then your setup is incorrect. - to which interface does your default route point to? - how do you check that a server is accessible? ping doesn' t work if you port-forward!

OK i must have this configured wrong then. Default route I am not sure about. I have 3 interfaces: Global with static route gateway02 Management with static route gateway01 Private with no gateway I have a VIP (59.222.94.5) that is mapped to a server with the private IP (172.18.0.67). It is a one to one mapping. (static NAT) My policy is attached as a screenshot. I test by trying to ssh into the server.

Disable the enable NAT check box and you should be fine. With VIPs you don' t need to enable NAT.

If I do that I can no longer access the server via ssh or anything else. Thats my issue here. Here is my VIP settings

You haven' t answered my question yet: which routes do you have installed, esp. for the private LAN? -> Routing Monitor

Sorry, I didn' t know how to answer. Thanks for the tip. Here are my routes.

OK, imagine you are a packet from an arbitrary address coming in on port2, destination 59.22.94.5 which is your server. The FGT translates your destination IP address to 172.18.0.67 and forwards you to port3 where the server is found using ARP. All of this WITHOUT checking the NAT box in the policy, as it should be. Now, the server responds. Destination address now is some address on the internet. First, the server looks up it' s own routing table where hopefully it finds 172.18.0.1, the port3 address of the FGT, as the default gateway. IF THIS IS NOT THE CASE any return traffic must fail! Now you (the reply packet) reach the FGT on port3. Looking into the routing table, this address is matched by 2 routes: one to port1, one to port2. Which one to take?? Depending on the server' s address, being either odd or even, port1 or port2 will be chosen. So depending on the server' s address you are forwarded to the wrong port and discarded. From the outside it looks like the packet has never reached the server but that' s not true. So, do the following: - clarify which port leads to the internet - create one default route to this port - if you cannot reach any host on the port1 subnet anymore, the routing there is wrong - you should be able to ping your server from the internet now