Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
WalterW

VIP (DNAT) effect on SNAT behavior

Hi,

FortiOS 7.0.x. We have defined a VIP translating the external address X.X.X.X to the internal address Y.Y.Y.Y, like this:

config firewall vip
    edit "vip_server_vpn"
        set type static-nat
        set extip X.X.X.X
        set mappedip "Y.Y.Y.Y"
        set extintf "any"
        set portforward enable
        set extport 1-65535
        set mappedport 1-65535
    next
end

We are using this VIP in multiple firewall policies with traffic coming in on different IPSEC tunnel interfaces.

It works as expected. Now we want to initiate outgoing connections from the internal server Y.Y.Y.Y -> Internet (0.0.0.0/0). In the related firewall policy we have enabled "NAT / Use outgoing interface address".

As we can see from the traffic capture, the SNAT is performed using the external VIP address (X.X.X.X) and not the external interface IP. This behavior is unexpected. We would like to SNAT to the FGT external interface IP address.

I had a look here in the knowledge base, and in the article https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-use-VIP-s-External-IP-Address-for-S... it is stated:

"-> When port-forwarding is disabled on the VIP and Source NAT with Outgoing Interface Address is enabled on Firewall Policy#1, irrespective of the 'nat-source-vip' setting, traffic matching firewall policy #1 will be Source NAT'd with the VIP's external IP address instead of the outgoing physical interface IP address."

OK, that is clear, but in our case we have port-forwarding enabled. For this it is stated:

"-> When port-forwarding is enabled on the VIP, the 'nat-source-vip' setting must be enabled, and the VIP's external IP will be used for SNAT only when the source port of the HOST-generated traffic falls in the port range configured for the VIP."

My conclusion was: when port-forwarding is enabled on the VIP and nat-source-vip is disabled, the SNAT would use the FGT interface IP and not the VIP external IP.

Is the exact behavior (for all possible cases) documented somewhere? Like in a table?

What would be the solution in our case? Would we end up defining a specific VIP (even if the external VIP IP is the same) for each specific IPSEC tunnel interface, using a different "extintf <tunnel>" for each?

1 Solution
Sachin_Alex_Cherian_

Hi Walter,

Setting 'nat-source-vip' controls how the SNAT applies, and it is done in the following order:

1. reverse SNAT according to the VIP if nat-source-vip is enabled; otherwise
2. ippool specified in the policy (lan to wan policy)
3. reverse SNAT according to the VIP if nat-source-vip is disabled
4. IP of the outgoing interface

Keeping the above in mind, with port forwarding enabled, only if the server-initiated traffic matches the configured ports in the VIP would the VIP external IP be used. If it does not match the VIP ports configured in port-forwarding, the interface IP would be used.
In your case, since the port forwarding is done for 1-65535, the logic of rule 3 mentioned above gets applied.

Having explained the above, I guess you have 2 options:
1) restrict the port forwarding to specific service ports, as Graham suggested earlier.
2) If the ports have to be wide open, or the server initiates back traffic on the same port, you can use an ippool to override the VIP while doing SNAT.

Hope the above explanation helps with your setup.

Regards,
Sachin.


gfleming

The problem is you have defined the entire range of ports in your VIP, so any outgoing traffic from the server will use one of those ports and so the VIP extip will be used in SNAT.

Can you narrow down the ports used in the VIP?

Cheers,
Graham
WalterW

Thanks for the suggestion. I see; as we are using Linux as the OS on the server side, we could - with respect to the Linux dynamic port range, which is 32768-60999 by default - limit the port forwarding on the VIP to the lower ports, e.g. 1-32767. I will give this a try.

gfleming

May I ask why you need to forward all of those ports to the linux server? Surely it is not listening on all those ports?

Cheers,
Graham
WalterW

Hi Graham,

it is more a "convenience" thing:

  • We were starting with a "plain" vip without specifying port forwarding
  • Ran into the issue that it overrides even the "ippool" setting for outgoing SNAT
  • As workaround configured port-forwarding with full port range (this doesn't override the ippool, but overrides the "use interface ip" setting)

This is a setup on AWS, where we are using the Fortigate mainly as a VPN concentrator, not so much for packet filtering (this is done on AWS level).

WalterW

Hi Sachin,

thanks, this clarified it. However, we were seeing that it also makes a difference whether you are using just a "vip" (which forwards all IP) or a "vip with port-forwarding":

  • only vip even overrides the SNAT ippool for traffic originating from the internal IP going out
  • vip with port-forwarding has the above described behavior

Is the outgoing interface also taken into account?

E.g. if I would specify a srcintf-filter in the VIP, I guess the SNAT to the external VIP IP would only be done if the traffic will leave that specific interface, right?

I would really appreciate if all this behavior could be turned off with a global config, so you have full manual control over the SNAT. There are just too many possibilities you have to think of, IMHO.

Regards

Walter

gfleming

You could consider looking at Central NAT. It might be more suitable for you:

https://docs.fortinet.com/document/fortigate/7.2.4/administration-guide/421028/central-snat

Cheers,
Graham
Sachin_Alex_Cherian_

Hi Walter,

When a VIP is configured with port forwarding, you need to consider whether it gets triggered or not. In your case, "vip" (which forwards all IP) and "vip with port-forwarding" are effectively the same, because you mentioned the 1-65535 port range, which makes it the same as not enabling port-forwarding.

There is no global setting to disable this behaviour.

Regards,
Sachin.
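Walter asked whether the behaviour is documented "like in a table". The script below is an added illustration, not FortiOS code and not from anyone in this thread: it encodes the four-step order from Sachin's accepted answer together with the port-forwarding condition quoted from the knowledge-base article, and prints the resulting decision table for the cases the thread discusses (plain VIP, full-range port forwarding, the 1-32767 restriction, nat-source-vip, and an ippool on the policy). Two points are assumptions: the addresses (203.0.113.10, 10.0.0.5, 198.51.100.1, 203.0.113.20) are constructed stand-ins for X.X.X.X / Y.Y.Y.Y, and the host's source port is compared against the VIP's mapped port range (both ranges are 1-65535 in the post, so it makes no difference there). For a VIP without port-forwarding the model follows the KB quote and Walter's own observation that the VIP extip overrides even an ippool; Sachin's final reply treats a 1-65535 port-forwarding VIP as equivalent to a plain one, which the model deliberately does not do, so treat its output as something to check against a packet capture rather than as the authoritative rule.

```python
"""Model of the SNAT source-selection order discussed in this thread.

Added illustration, not FortiOS code: it encodes the four-step order from
the accepted answer plus the port-forwarding condition quoted from the
knowledge-base article, and prints the resulting decision table.
"""
from dataclasses import dataclass
from typing import Optional

# Constructed addresses standing in for X.X.X.X / Y.Y.Y.Y in the post.
VIP_EXTIP = "203.0.113.10"   # VIP extip
SERVER_IP = "10.0.0.5"       # VIP mappedip (the internal server)
WAN_IF_IP = "198.51.100.1"   # outgoing interface address
IPPOOL_IP = "203.0.113.20"   # ippool address set on the outbound policy


@dataclass(frozen=True)
class Vip:
    extip: str
    mappedip: str
    portforward: bool = False
    # Assumption: the host's source port is compared against the mapped port
    # range (in the thread both ranges are 1-65535, so it makes no difference).
    mappedport: tuple = (1, 65535)
    nat_source_vip: bool = False


def vip_covers(vip: Vip, src_ip: str, src_port: int) -> bool:
    """Whether server-initiated traffic falls under the VIP's reverse-SNAT rule."""
    if src_ip != vip.mappedip:
        return False
    if not vip.portforward:
        return True          # plain VIP: every port of the mapped host is covered
    lo, hi = vip.mappedport
    return lo <= src_port <= hi


def select_snat_source(vip: Optional[Vip], src_ip: str, src_port: int,
                       ippool: Optional[str], outgoing_if_ip: str) -> tuple:
    """Return (address used for SNAT, rule that selected it)."""
    covered = vip is not None and vip_covers(vip, src_ip, src_port)
    # Plain VIP (no port-forwarding): per the quoted KB text and Walter's
    # observation, the VIP extip wins irrespective of nat-source-vip or ippool.
    if covered and not vip.portforward:
        return vip.extip, "VIP extip (plain VIP, overrides ippool)"
    # Port-forwarding VIP: the four-step order from the accepted answer.
    if covered and vip.nat_source_vip:
        return vip.extip, "1: VIP extip (nat-source-vip enabled)"
    if ippool:
        return ippool, "2: ippool on policy"
    if covered:
        return vip.extip, "3: VIP extip (nat-source-vip disabled)"
    return outgoing_if_ip, "4: outgoing interface IP"


def decision_table(src_port: int = 40000) -> list:
    """Enumerate the thread's cases for one server-side source port."""
    variants = [
        ("plain VIP", Vip(VIP_EXTIP, SERVER_IP)),
        ("portforward 1-65535", Vip(VIP_EXTIP, SERVER_IP, True, (1, 65535))),
        ("portforward 1-32767", Vip(VIP_EXTIP, SERVER_IP, True, (1, 32767))),
        ("portforward 1-65535 + nat-source-vip",
         Vip(VIP_EXTIP, SERVER_IP, True, (1, 65535), True)),
    ]
    rows = []
    for name, vip in variants:
        for ippool in (None, IPPOOL_IP):
            addr, rule = select_snat_source(vip, SERVER_IP, src_port, ippool, WAN_IF_IP)
            rows.append((name, "ippool" if ippool else "interface", addr, rule))
    return rows


if __name__ == "__main__":
    # Default port 40000 sits inside Linux's default dynamic range 32768-60999.
    for name, policy_nat, addr, rule in decision_table():
        print(f"{name:38} {policy_nat:10} -> {addr:14} {rule}")
```

Running it with the default source port reproduces the thread's findings: the full-range VIP hands out the extip via rule 3, the 1-32767 restriction lets an ephemeral port fall through to the interface address (rule 4), and an ippool on the policy takes precedence over a port-forwarding VIP (rule 2) but, in this model, not over a plain one.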