Support Forum
georgeWong
New Contributor

VIP hairpin access

Hi, these days I am studying FGT, and I am confused at this case:

The VIP is set with extintf 'port10', but now 10.10.10.2 accesses 10.10.10.100 port 21; the packet is entering on port9, not on port10. Can this activate the DNAT (VIP)? How does the FGT work in this scene?

I searched many documents but no answer.  Thank you in advance!

[screenshots with configuration snippets attached]

ede_pfau
SuperUser

Is the VIP defined on the 'any' interface or on 'port10'?

The SNAT issue is interesting. Hard to tell if the config is missing from your post (VIP, policy)...do you use Central NAT?

Ede Kernel panic: Aiee, killing interrupt handler!
Debbie_FTNT

Hey ede, George,

-> from the screenshot with configuration snippets, the VIP is configured with extintf port10, correct?
-> you have two policies, 2(from port10 to port9, with VIP as destination, no NAT) and 1(from port9 to port10, with NAT to interface IP enabled)?

Technically, traffic from internal host 10.10.10.2 to 202.106.1.100 (public IP of VIP) would initially match policy 1 (go from port9 to port10 and have NAT applied) and then immediately match policy 2 (VIP), right?

It looks to me a bit as if FortiGate is applying both policies at the same time (matching VIP based on policy 2, applying NAT based on policy 1).

For testing, can you turn off NAT in policy 1 and check if the 'SNAT' bit in debug goes away?

Your setup does mirror scenario 1 as outlined in the KB shared by Patterson:

https://community.fortinet.com/t5/Fortinet-Forum/VIP-hairpin-access/td-p/207277

+++ Divide by Cucumber Error. Please Reinstall Universe and Reboot +++
georgeWong

Hi Debbie, the settings were as you said. I think the Policy-2 SNAT is for traffic to the Internet.

"traffic enters and leaves FortiGate via the same interface. This causes FortiOS to automatically perform SNAT, even if NAT is not configured in the firewall policy." -- This automatic SNAT will be for the hairpin traffic, I think.
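To make the processing order Debbie describes (VIP/DNAT first, then policy lookup and NAT) and the hairpin SNAT rule quoted from the KB above concrete, here is an added Python model of that order. It is not code from this thread or from Fortinet and it simplifies FortiOS heavily. It assumes the thread's interface roles (port9 on the LAN side, port10 on the WAN side), constructed interface IPs, routes and a VIP name, top-down first-match policy evaluation, that a VIP only translates packets arriving on its extintf (or on any interface when extintf is 'any'), that a policy with dstaddr 'all' does not match VIP traffic, and that traffic leaving on the interface it arrived on is SNATed automatically.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed topology modelled on the thread: port9 = LAN side, port10 = WAN side.
# Interface IPs and routes are assumptions, not values taken from the thread.
ROUTES = {"10.10.10.0/24": "port9", "202.106.1.0/24": "port10", "0.0.0.0/0": "port10"}
INTF_IP = {"port9": "10.10.10.1", "port10": "202.106.1.1"}

@dataclass
class Vip:
    name: str
    extintf: str                    # interface the VIP listens on, or 'any'
    extip: str
    mappedip: str
    extport: Optional[int] = None   # None means all ports

@dataclass
class Policy:
    id: int
    srcintf: str
    dstintf: str
    dstaddr: str                    # 'all' or the name of a VIP
    nat: bool                       # source NAT to the egress interface IP

def route_lookup(dst: str) -> str:
    """Longest-prefix match over ROUTES; returns the egress interface."""
    best = max((n for n in ROUTES if ip_address(dst) in ip_network(n)),
               key=lambda n: ip_network(n).prefixlen)
    return ROUTES[best]

def process(src, dst, dport, ingress, vips, policies):
    """Simplified FortiOS order: DNAT (VIP) -> route lookup -> policy -> SNAT."""
    # A VIP only rewrites packets that arrive on its extintf ('any' matches every interface).
    vip = next((v for v in vips
                if v.extintf in ("any", ingress) and v.extip == dst
                and (v.extport is None or v.extport == dport)), None)
    new_dst = vip.mappedip if vip else dst
    egress = route_lookup(new_dst)          # route lookup uses the post-DNAT destination
    # First-match policy lookup; VIP traffic needs a policy that names that VIP (assumption).
    policy = next((p for p in policies
                   if p.srcintf in ("any", ingress) and p.dstintf in ("any", egress)
                   and (p.dstaddr == vip.name if vip else p.dstaddr == "all")), None)
    if policy is None:
        return {"action": "deny", "vip": vip.name if vip else None, "egress": egress}
    hairpin = ingress == egress
    snat = policy.nat or hairpin            # same-interface traffic is SNATed automatically
    return {"action": "accept", "policy": policy.id, "vip": vip.name if vip else None,
            "dst": new_dst, "egress": egress, "hairpin": hairpin,
            "src": INTF_IP[egress] if snat else src}

# Policies as described in the thread: 1 = port9->port10 with NAT, 2 = port10->port9 with the VIP.
POLICIES = [Policy(1, "port9", "port10", "all", True),
            Policy(2, "port10", "port9", "ftp-vip", False)]

def run_scenarios():
    vip_port10 = [Vip("ftp-vip", "port10", "202.106.1.100", "10.10.10.100", 21)]
    vip_any = [Vip("ftp-vip", "any", "202.106.1.100", "10.10.10.100", 21)]
    hairpin_policy = POLICIES + [Policy(3, "port9", "port9", "ftp-vip", False)]
    return {
        # Internet client arriving on port10: the normal inbound VIP case.
        "inbound": process("198.51.100.7", "202.106.1.100", 21, "port10", vip_port10, POLICIES),
        # LAN host arriving on port9 while the VIP is bound to port10: no DNAT takes place,
        # policy 1 matches and the packet is SNATed out of port10 instead of reaching the server.
        "lan_vip_port10": process("10.10.10.2", "202.106.1.100", 21, "port9", vip_port10, POLICIES),
        # extintf 'any' but no port9->port9 policy: DNAT happens, then no policy matches.
        "lan_vip_any_no_policy": process("10.10.10.2", "202.106.1.100", 21, "port9", vip_any, POLICIES),
        # extintf 'any' plus a port9->port9 policy: hairpin, automatically SNATed to the port9 IP.
        "lan_hairpin": process("10.10.10.2", "202.106.1.100", 21, "port9", vip_any, hairpin_policy),
    }

if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(f"{name}: {result}")
```

Running it prints one line per scenario. The second scenario is the situation asked about in the opening post under these assumptions: with the VIP bound to port10, a packet entering on port9 is not a candidate for the VIP's DNAT at all, so it falls through to the outbound policy. The last two scenarios show what changes once the VIP listens on 'any': DNAT now applies, but the post-DNAT egress is port9 again, so a port9-to-port9 policy is needed and the hairpin flow is SNATed.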

georgeWong

Yes Ede, defined on port10. And I don't use Central NAT. All the main settings were in the post. Thank you.
