sidp
New Contributor III

Weird behavior central SNAT / DNAT VIP

Since I come from Cisco, the way I have to configure NAT in FortiGate is new to me. I have a working configuration but some settings don't make sense to me...

public ip range: 1.2.3.32/27
Fortigate public ip: 1.2.3.36
dmz interface: 10.9.11.1/24
webserver: 10.9.11.254

My goal is a bidirectional nat for a webserver using the public ip 1.2.3.43.

I found the following KB: https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-use-VIP-s-External-IP-Address-for-S...

1. It doesn't matter which interface I use in vip config (extintf) the traffic works anyway no matter if it makes sense or not. Why is that and how should I do it the right way?

2. Configuring "set srcintf-filter dmz" as mentioned in the linked KB results in it not working anymore...

Even more confusing is the fact that this worked a few days ago and yes I did clear the nat cache multiple times in between (diagnose sys session clear).

From my understanding, coming from Cisco, a destination nat should contain source interface (incoming traffic), source network, destination interface and destination network.

For testing purposes I deleted all other nat rules except the default SNAT for outgoing traffic. Currently the configuration looks like this. Incoming and outgoing traffic via the public ip 1.2.3.43 works with this but I'm afraid that this changes somehow when I go live with the firewalls as it already did earlier.

fortigate # sh firewall vip webserver
config firewall vip
edit "webserver"
set extip 1.2.3.43
set mappedip "10.9.11.254"
set extintf "port1"
set nat-source-vip enable
next
end

fortigate # sh firewall ippool SNAT_1.2.3.43
config firewall ippool
edit "SNAT_1.2.3.43"
set type one-to-one
set startip 1.2.3.43
set endip 1.2.3.43
next
end

fortigate # sh firewall central-snat-map
config firewall central-snat-map
edit 1
set srcintf "dmz_zone"
set dstintf "port1"
set orig-addr "SH_webserver-10.9.11.254"
set dst-addr "all"
set nat-ippool "SNAT_1.2.3.43"
next
end

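As an added example (not code from this thread or from Fortinet), here is a small Python script that parses `show` output like the three blocks above and cross-checks the linkage the KB relies on: every VIP with nat-source-vip enabled must be backed by a one-to-one ippool on its extip, and that ippool must be referenced by a central-snat-map entry. The sample input is constructed from the configuration above; the address object behind orig-addr is not resolved.

```python
"""Added example: check each nat-source-vip VIP against its ippool and central-snat-map."""
SAMPLE = """config firewall vip
edit "webserver"
set extip 1.2.3.43
set mappedip "10.9.11.254"
set extintf "port1"
set nat-source-vip enable
next
end
config firewall ippool
edit "SNAT_1.2.3.43"
set type one-to-one
set startip 1.2.3.43
set endip 1.2.3.43
next
end
config firewall central-snat-map
edit 1
set orig-addr "SH_webserver-10.9.11.254"
set nat-ippool "SNAT_1.2.3.43"
next
end
"""  # constructed sample: the thread's three `show` outputs, trimmed to the relevant keys
def parse_show(text):
    # Parse `show` output into {"firewall vip": {"webserver": {key: value}}}
    tables, table, entry = {}, None, None
    for line in text.splitlines():
        head, _, rest = line.strip().partition(" ")
        if head == "config":
            table = tables.setdefault(rest, {})          # e.g. "firewall vip"
        elif head == "edit":
            entry = table.setdefault(rest.strip('"'), {})
        elif head == "set":
            key, _, value = rest.partition(" ")
            entry[key] = value.strip('"')
    return tables
def check_bidirectional_nat(cfg):
    """Return findings (empty = consistent); extintf is not checked, as the thread reads it as policy-matching only."""
    findings, pools = [], cfg.get("firewall ippool", {})
    used = {m.get("nat-ippool") for m in cfg.get("firewall central-snat-map", {}).values()}
    for name, vip in cfg.get("firewall vip", {}).items():
        if vip.get("nat-source-vip") != "enable":
            continue
        match = [p for p, v in pools.items() if v.get("type") == "one-to-one"
                 and v.get("startip") == vip.get("extip") == v.get("endip")]
        if not match:
            findings.append(f"{name}: no one-to-one ippool for {vip.get('extip')}")
        elif not used & set(match):
            findings.append(f"{name}: ippool {match[0]} unused by central-snat-map")
    return findings
```

Run it against the concatenated output of the three `show` commands; an empty result means the VIP, ippool and central SNAT entry agree on 1.2.3.43.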
gfleming
Staff

First question: do you have a requirement to be using Central SNAT? Usually in FortiGate land it is easier to use policy NAT.

If you are using Central SNAT you have to treat your DNAT VIPs a bit differently. See here: https://docs.fortinet.com/document/fortigate/7.2.3/administration-guide/448790/central-dnat

I'm not 100% sure but in Central NAT I don't believe the VIP ext-intf has any bearing on the NAT functionality. It is used for policy application only.

Cheers,
Graham
sidp
New Contributor III

Hi Graham,

Our network partner and some FortiGate engineers recommended that we enable central SNAT so we can more easily migrate our current Cisco configuration. For our migration scripts we use the API. The configuration includes about 660 VPNs, 140 NAT and 800 policy rules, so we do it with API scripts.

"I'm not 100% sure but in Central NAT I don't believe the VIP ext-intf has any bearing on the NAT functionality. It is used for policy application only."

That would explain a lot but can we somehow verify the assumption?

Best Regards,

Patrick

gfleming

OK in that case yes Central NAT makes sense.

Per the documentation, "ext-intf" setting on VIP is defined as "The external interface that the firewall policy source interface must match." So in this case under Central NAT where VIPs are not assigned to a firewall policy I think it's fair to say the ext-intf setting has no bearing.

Cheers,
Graham
sidp
New Contributor III

Thanks Graham.

The support ticket is still open, I will post the update here as soon as I get an answer.
