I have a VIP for the server SCMAAS01 (10.128.0.30) where the external IP is 10.146.136.30 and the internal IP is 10.128.0.30. This VIP is only used in a policy (id 49) from an IPsec tunnel (VPN_2_ETA) to the internal interface (SERVER) for all protocols.
For the other direction, I use an IP pool named NAT_SCMAAS01 whose external IP range is 10.146.136.30-10.146.136.30, of type One-to-One. This object is only used in the policy (id 48) from an IPsec tunnel (VPN_2_ETA) to the internal interface (SERVER) for all protocols.
Now, this server (10.128.0.30) is unable to reach the internet. A policy exists to allow the traffic, but I saw in the log that SNAT is applied too... In the policy (id 50) that allows this server to reach the internet, NAT is configured of course, but we use the outgoing interface (18.104.22.168) rather than the NAT pool.
Below is the log.
SCMAFW01 # 2018-09-13 11:33:22 id=20085 trace_id=1503 func=print_pkt_detail line=5292 msg="vd-root received a packet(proto=6, 10.128.0.30:61013->22.214.171.124:53) from SERVERS. flag , seq 4119206949, ack 0, win 8192"
2018-09-13 11:33:22 id=20085 trace_id=1503 func=init_ip_session_common line=5451 msg="allocate a new session-005aed6c"
2018-09-13 11:33:22 id=20085 trace_id=1503 func=vf_ip_route_input_common line=2576 msg="find a route: flag=04000000 gw-126.96.36.199 via wan1"
2018-09-13 11:33:22 id=20085 trace_id=1503 func=fw_forward_handler line=743 msg="Allowed by Policy-50: SNAT"
2018-09-13 11:33:22 id=20085 trace_id=1503 func=__ip_session_run_tuple line=3190 msg="SNAT 10.128.0.30->10.146.136.30:61013"
Yes, and I guess I found my problem: when using a VIP without port forwarding enabled, the internal IP address in the Mapped field is translated to the IP address configured as the External Address in the VIP settings.
I need to specify port forwarding first, and probably the interface or the source IPs.
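As an added illustration (not the poster's own configuration), here is the all-protocol VIP shape that causes the implicit source NAT seen in the debug flow, next to the port-forwarding form the reply describes, in FortiOS CLI syntax. The object name VIP_SCMAAS01, the TCP/443 port pair and the use of srcintf-filter to tie the VIP to the VPN_2_ETA tunnel are assumptions for the example.

```text
# Before (assumed shape): all-protocol VIP with port forwarding disabled.
# With this object present, a NAT-enabled policy such as Policy-50 also
# source-NATs outbound traffic from 10.128.0.30 to the VIP external address,
# which is the "SNAT 10.128.0.30->10.146.136.30" line in the debug flow,
# instead of using the outgoing interface address.
config firewall vip
    edit "VIP_SCMAAS01"
        set extip 10.146.136.30
        set extintf "any"
        set mappedip "10.128.0.30"
        set portforward disable
    next
end

# After: port-forwarding VIP limited to one protocol/port pair and to the
# tunnel interface. Port values are assumed for the example; use the service
# the server actually publishes. Outbound traffic from 10.128.0.30 is then
# SNATed by Policy-50 to the outgoing interface address as intended.
config firewall vip
    edit "VIP_SCMAAS01"
        set extip 10.146.136.30
        set extintf "any"
        set srcintf-filter "VPN_2_ETA"
        set portforward enable
        set mappedip "10.128.0.30"
        set protocol tcp
        set extport 443
        set mappedport 443
    next
end
```

After the change, re-run the debug flow for a connection from 10.128.0.30 to the internet and confirm the SNAT line shows the wan1 address rather than 10.146.136.30.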