- Forums
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiAP
- FortiADC
- FortiAnalyzer
- FortiBridge
- FortiAuthenticator
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDDoS
- FortiDAST
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiGate Cloud
- FortiExtender
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiMonitor
- FortiManager
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecorder
- FortiRecon
- FortiSandbox
- FortiScan
- FortiSASE
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- FortiWebCloud
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- bug? snat to wrong address?
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
bug? snat to wrong address?
Hello,
I am struggling with a difficult setup that we want to implement with a customer. FortiOS 5.0.9
This is topology
Router - Interf1(vlan3751)-Customer vdom-Interf2 -vdom link- Application vdom
Traffic flows from Router to Application vdom
We want incoming traffic in Customer vdom to be snatted to 172.16.23.101 and destination natted from 157.52.35.207 to 100.65.16.72. This 100.65.x.x address resides in the Application vdom.
I've put the following rule in place in Customer vdom:
source interface Interf1
source ip any (because any ip can enter this)
dest. interface Interf2
dest ip: vip (157.52.35.207 -> 100.65.16.72)
service ANY
Nat: yes, ip pool 172.16.23.101-172.16.23.101
Now we ping with source ip 10.1.1.20 to 157.52.35.207 and we expect the traffic to be snatted and dnatted so that the packet enters the Application vdom with source address 172.23.1.101 and destination address 100.65.16.72
However, a debug shows this:
id=25956 trace_id=106 msg="vd-Cust-3751 received a packet(proto=1, 10.1.1.20:1->157.52.35.207:8) from vlan3751. code=8, type=0, id=1, seq=715." id=25956 trace_id=106 msg="allocate a new session-00005556" id=25956 trace_id=106 msg="[style="background-color: #ffff00;"]find SNAT: IP-100.65.16.72(from IPPOOL), port-1[/style]" id=25956 trace_id=106 msg="VIP-100.65.16.72:1, outdev-vlan3751" id=25956 trace_id=106 msg="DNAT 157.52.35.207:8->100.65.16.72:1" id=25956 trace_id=106 msg="[style="background-color: #ffff00;"]reverse path check fail, drop"[/style] id=25956 trace_id=106 msg="trace"
Strange thing is the line find SNAT, since I've put a rule to snat to ip 172.16.23.101, see attachment
Anybody knows what goes wrong here?
Please note that the 157.x.x.x address doesn't have an associated interface, but that shouldn't matter. The vdom can listen to it as long as you configure a vip for it , for example. The Interf1 also doesn't have an ip address, shouldn't be needed as well (I think)
Routing is set up.
Thank you and regards,
Ralph
4 REPLIES 4
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Assuming Intf1 has the default route assigned, it seems there is a more specific (static) route missing on Intf2, i.e. to 100.65.16.72/32, so that the FGT knows where to route the traffic to. From the trace it looks like the FGT wants to send it back to Intf1.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This is not a bug but probably your not understand how a VIP works, the proper use of NAT and this part really is confusing
"Nat: yes, ip pool 172.16.23.101-172.16.23.101"
So you have traffic entering with a a SRC of "any" correct ?
You have a vip in the customer-vdom correct ?
Next, you have a route in customer vdom pointing to vip-mapped address { 100.65.16.72 } with this route pointed over the vdom-link, like wise in the vdom application, you have a route pointing outbound over the same link?
Curious, if you disable nat on the vip firewall policy, and move the ip pools to the application-vdom and install it on the "inbound" policy of that virtual-firewall, I bet you this would work out fine. So on fwpolicy ( customer vdom ) you drop the nat and src-nat pool .
And
In application-vdom you perform your SNAT
srcintf -name of vdomlink
dstintf - name of where ever the application interface
srcaddr - any
dstaddr - 100.65.16.72
nat - enable
ip pool - "172.16.23.101-172.16.23.101"
Is that clear ?
PCNSE
NSE
StrongSwan
PCNSE
NSE
StrongSwan
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello Emnoc,
thank you for your advise. I moved the snat to the APP vdom, however same issues arise.
I have to find a way to get the traffic to travel passing the APP vdom manipulated and then reach the APPS environment. Please see drawing attached.
The Customer vdom has no ip addresses on its interfaces.
Interface (8) is in vlan 3751 and receives traffic from router. The traffic that enters is for example ip 10.1.1.20 , with destination 157.52.x.x
This traffic has to leave the APP vdom to APPS environment with source 172.23.1.101 and destination 100.65.16.x
When I move the dnat (from 157.52.x.x to 100.65.16.x) to the APP vdom, then the Customer vdom doesn't reply to (arp) packets for packets that enter Cust.vdom with dest.ip 157.52.x.x
So the Cust.vdom needs to listen to these addresses (though it doesn't have an interface(ip) in this subnet), then translate it to a 100.65.16.x address.
When I move the source natting from cust.vdom to APP vdom, the problem stays there. So now I configured:
On Cust. vdom: port 8 to the vlink with source all ; dest.interf vdom link, destination address: vip 157.52.35.207-> 100.65.16.72, service ANY
On APP vdom: source interf vdom link, source ip: all, dest.interface port 2(is the exit to the APP environment) dest. add 100.65.16.72. Nat enabled, ip pool 172.23.1.101-172.23.1.101
Routing in Cust vdom:
to 100.65.16.0 /24 via vdom link (to APP vdom)
default GW to 157.52.35.195 via interf.8 (which has no ip). Note that this address is in same range as where customer traffic connects to from outside cust.vdom into the cust.vdom.
Routing in App vdom:
route to 10.1.1.20 via vdom link (to Cust. vdom)
route to 100.65.16.0 /24 via port 2 (to apps environment)
this is what I receive:
id=0 trace_id=109 msg="vd-Cust-3751 received a packet(proto=1, 10.1.1.20:1->157.52.35.207:8) from vlan3751. code=8, type=0, id=1, seq=37392." id=0 trace_id=109 msg="allocate a new session-0002b55e" id=0 trace_id=109 msg="find SNAT: IP-100.65.16.72(from IPPOOL), port-1" id=0 trace_id=109 msg="VIP-100.65.16.72:1, outdev-vlan3751" id=0 trace_id=109 msg="DNAT 157.52.35.207:8->100.65.16.72:1" id=0 trace_id=109 msg="reverse path check fail, drop" id=0 trace_id=109 msg="trace"
What I find is strange is the SNAT ip 100.65.16.72 line, since I don't want to SNAT to this address and this address is only configured as DNAT address from the 157.52.x.x address
Is there a way that this can work, or do we have to assign addresses to e.g. port 8 to prevent that we receive reverse path failure messages?
Any help is appreciated!
Thanks,
Ralph
emnoc wrote:This is not a bug but probably your not understand how a VIP works, the proper use of NAT and this part really is confusing
"Nat: yes, ip pool 172.16.23.101-172.16.23.101"
So you have traffic entering with a a SRC of "any" correct ?
You have a vip in the customer-vdom correct ?
Next, you have a route in customer vdom pointing to vip-mapped address { 100.65.16.72 } with this route pointed over the vdom-link, like wise in the vdom application, you have a route pointing outbound over the same link?
Curious, if you disable nat on the vip firewall policy, and move the ip pools to the application-vdom and install it on the "inbound" policy of that virtual-firewall, I bet you this would work out fine. So on fwpolicy ( customer vdom ) you drop the nat and src-nat pool .
And
In application-vdom you perform your SNAT
srcintf -name of vdomlink
dstintf - name of where ever the application interface
srcaddr - any
dstaddr - 100.65.16.72
nat - enable
ip pool - "172.16.23.101-172.16.23.101"
Is that clear ?
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Well, I have it working now. I assigned the customer vlan an ip address in the same subnet as the router and it appears that I can use ip addresses in the same address range of this subnet, on other vdoms, that is needed for the next customers.
Thanks ,
Ralph
Announcements
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
Related Posts
- What da heck is going on... 233 Views
- Problem with DLP on Fortigate 60E 250 Views
- FortiGate 7.4.4 VM IPv6 Prefix Delegation... 187 Views
- Basic EMAC-VLAN question 170 Views
- Packet loss through the Fortigate act-drop 195 Views
Labels
-
FortiGate
7,115 -
FortiClient
1,402 -
5.2
801 -
5.4
639 -
FortiManager
616 -
FortiAnalyzer
451 -
6.0
416 -
FortiAP
373 -
FortiSwitch
369 -
5.6
362 -
FortiClient EMS
288 -
FortiMail
277 -
6.2
251 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
175 -
6.4
128 -
FortiNAC
126 -
FortiGuard
115 -
IPsec
107 -
SSL-VPN
101 -
FortiGateCloud
95 -
FortiSIEM
92 -
FortiCloud Products
88 -
FortiToken
76 -
Customer Service
71 -
Wireless Controller
64 -
4.0MR3
64 -
FortiProxy
49 -
SD-WAN
47 -
FortiADC
45 -
FortiEDR
44 -
Fortivoice
44 -
FortiDNS
38 -
FortiGate v5.4
35 -
FortiAuthenticator
35 -
FortiExtender
34 -
FortiSandbox
33 -
Firewall policy
33 -
FortiSwitch v6.4
32 -
VLAN
31 -
High Availability
31 -
DNS
24 -
FortiWAN
24 -
FortiConnect
24 -
ZTNA
23 -
BGP
21 -
FortiConverter
21 -
Certificate
20 -
SAML
19 -
FortiGate v5.2
19 -
FortiPortal
18 -
Interface
18 -
FortiSwitch v6.2
17 -
LDAP
17 -
VDOM
17 -
FortiMonitor
15 -
Authentication
15 -
Routing
15 -
FortiGate v5.0
14 -
FortiLink
14 -
Fortigate Cloud
14 -
Logging
14 -
FortiDDoS
13 -
RADIUS
12 -
NAT
12 -
FortiCASB
12 -
Web profile
11 -
Traffic shaping
10 -
Virtual IP
10 -
SSL SSH inspection
10 -
SSO
10 -
FortiRecorder
10 -
Application control
10 -
SSID
9 -
FortiWeb v5.0
9 -
FortiManager v5.0
9 -
WAN optimization
9 -
4.0MR2
9 -
IP address management - IPAM
8 -
FortiBridge
8 -
FortiGate v4.0 MR3
8 -
RMA Information and Announcements
7 -
FortiSOAR
7 -
FortiAnalyzer v5.0
7 -
SNMP
7 -
OSPF
7 -
Web application firewall profile
7 -
4.0
7 -
Admin
7 -
Static route
6 -
Security profile
6 -
Proxy policy
6 -
Traffic shaping policy
6 -
FortiAP profile
6 -
IPS signature
5 -
Packet capture
5 -
Automation
5 -
FortiManager v4.0
5 -
trunk
5 -
FortiDirector
4 -
Intrusion prevention
4 -
Port policy
4 -
Antivirus profile
4 -
FortiPAM
4 -
DNS Filter
4 -
FortiCarrier
4 -
FortiCache
4 -
FortiTester
4 -
3.6
4 -
FortiScan
4 -
Web rating
4 -
FortiDeceptor
3 -
NAC policy
3 -
Multicast routing
3 -
System settings
3 -
FortiToken Cloud
3 -
Fortinet Engage Partner Program
3 -
Traffic shaping profile
3 -
FortiDB
3 -
DLP sensor
3 -
DoS policy
3 -
Email filter profile
3 -
Fabric connector
2 -
FortiInsight
2 -
Netflow
2 -
Users
2 -
Protocol option
2 -
FortiAI
2 -
Application signature
2 -
FortiHypervisor
2 -
DLP Dictionary
2 -
VoIP profile
2 -
DLP profile
2 -
Explicit proxy
2 -
4.0MR1
1 -
Multicast policy
1 -
Zone
1 -
FortiCWP
1 -
Kerberos
1 -
Subscription Renewal Policy
1 -
FortiNDR
1 -
TACACS
1 -
Replacement messages
1 -
Schedule
1 -
SDN connector
1 -
FortiManager-VM
1 -
Authentication rule and scheme
1 -
Internet Service Database
1
Top Kudoed Authors
| User | Count |
|---|---|
| 1057 | |
| 874 | |
| 521 | |
| 441 | |
| 146 |
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.