Dear All,
Is there any way to use DNAT without a VIP? I have the following situation:

    clients pc --- fortigate ---- other device --- 192.168.5.5
                                             |_ 192.168.6.6

I would like to achieve:
a) A client with IP 10.10.10.10 that wants to go to dst 192.168.5.5 is DNAT-ed to dst 192.168.6.6.
b) Other clients that want to go to dst 192.168.5.5 are not NAT-ed, so dst 192.168.5.5 is unchanged and simply forwarded to the destination.
My problem is that the 'external IP' is not on the FortiGate, and when I create a DNAT & Virtual IP with:
External IP address/range : 192.168.5.5
Mapped IP address/range : 192.168.6.6
Optional filter / Source address : 10.10.10.10
Then a) seems to work: there are DNAT-ed outgoing packets and replies, but b) doesn't work, and the diag flow shows:
"iprope_in_check() check failed on policy 0, drop", as I think the FortiGate knows 192.168.5.5 is a local address because of the VIP.
So is there a way to use only DNAT without a local VIP, or do you have any idea how to solve this problem?
PS: the network is a little bit more complicated than this; there are more "clients" and those are configured with fixed destination servers, so this way I would like to send some "clients" to another server.
Thank you for reading.
I haven't tested this but try this example. Seems to match what you want to do. I found this by just searching "fortigate conditional vip" on the internet. https://kb.fortinet.com/k....do?externalID=FD33298
B) Should access DST 192.168.6.6
dst:192.168.5.5 cannot exist in two places.
Thanks
Kangming
You should open a ticket at TAC if a KB doesn't work.
Thank you for answering me. However, in my case the load balancing is unnecessary. But you helped me a lot, because in your link I finally saw a line which is the solution:
set arp-reply disable
Thank you
Thank you for that excellent observation, easily overlooked. Of course, responding to ARP in this case from two different hosts would lead to confusion.
There are no two hosts with the same IP address in this scenario. There is a router/firewall which forwards the packets, and if the dst address of a packet is the host with IP A, then it forwards that packet to another destination. In other words, the external IP is not on the FortiGate. That is all.
Thank you
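For readers landing on this thread later, here is a complete CLI version of the configuration the thread converges on: a VIP restricted by a source filter, with ARP replies disabled so the FortiGate does not claim 192.168.5.5 as its own address, plus a second policy that passes everyone else through unchanged. This is an added example, not the original poster's configuration and not the contents of the linked KB article. The interface names (port1 = client side, port2 = towards the "other device"), the address object names, the VIP name and the policy IDs are assumptions; the IP addresses are the ones from the thread.

```fortios
# Added example (not from the thread). Assumed names: port1, port2,
# host-10.10.10.10, host-192.168.5.5, vip-5.5-to-6.6-src-10.10.10.10,
# policy IDs 10 and 11. Addresses are the ones discussed in the thread.

config firewall address
    edit "host-10.10.10.10"
        set subnet 10.10.10.10 255.255.255.255
    next
    edit "host-192.168.5.5"
        set subnet 192.168.5.5 255.255.255.255
    next
end

# The VIP: only packets from 10.10.10.10 match it (src-filter), and with
# arp-reply disabled the FortiGate does not answer ARP for 192.168.5.5,
# which is what made traffic from other clients hit "policy 0, drop".
# The default for arp-reply is enable.
config firewall vip
    edit "vip-5.5-to-6.6-src-10.10.10.10"
        set extintf "port1"
        set extip 192.168.5.5
        set mappedip "192.168.6.6"
        set src-filter "10.10.10.10"
        set arp-reply disable
    next
end

config firewall policy
    # Policy 10: the one client that must be redirected. dstaddr is the
    # VIP object, so DNAT 192.168.5.5 -> 192.168.6.6 applies only here.
    edit 10
        set name "client-10.10.10.10-to-6.6"
        set srcintf "port1"
        set dstintf "port2"
        set srcaddr "host-10.10.10.10"
        set dstaddr "vip-5.5-to-6.6-src-10.10.10.10"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
    # Policy 11: every other client reaches 192.168.5.5 unchanged, no NAT.
    edit 11
        set name "others-to-5.5-no-nat"
        set srcintf "port1"
        set dstintf "port2"
        set srcaddr "all"
        set dstaddr "host-192.168.5.5"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
end

# Check from the CLI: trace a flow from another client to 192.168.5.5 and
# confirm it is accepted by policy 11 with the destination left untouched,
# then trace 10.10.10.10 and confirm it lands on policy 10 with DNAT.
diagnose debug flow filter daddr 192.168.5.5
diagnose debug flow show function-name enable
diagnose debug flow trace start 10
diagnose debug enable
# ... generate traffic from both kinds of client, then:
diagnose debug flow trace stop
diagnose debug disable
diagnose debug flow filter clear
```

Two things to verify before relying on this: the FortiGate must have routes for both 192.168.5.5 and 192.168.6.6 pointing out port2 (through the "other device"), and the specific policy (10) should sit above the catch-all (11) in the policy sequence so that a later broader policy never shadows it. If a reply from 192.168.6.6 is seen leaving the FortiGate untranslated, re-check that the VIP is referenced as dstaddr in policy 10 rather than the plain address object.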
Copyright 2024 Fortinet, Inc. All Rights Reserved.