Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
marypoppins
New Contributor II

dnat without vip

Dear All,

Is there any way to use DNAT without a VIP? I have the following situation:

client PCs --- FortiGate --- other device --- 192.168.5.5
                                           |_ 192.168.6.6

I would like to achieve:

a) A client with IP 10.10.10.10 that wants to go to dst:192.168.5.5 is DNAT-ed to dst:192.168.6.6.

b) Other clients that want to go to dst:192.168.5.5 are not NAT-ed, so dst:192.168.5.5 is unchanged and the packet is simply forwarded to the destination.

My problem is that the 'external IP' is not on the FortiGate, and when I create a DNAT & Virtual IP with:

External IP address/range: 192.168.5.5

Mapped IP address/range: 192.168.6.6

Optional filter / Source address: 10.10.10.10

then a) seems to work (there are DNAT-ed outgoing packets and replies), but b) doesn't work, and the diag flow shows:

"iprope_in_check() check failed on policy 0, drop", as I think the FortiGate treats 192.168.5.5 as a local address because of the VIP.

So is there a way to use only DNAT without a local VIP, or do you have any idea how to solve this problem?

PS: the network is a little bit more complicated than this; there are more "clients", and they are configured with fixed destination servers, so in this way I would like to send some "clients" to another server.

Thank you for reading.

1 Solution
Toshi_Esumi
SuperUser

I haven't tested this, but try this example. It seems to match what you want to do. I found it by just searching "fortigate conditional vip" on the internet. https://kb.fortinet.com/k....do?externalID=FD33298

6 REPLIES

Kangming

b) should access dst 192.168.6.6.

dst:192.168.5.5 cannot exist in two places.

Thanks

Kangming

Toshi_Esumi

You should open a ticket at TAC if a KB doesn't work.

marypoppins

Thank you for answering me. However, in my case the load balancing is unnecessary. But you helped me a lot, because I finally saw a line in your link which is the solution:

set arp-reply disable

 

Thank you
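Putting the thread's pieces together as an added configuration example (this is not config from any of the posts above or from the FD33298 article): a VIP whose external address 192.168.5.5 is owned by a device behind the FortiGate, mapped to 192.168.6.6, restricted by a source filter to 10.10.10.10, and with arp-reply disabled so the FortiGate neither answers ARP for nor claims an address that is not its own. The interface names port1/port2, the object names and the policy IDs (0 = next free) are assumptions; the addresses are the ones from the question.

```fortios
# Added example, not from the thread. Interface names, object names and
# policy IDs are assumptions; addresses are those given in the question.

config firewall vip
    edit "redirect-5.5-to-6.6"
        # external address is NOT a FortiGate address: it belongs to the
        # device behind "other device", so the FortiGate must not own it
        set extip 192.168.5.5
        # interface the clients arrive on (assumed)
        set extintf "port1"
        set mappedip "192.168.6.6"
        # only this client is DNAT-ed; everyone else never matches the VIP
        set src-filter "10.10.10.10"
        # do not answer ARP for / claim 192.168.5.5; the real host keeps it
        set arp-reply disable
    next
end

config firewall policy
    # a) 10.10.10.10 -> 192.168.5.5 is rewritten to 192.168.6.6.
    #    Must sit ABOVE the generic policy: first match wins.
    edit 0
        set name "client-10-to-redirected-server"
        set srcintf "port1"
        set dstintf "port2"
        set srcaddr "all"
        set dstaddr "redirect-5.5-to-6.6"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    # b) all other clients reach 192.168.5.5 unchanged: no NAT, plain forwarding
    edit 0
        set name "others-to-192.168.5.5"
        set srcintf "port1"
        set dstintf "port2"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
```

Two things to check after applying it. First, policy order: the VIP policy must be evaluated before the generic one, otherwise the 10.10.10.10 flows hit the "all/all" policy and are never translated. Second, the return path: there is no SNAT on the VIP policy, so 192.168.6.6 sees the client's real source address and its replies to 10.10.10.10 have to route back through the FortiGate for the reverse translation to happen. To verify both cases, filter the flow trace on the original destination (`diagnose debug flow filter addr 192.168.5.5`, then `diagnose debug flow trace start 10` and `diagnose debug enable`): the 10.10.10.10 session should show the DNAT to 192.168.6.6, and any other client's session should be forwarded without the "iprope_in_check() check failed on policy 0" drop quoted in the question.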

ede_pfau

Thank you for that excellent observation, easily overlooked. Of course, responding to ARP in this case from 2 different hosts will lead to confusion.

Ede Kernel panic: Aiee, killing interrupt handler!
marypoppins

There are no two hosts with the same IP address in this scenario. There is a router/FW which forwards the packets, and if the dst address of a packet is the host with ipA, it forwards that packet to another destination. In other words, the external IP is not on the FortiGate. That is all.

 

Thank you
