Unlock Exclusive Benefits
Join Our Community Today!
Join our community and post in the forum to earn your exclusive Summer 2024 badge! Become a member today!
LOGIN/REGISTER
CONTINUE AS A GUEST
- Forums
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiBridge
- FortiAuthenticator
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDDoS
- FortiDAST
- FortiDB
- FortiDNS
- FortiDevSec
- FortiDeceptor
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGuard
- FortiGate Cloud
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiMonitor
- FortiManager
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecorder
- FortiRecon
- FortiSandbox
- FortiScan
- FortiSASE
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiToken
- FortiTester
- FortiWAN
- FortiVoice
- FortiWeb
- FortiWebCloud
- RMA Information and Announcements
- Wireless Controller
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- dnat without vip
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
dnat without vip
Dear All,
Is there any way to use dnat without a vip? I have the following situation:
clients pc --- fortigate ---- other device --- 192.168.5.5
|_ 192.168.6.6
I would like to achieve:
a) - A client with ip 10.10.10.10 if want to go to dst:192.168.5.5 then it dnat-ed to dst:192.168.6.6.
b) -while other clients if want to go to dst:192.168.5.5 then no-nat-ed, so dst:192.168.5.5 is unchanged and simply forward to the dst.
My problem is that the 'external ip' is not on fortigate, and when I create a DNAT & Virtual IP with:
External IP address/range : 192.168.5.5
Mapped IP address/range : 192.168.6.6
Optional filter / Source address : 10.10.10.10
Then a) seems to work, there is dnat-ed outgoing packets and replies, but b) doesn't work, and the diag flow shows:
"iprope_in_check() check failed on policy 0, drop", as I think fortigate knows 192.168.5.5 is local address because of vip.
So is there a way using only dnat without local vip, or do you have any idea how to solve this problem?
Ps: the network is a little bit complicated than this, there are more "clients" and those have config with fix destination servers, so this way I would like to send some "clients" to another server.
Than you for reading me
Solved! Go to Solution.
Nominate a Forum Post for Knowledge Article Creation
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
1 Solution
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I haven't tested this but try this example. Seems to match what you want to do. I found this by just searching "fortigate conditional vip" on the internet. https://kb.fortinet.com/k....do?externalID=FD33298
6 REPLIES 6
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I haven't tested this but try this example. Seems to match what you want to do. I found this by just searching "fortigate conditional vip" on the internet. https://kb.fortinet.com/k....do?externalID=FD33298
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
B) Should access DST 192.168.6.6
dst:192.168.5.5 cannot exist in two places.
Thanks
Kangming
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You should open a ticket at TAC if a KB doesn't work.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you for answering me. However in my case the load balancing is unnecessary. But you helped me a lot, because I finally i saw your link a line, which is the solution:
set arp-reply disable
Thank you
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you for that excellent observation, easily to be overlooked. Of course, responding to arp in this case, from 2 different hosts, will lead to confusion.
Ede Kernel panic: Aiee, killing interrupt handler!
Ede Kernel panic: Aiee, killing interrupt handler!
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
There is no two host with the same ip address in this scenario. There is a router/fw which forward the packets, and if the dst address is the host with ipA for a packet then it forwards that packet to an other destination. With other words the external ip is not on the fortigate. That is all.
Thank you
Announcements
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
Related Posts
- How Involved DNAT & VIP configuration... 29 Views
- Using DNAT and SNAT simultaneously. 243 Views
- Unable to route public IP into... 181 Views
- What might be the cause of... 576 Views
- Failover routing to APN 371 Views
Labels
-
Fortigate
7,446 -
FortiClient
1,469 -
5.2
801 -
5.4
639 -
FortiManager
637 -
FortiAnalyzer
484 -
6.0
416 -
FortiSwitch
387 -
FortiAP
386 -
5.6
362 -
FortiClient EMS
312 -
FortiMail
287 -
6.2
251 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
181 -
FortiNAC
134 -
SSL-VPN
129 -
6.4
128 -
IPsec
124 -
FortiGuard
121 -
FortiGateCloud
97 -
FortiCloud Products
93 -
FortiSIEM
92 -
FortiToken
80 -
Customer Service
72 -
Wireless Controller
68 -
SD-WAN
65 -
4.0MR3
64 -
FortiProxy
52 -
FortiEDR
47 -
Fortivoice
46 -
FortiADC
46 -
FortiDNS
43 -
FortiAuthenticator
43 -
Firewall policy
40 -
FortiSandbox
38 -
VLAN
38 -
FortiExtender
37 -
FortiGate v5.4
36 -
FortiSwitch v6.4
32 -
High Availability
32 -
DNS
28 -
BGP
27 -
LDAP
27 -
FortiConnect
26 -
ZTNA
26 -
FortiGate v5.2
24 -
FortiWAN
24 -
FortiConverter
23 -
SAML
22 -
Interface
22 -
Authentication
21 -
Routing
21 -
Certificate
21 -
FortiSwitch v6.2
20 -
FortiLink
19 -
NAT
19 -
FortiPortal
18 -
VDOM
18 -
RADIUS
16 -
Logging
16 -
FortiMonitor
16 -
Virtual IP
16 -
Web profile
16 -
FortiGate v5.0
15 -
SSL SSH inspection
15 -
Fortigate Cloud
14 -
FortiDDoS
14 -
Application control
14 -
Traffic shaping
13 -
FortiManager v5.0
12 -
FortiCASB
12 -
SSO
12 -
IP address management - IPAM
11 -
FortiRecorder
10 -
SSID
10 -
Static route
10 -
4.0MR2
9 -
FortiGate v4.0 MR3
9 -
FortiAnalyzer v5.0
9 -
FortiSOAR
9 -
FortiWeb v5.0
9 -
SNMP
9 -
RMA Information and Announcements
9 -
OSPF
9 -
FortiAP profile
9 -
WAN optimization
9 -
FortiManager v4.0
8 -
FortiBridge
8 -
Admin
8 -
Security profile
8 -
Proxy policy
8 -
Web application firewall profile
8 -
4.0
7 -
FortiCache
7 -
Automation
7 -
trunk
6 -
IPS signature
6 -
Antivirus profile
6 -
Traffic shaping policy
6 -
System settings
6 -
FortiCarrier
5 -
FortiDirector
5 -
DNS Filter
5 -
Packet capture
5 -
FortiTester
5 -
Users
5 -
Port policy
5 -
Intrusion prevention
5 -
Fortinet Engage Partner Program
5 -
3.6
4 -
FortiDeceptor
4 -
FortiScan
4 -
Explicit proxy
4 -
FortiPAM
4 -
Traffic shaping profile
4 -
Application signature
4 -
DLP sensor
4 -
DoS policy
4 -
Web rating
4 -
FortiInsight
3 -
FortiDB
3 -
FortiCWP
3 -
FortiToken Cloud
3 -
FortiHypervisor
3 -
NAC policy
3 -
Authentication rule and scheme
3 -
DLP Dictionary
3 -
DLP profile
3 -
Email filter profile
3 -
Fabric connector
3 -
File filter
3 -
Multicast routing
3 -
FortiAI
2 -
FortiNDR
2 -
Internet Service Database
2 -
Netflow
2 -
Protocol option
2 -
Replacement messages
2 -
Schedule
2 -
Service
2 -
VoIP profile
2 -
Zone
2 -
4.0MR1
1 -
FortiManager-VM
1 -
Kerberos
1 -
RIP
1 -
Subscription Renewal Policy
1 -
Video Filter
1 -
TACACS
1 -
SDN connector
1 -
Multicast policy
1
Top Kudoed Authors
| User | Count |
|---|---|
| 1238 | |
| 932 | |
| 674 | |
| 441 | |
| 176 |
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.