New Contributor II

Using virtual IP to forward DNS traffic from IPsec VPN to a private subnet

Hi Forum,


I have trouble granting access to my DNS server for a customer who is connected via IPsec.


My setup:

- Customer SNAT. All traffic from my customer has this source.
- Loopback interface as VPN NAT network
- VLAN interface for internal services


We have a working VPN connection with these Phase 2 entries: <=>


My first try was a VIP with port forwarding like this: =>


Of course I added a policy for this:

source interface: IPsec Customer

destination interface: Internal Services


destination: VIP

service: DNS

NAT: disabled


But this doesn't work. My next try was a virtual server, also not working... Is it "wrong" to use a transfer network on a loopback device?


If you need more information please ask. Thank you and best regards!

Valued Contributor III

Personally, I'm not a fan of 'any'. I would much rather prefer a VIP destination group with port forwarding to the same port allowed.


My two cents.

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at:
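Putting the question and the reply together, here is an added example (not the original poster's configuration and not Fortinet's own) of the FortiOS CLI form of a port-forwarding VIP group for DNS, matched by the policy described in the question. The interface names, the address object "Customer_SNAT", the external address 192.0.2.10 on the loopback transfer network and the internal DNS server 10.0.0.53 are assumed placeholders. DNS needs a UDP entry, because a port-forwarding VIP defaults to TCP.

```fortios
# Added example with placeholder values, not the poster's or Fortinet's config.
# Assumed: VPN interface "IPsec Customer", VLAN interface "Internal Services",
# 192.0.2.10 = address the customer queries, 10.0.0.53 = internal DNS server.
config firewall vip
    edit "vip-dns-udp"
        # Bind to the VPN interface rather than "any", as the reply suggests.
        set extintf "IPsec Customer"
        set extip 192.0.2.10
        set mappedip "10.0.0.53"
        set portforward enable
        # DNS queries are UDP; a port-forwarding VIP defaults to tcp.
        set protocol udp
        set extport 53
        set mappedport 53
    next
    edit "vip-dns-tcp"
        set extintf "IPsec Customer"
        set extip 192.0.2.10
        set mappedip "10.0.0.53"
        set portforward enable
        # Large responses and zone transfers fall back to TCP 53.
        set protocol tcp
        set extport 53
        set mappedport 53
    next
end
config firewall vipgrp
    edit "vipgrp-dns"
        set member "vip-dns-udp" "vip-dns-tcp"
    next
end
config firewall policy
    edit 0
        set name "customer-to-dns"
        set srcintf "IPsec Customer"
        set dstintf "Internal Services"
        # Address object for the customer's SNAT source (assumed name).
        set srcaddr "Customer_SNAT"
        # The VIP group is the destination, not the real server address.
        set dstaddr "vipgrp-dns"
        set action accept
        set schedule "always"
        set service "DNS"
        # Same as the original policy: DNAT is done by the VIP, no source NAT.
        set nat disable
    next
end
```

To check the path, send a query from the customer side to 192.0.2.10 on UDP 53 while running `diagnose sniffer packet any 'port 53' 4` on the FortiGate; if the query arrives on the VPN interface but never leaves on the VLAN interface, the VIP or the policy is not matching.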
