Purpose
On a FortiGate unit, a VIP can be created for port translation only: the External IP and the Mapped IP are set to the same value, the address of an internal server, and only the TCP port is changed.
In the example that follows, external TCP port 443 is mapped to TCP port 22.
Scope
FortiGate VDOM and NAT mode.
Diagram
--external vip 172.31.224.197 (ext tcp port 443)
||
port1
||
[ FORTIGATE ]
||
port2
||
--mapped ip 172.31.224.197 (mapped tcp port 22)
||
Internal Server
Expectations, Requirements
A server on port2 of the FortiGate unit uses IP 172.31.224.197 and listens on TCP port 22.
A VIP is created with this same IP as both the External IP (port1 side) and the Mapped IP (port2 side), for port translation only: requests arriving on TCP port 443 are forwarded to TCP port 22.
Configuration
FortiOS firmware version 5.0.x:
show firewall vip
config firewall vip
edit "vip-test"
set arp-reply disable
set extip 172.31.224.197
set extintf "port1"
set portforward enable
set mappedip 172.31.224.197
set extport 443
set mappedport 22
next
end
config firewall policy
edit 3
set srcintf "port1"
set dstintf "port2"
set srcaddr "all"
set dstaddr "vip-test"
set action accept
set schedule "always"
set service "ALL"
set nat enable
next
end
FortiOS firmware version 4.0 MR3:
In the "config firewall policy" section above, the line
set service "ALL"
must be replaced by
set service "ANY"
Firmware versions prior to 4.0 MR3:
In the "config firewall policy" section above, the line
set srcaddr "all"
must also be replaced by
set srcaddr "any"
Verification
n/a
Troubleshooting
1) In case of issues, use the debug flow commands ("diagnose debug flow") to check whether the traffic matches the firewall policy. A working trace for this setup looks like the following: the packet arrives on port1 for 172.31.224.197:443, a session is allocated, and the DNAT line shows the port being rewritten from 443 to 22.
id=20085 trace_id=22 msg="vd-root received a packet(proto=6, 192.168.183.120:1189->172.31.224.197:443) from port1."
id=20085 trace_id=22 msg="allocate a new session-000000d9"
id=20085 trace_id=22 msg="find SNAT: IP-172.31.224.197(from IPPOOL), port-22"
id=20085 trace_id=22 msg="VIP-172.31.224.197:22, outdev-port1"
id=20085 trace_id=22 msg="DNAT 172.31.224.197:443->172.31.224.197:22"
2) If you see the following message in your debug flow trace:
id=20085 trace_id=22 msg="iprope_in_check() check failed, drop"
make sure the following parameter is configured on the VIP:
config firewall vip
edit vip-test
set arp-reply disable
next
end
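As an added example (not part of the original article or of FortiOS), the following Python script parses "show firewall vip" CLI output and flags a same-IP, port-translation-only VIP that is missing "set arp-reply disable", the condition behind the drop shown in step 2. The sample configuration is constructed for this example; the "vip-bad" entry is a hypothetical VIP that repeats the page's settings without the arp-reply line.

```python
# Constructed sample of "show firewall vip" output (not from a real device):
# "vip-test" is the article's VIP; "vip-bad" omits "set arp-reply disable".
SAMPLE_CONFIG = """\
config firewall vip
    edit "vip-test"
        set arp-reply disable
        set extip 172.31.224.197
        set portforward enable
        set mappedip 172.31.224.197
        set extport 443
        set mappedport 22
    next
    edit "vip-bad"
        set extip 172.31.224.198
        set portforward enable
        set mappedip 172.31.224.198
        set extport 443
        set mappedport 22
    next
end
"""

def parse_vips(text):
    """Return {vip_name: {setting: value}} from a 'config firewall vip' block."""
    vips, current, in_section = {}, None, False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "config firewall vip":
            in_section = True
        elif line == "end":
            in_section, current = False, None
        elif in_section and line.startswith("edit "):
            current = line[5:].strip().strip('"')
            vips[current] = {}
        elif in_section and line == "next":
            current = None
        elif current is not None and line.startswith("set "):
            key, _, value = line[4:].partition(" ")
            vips[current][key] = value.strip().strip('"')
    return vips

def lint_vips(text):
    """Flag same-IP VIPs that would hit 'iprope_in_check() check failed, drop'."""
    problems = []
    for name, s in parse_vips(text).items():
        if s.get("extip") != s.get("mappedip"):
            continue  # ordinary DNAT VIP: the same-IP requirements do not apply
        # Same IP on both sides: the article requires arp-reply to be disabled.
        if s.get("arp-reply") != "disable":
            problems.append(f"{name}: extip equals mappedip but arp-reply is not disabled")
        if s.get("portforward") != "enable" or s.get("extport") == s.get("mappedport"):
            problems.append(f"{name}: same IP on both sides but no port translation")
    return problems
```

Run it against the real output of "show firewall vip" to audit every same-IP VIP on a unit at once rather than checking each entry by hand.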
Related Articles
Troubleshooting Tip : First steps to troubleshoot connectivity problems to or through a FortiGate wi...