Description
FortiOS v5.4 made several enhancements to the Central NAT table and Virtual IPs. When trying to enable Central NAT in FortiOS 5.4, users may receive the error message 'Cannot enable central-nat with firewall policy using vip'.
In addition, users will notice that Virtual IPs can no longer be selected in the firewall policies when Central NAT is enabled.
In addition, users will notice that Virtual IPs can no longer be selected in the firewall policies when Central NAT is enabled.
Scope
FortiGate/FortiOS 5.4.x
Solution
The message 'Cannot enable central-nat with firewall policy using vip' may be encountered when trying to enable Central NAT. This error message indicates that Central NAT cannot be enabled yet because virtual IPs have been created and referenced in firewall policies.
Before Central NAT can be enabled, it is necessary to delete the policies that contain the virtual IP objects or modify the policies so that they no longer reference the virtual IP.
Once all of the virtual IPs have 0 references, Central NAT can be enabled via the command line interface (CLI).
Now that Central NAT is enabled, there will be a Central SNAT table (source IP address translation) and a DNAT & Virtual IPs table (destination IP address translation).
It is necessary to log out and log back in to the web GUI to see these changes.
The DNAT & Virtual IPs table affects every policy on the FortiGate, without the need to specifically reference a virtual IP in the policy itself.
If VDOMs are enabled, the SNAT and DNAT tables affect all policies per-VDOM, not globally.
Since the tables affect all policies, it is no longer is necessary to explicitly choose the virtual IP object as a destination address object in the firewall policy for DNAT to be performed. Instead, the policy only needs to reference the virtual IP’s internal address (specifically, the 'Mapped IP Address') as a destination address object. See example below for further clarification.
Virtual IPs Before Enabling Central NAT:
Firewall Policy Before Enabling Central NAT:
DNAT & Virtual IPs After Enabling Central NAT:
Firewall Policy After Enabling Central NAT:
Before Central NAT can be enabled, it is necessary to delete the policies that contain the virtual IP objects or modify the policies so that they no longer reference the virtual IP.
Once all of the virtual IPs have 0 references, Central NAT can be enabled via the command line interface (CLI).
config system settings
set central-nat enable
end
Now that Central NAT is enabled, there will be a Central SNAT table (source IP address translation) and a DNAT & Virtual IPs table (destination IP address translation).
It is necessary to log out and log back in to the web GUI to see these changes.
The DNAT & Virtual IPs table affects every policy on the FortiGate, without the need to specifically reference a virtual IP in the policy itself.
If VDOMs are enabled, the SNAT and DNAT tables affect all policies per-VDOM, not globally.
Since the tables affect all policies, it is no longer is necessary to explicitly choose the virtual IP object as a destination address object in the firewall policy for DNAT to be performed. Instead, the policy only needs to reference the virtual IP’s internal address (specifically, the 'Mapped IP Address') as a destination address object. See example below for further clarification.
Virtual IPs Before Enabling Central NAT:
Firewall Policy Before Enabling Central NAT:
DNAT & Virtual IPs After Enabling Central NAT:
Firewall Policy After Enabling Central NAT:
Related Articles
The Central NAT config did not get upgraded from 5.2 to 5.4. How do you configure this in 5.4?
