FortiGate
Author: tgirard (Staff)
Article Id 274743
Description This article describes a configuration in which both hairpin traffic (an internal server reaching another internal server through its VIP) and internet-bound traffic from an internal server are SNATed to the same source address: the external IP of that server's VIP on the FortiGate's external interface.
Scope FortiGate.
Solution

Internal servers (PC1: 172.17.11.1 and PC2: 172.17.11.2) are reachable through VIPs (DNAT) configured on the external interface of the FortiGate (toPC1: 10.100.1.11, toPC2: 10.100.1.12).

Network topology:

internal subnet 172.17.11.0/24 --- port1 (.254) FGT port2 (.1) --- 10.100.1.0/24 external subnet (default gateway 10.100.1.2)

Version: FortiGate-VM64-KVM v7.2.0,build1157,220331 (GA.F)
IP=172.17.11.254->172.17.11.254/255.255.255.0 index=3 devname=port1 (internal subnet)
IP=10.100.1.1->10.100.1.1/255.255.255.0 index=4 devname=port2 (external subnet)


Configuration details. Central NAT is enabled, so the VIPs are applied as DNAT before the policy lookup and policies 3 and 4 match on the mapped internal addresses (PC1, PC2) rather than on the VIP external IPs. The central SNAT map entries use srcintf port1 and dstintf any, so they apply both to hairpin traffic that is DNATed back out of port1 (policies 3 and 4) and to internet-bound traffic leaving port2 (policy 5); each server is always translated to the one-to-one IP pool that holds its own VIP external IP.


config system settings
    set central-nat enable
end

config firewall address
    edit "PC1"
        set subnet 172.17.11.1 255.255.255.255
    next
    edit "PC2"
        set subnet 172.17.11.2 255.255.255.255
    next
end

config firewall ippool
    edit "pc1pool"
        set type one-to-one
        set startip 10.100.1.11
        set endip 10.100.1.11
    next
    edit "pc2pool"
        set type one-to-one
        set startip 10.100.1.12
        set endip 10.100.1.12
    next
end

config firewall central-snat-map
    edit 2
        set srcintf "port1"
        set dstintf "any"
        set orig-addr "PC1"
        set dst-addr "all"
        set nat-ippool "pc1pool"
    next
    edit 3
        set srcintf "port1"
        set dstintf "any"
        set orig-addr "PC2"
        set dst-addr "all"
        set nat-ippool "pc2pool"
    next
end

config firewall vip
    edit "toPC1"
        set extip 10.100.1.11
        set mappedip "172.17.11.1"
        set extintf "any"
    next
    edit "toPC2"
        set extip 10.100.1.12
        set mappedip "172.17.11.2"
        set extintf "any"
    next
end

config firewall policy
    edit 3
        set srcintf "any"
        set dstintf "port1"
        set action accept
        set srcaddr "all"
        set dstaddr "PC2"
        set schedule "always"
        set service "ALL"
    next
    edit 4
        set srcintf "any"
        set dstintf "port1"
        set action accept
        set srcaddr "all"
        set dstaddr "PC1"
        set schedule "always"
        set service "ALL"
    next
    edit 5
        set srcintf "port1"
        set dstintf "port2"
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
    next
end

Results:

 

Ping from PC1 (172.17.11.1) to PC2 through its VIP 10.100.1.12 (hairpin traffic), sniffer output:


2023-09-20 05:59:37.411887 port1 in 172.17.11.1 -> 10.100.1.12: icmp: echo request
2023-09-20 05:59:37.412050 port1 out 10.100.1.11 -> 172.17.11.2: icmp: echo request
2023-09-20 05:59:37.426533 port1 in 172.17.11.2 -> 10.100.1.11: icmp: echo reply
2023-09-20 05:59:37.426594 port1 out 10.100.1.12 -> 172.17.11.1: icmp: echo reply

 

Ping from PC1 (172.17.11.1) to the default gateway 10.100.1.2 (external traffic), sniffer output:


2023-09-20 05:59:41.410648 port1 in 172.17.11.1 -> 10.100.1.2: icmp: echo request
2023-09-20 05:59:41.412397 port2 out 10.100.1.11 -> 10.100.1.2: icmp: echo request
2023-09-20 05:59:41.414490 port2 in 10.100.1.2 -> 10.100.1.11: icmp: echo reply
2023-09-20 05:59:41.414519 port1 out 10.100.1.2 -> 172.17.11.1: icmp: echo reply

 

Session information for both pings (session list, followed by the verbose session entries). In both sessions the source is translated to 10.100.1.11, the external IP of the toPC1 VIP:

PROTO  EXPIRE  SOURCE           SOURCE-NAT        DESTINATION    DESTINATION-NAT
icmp   35      172.17.11.1:141  10.100.1.11:141   10.100.1.2:8   -
icmp   38      172.17.11.1:142  10.100.1.11:142   10.100.1.12:8  172.17.11.2:142


session info: proto=1 proto_state=00 duration=8 expire=53 timeout=0 flags=00000000 socktype=0 sockport=0 av_idx=0 use=3
origin-shaper=
reply-shaper=
per_ip_shaper=
class_id=0 ha_id=0 policy_dir=0 tunnel=/ vlan_cos=0/255
state=may_dirty
statistic(bytes/packets/allow_err): org=252/3/1 reply=252/3/1 tuples=2
tx speed(Bps/kbps): 30/0 rx speed(Bps/kbps): 30/0
orgin->sink: org pre->post, reply pre->post dev=3->4/4->3 gwy=10.100.1.2/172.17.11.1
hook=post dir=org act=snat 172.17.11.1:141->10.100.1.2:8(10.100.1.11:141)
hook=pre dir=reply act=dnat 10.100.1.2:141->10.100.1.11:0(172.17.11.1:141)
misc=0 policy_id=5 pol_uuid_idx=14735 auth_info=0 chk_client_info=0 vd=0
serial=00002b2b tos=ff/ff app_list=0 app=0 url_cat=0
rpdb_link_id=00000000 ngfwid=n/a
npu_state=0x000100
no_ofld_reason: npu-flag-off

session info: proto=1 proto_state=00 duration=4 expire=56 timeout=0 flags=00000000 socktype=0 sockport=0 av_idx=0 use=5
origin-shaper=
reply-shaper=
per_ip_shaper=
class_id=0 ha_id=0 policy_dir=0 tunnel=/ vlan_cos=0/255
state=may_dirty
statistic(bytes/packets/allow_err): org=168/2/1 reply=168/2/1 tuples=4
tx speed(Bps/kbps): 38/0 rx speed(Bps/kbps): 38/0
orgin->sink: org pre->post, reply pre->post dev=3->3/3->3 gwy=172.17.11.2/172.17.11.1
hook=pre dir=org act=dnat 172.17.11.1:142->10.100.1.12:8(172.17.11.2:142)
hook=post dir=org act=snat 172.17.11.1:142->172.17.11.2:8(10.100.1.11:142)
hook=pre dir=reply act=dnat 172.17.11.2:142->10.100.1.11:0(172.17.11.1:142)
hook=post dir=reply act=snat 172.17.11.2:142->172.17.11.1:0(10.100.1.12:142)
misc=0 policy_id=3 pol_uuid_idx=14733 auth_info=0 chk_client_info=0 vd=0
serial=00002b2d tos=ff/ff app_list=0 app=0 url_cat=0
rpdb_link_id=00000000 ngfwid=n/a
npu_state=0x000100
no_ofld_reason: npu-flag-off
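As an added example (not part of the KB article and not a Fortinet tool), the following Python script parses the hook= translation lines of verbose session entries like the ones above and checks that every originating-direction SNAT uses the external IP of the server's own VIP, marking sessions that carry both a DNAT and an SNAT in the originating direction as hairpin. It assumes the session output format shown in this article and the two VIP mappings from the configuration; the sample text is constructed from the article's own two session entries, trimmed to the lines the checker reads.

```python
"""Verify that FortiGate sessions SNAT each server to its own VIP external IP.

Added example, not from the KB article or Fortinet: parses the 'hook='
lines of verbose session output and checks the originating-direction SNAT.
"""
import re

# VIP mapping taken from the article's configuration: mapped (internal) IP
# -> external VIP IP. Assumption: these are the only two servers of interest.
VIP_EXTIP = {
    "172.17.11.1": "10.100.1.11",  # toPC1
    "172.17.11.2": "10.100.1.12",  # toPC2
}

# hook=<pre|post> dir=<org|reply> act=<snat|dnat> SRC:PORT->DST:PORT(NAT:PORT)
HOOK_RE = re.compile(
    r"hook=(?P<hook>\w+) dir=(?P<dir>\w+) act=(?P<act>\w+) "
    r"(?P<src>[\d.]+):\d+->(?P<dst>[\d.]+):\d+\((?P<nat>[\d.]+):\d+\)"
)
POLICY_RE = re.compile(r"\bpolicy_id=(\d+)")

# Constructed sample: the two verbose session entries from the article,
# trimmed to the lines this checker uses.
SAMPLE_SESSIONS = """\
session info: proto=1 proto_state=00 duration=8 expire=53
hook=post dir=org act=snat 172.17.11.1:141->10.100.1.2:8(10.100.1.11:141)
hook=pre dir=reply act=dnat 10.100.1.2:141->10.100.1.11:0(172.17.11.1:141)
misc=0 policy_id=5 pol_uuid_idx=14735 auth_info=0 chk_client_info=0 vd=0
session info: proto=1 proto_state=00 duration=4 expire=56
hook=pre dir=org act=dnat 172.17.11.1:142->10.100.1.12:8(172.17.11.2:142)
hook=post dir=org act=snat 172.17.11.1:142->172.17.11.2:8(10.100.1.11:142)
hook=pre dir=reply act=dnat 172.17.11.2:142->10.100.1.11:0(172.17.11.1:142)
hook=post dir=reply act=snat 172.17.11.2:142->172.17.11.1:0(10.100.1.12:142)
misc=0 policy_id=3 pol_uuid_idx=14733 auth_info=0 chk_client_info=0 vd=0
"""


def parse_sessions(text):
    """Split session-list output into sessions, keeping policy id and NAT hooks."""
    sessions = []
    for chunk in text.split("session info:")[1:]:
        hooks = [m.groupdict() for m in HOOK_RE.finditer(chunk)]
        pol = POLICY_RE.search(chunk)
        sessions.append({
            "policy_id": int(pol.group(1)) if pol else None,
            "hooks": hooks,
        })
    return sessions


def check_snat(sessions, vip_extip=VIP_EXTIP):
    """Return one finding per session that SNATs in the originating direction.

    'hairpin' is True when the originating direction was also DNATed, i.e. the
    client hit a VIP and the traffic turned back to the internal subnet.
    'ok' is True when the SNAT address equals the VIP external IP of the
    original (pre-NAT) source server.
    """
    findings = []
    for s in sessions:
        org = [h for h in s["hooks"] if h["dir"] == "org"]
        snat = next((h for h in org if h["act"] == "snat"), None)
        if snat is None:
            continue
        expected = vip_extip.get(snat["src"])
        findings.append({
            "policy_id": s["policy_id"],
            "src": snat["src"],
            "snat_ip": snat["nat"],
            "expected": expected,
            "hairpin": any(h["act"] == "dnat" for h in org),
            "ok": expected is not None and snat["nat"] == expected,
        })
    return findings


if __name__ == "__main__":
    for finding in check_snat(parse_sessions(SAMPLE_SESSIONS)):
        print(finding)
```

Run against the article's output it reports two sessions, policy 5 (external, not hairpin) and policy 3 (hairpin), both translated to 10.100.1.11 and both ok; a session whose SNAT came from the interface IP or another pool would show ok=False, which is the quickest way to spot a missing or mis-ordered central SNAT entry after a change.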