FortiGate
nithincs
Staff
Article Id 192844
Description
This article describes how FortiGate applies DNAT and SNAT to VIP (hairpin) traffic when the source host and the VIP's mapped IP are on the same network behind the same interface, and why SNAT is applied even though it is not enabled in the policy.

Solution
In this scenario, both the PC and the server are behind FortiGate on the network 172.31.128.0/24 via PORT4.
The PC (172.31.128.2) connects to the server by its external VIP address (1.1.1.1) instead of its real address (172.31.128.20).
FortiGate is connected to the LAN network 172.31.128.0/24 via PORT4 (the traces below show the PORT4 address as 172.31.128.1).
FortiGate is configured with a VIP whose external IP 1.1.1.1 is mapped to the internal server 172.31.128.20:
# config firewall vip
    edit "test"
        set uuid f1a6b83e-f27c-51eb-aa4a-b6c947c7530a
        set extip 1.1.1.1
        set extintf "any"
        set mappedip "172.31.128.20"
    next
end
To allow this traffic from the PC to the server via the mapped IP, a PORT4 to PORT4 policy has to be configured, because the packet enters and leaves FortiGate on the same interface (hairpin). The reply traffic is matched by the existing session, so no separate policy is required.

PORT4 to PORT4 policy allowing the hairpin traffic:
# config firewall policy
    edit 4
        set name "test2"
        set uuid 80d69150-f27d-51eb-aedc-5af165624624
        set srcintf "port4"
        set dstintf "port4"
        set srcaddr "all"
        set dstaddr "test"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
Note:
SNAT (set nat enable) is not configured in this policy. FortiGate nevertheless applies SNAT to this session, as the flow trace below shows.

PC 172.31.128.2 pings the server using the VIP external IP 1.1.1.1.

1) The packet is received on PORT4 and verified.
2) The destination IP matches the VIP external IP, which triggers DNAT. The destination IP is changed from 1.1.1.1 to 172.31.128.20.
3) Policy 4 matches, since the source and the mapped IP are both reached via the same interface (PORT4 in, PORT4 out).
4) Since the source and the (translated) destination are in the same network, FortiGate applies SNAT to the traffic automatically, translating the source to the PORT4 interface address 172.31.128.1, even though NAT is not enabled in the policy. Without this, the server would see the PC's real address on its own subnet and answer it directly, bypassing FortiGate; the PC would then receive a reply from 172.31.128.20 instead of from 1.1.1.1, which does not match the session it opened.
5) With SNAT applied, the server's reply is not sent directly to the PC but to FortiGate (172.31.128.1). FortiGate matches the existing session in the reply direction, reverses both translations, and forwards the reply to PC 172.31.128.2 with source 1.1.1.1.

ICMP traffic PC to server.
aegon-kvm39 # id=20085 trace_id=415 func=print_pkt_detail line=5618 msg="vd-root:0 received a packet(proto=1, 172.31.128.2:1->1.1.1.1:2048) from port4. type=8, code=0, id=1, seq=33."
id=20085 trace_id=415 func=init_ip_session_common line=5788 msg="allocate a new session-00081764"
id=20085 trace_id=415 func=fw_pre_route_handler line=181 msg="VIP-172.31.128.20:1, outdev-unknown"
id=20085 trace_id=415 func=__ip_session_run_tuple line=3410 msg="DNAT 1.1.1.1:8->172.31.128.20:1"
id=20085 trace_id=415 func=vf_ip_route_input_common line=2595 msg="find a route: flag=04000000 gw-172.31.128.20 via port4"
id=20085 trace_id=415 func=fw_forward_handler line=771 msg="Allowed by Policy-4: SNAT"
id=20085 trace_id=415 func=__ip_session_run_tuple line=3396 msg="SNAT 172.31.128.2->172.31.128.1:60417"

Ping reply from server.

id=20085 trace_id=416 func=print_pkt_detail line=5618 msg="vd-root:0 received a packet(proto=1, 172.31.128.20:60417->172.31.128.1:0) from port4. type=0, code=0, id=60417, seq=33."
id=20085 trace_id=416 func=resolve_ip_tuple_fast line=5698 msg="Find an existing session, id-00081764, reply direction"
id=20085 trace_id=416 func=__ip_session_run_tuple line=3410 msg="DNAT 172.31.128.1:0->172.31.128.2:1"
id=20085 trace_id=416 func=vf_ip_route_input_common line=2595 msg="find a route: flag=04000000 gw-172.31.128.2 via port4"
id=20085 trace_id=416 func=npu_handle_session44 line=1142 msg="Trying to offloading session from port4 to port4, skb.npu_flag=00000000 ses.state=00000200 ses.npu_state=0x00040000"
id=20085 trace_id=416 func=fw_forward_dirty_handler line=399 msg="state=00000200, state2=00000000, npu_state=00040000"
id=20085 trace_id=416 func=__ip_session_run_tuple line=3396 msg="SNAT 172.31.128.20->1.1.1.1:1"
Packet Flow.
2021-08-01 06:57:07.525936 port4 in 172.31.131.2 -> 1.1.1.1: icmp: echo request
2021-08-01 06:57:07.529835 port4 out 172.31.128.1 -> 172.31.128.20: icmp: echo request
2021-08-01 06:57:07.530431 port4 in 172.31.128.20 -> 172.31.128.1: icmp: echo reply
2021-08-01 06:57:07.531657 port4 out 1.1.1.1 -> 172.31.131.2: icmp: echo reply
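The following Python script is an added example, not part of the original article or any Fortinet tool. It parses the forward-direction flow trace shown above (constructed sample input, copied from the trace_id=415 lines) and checks the five steps mechanically: that DNAT replaced the VIP address with the mapped IP, that the session came in and went out on the same interface, that source and mapped IP share a subnet (the hairpin condition), and that SNAT was applied to the interface address. The interface addressing (port4 = 172.31.128.1/24) is an assumption taken from the SNAT address in the trace; the regular expressions match the diagnose debug flow line formats shown on this page and may need adjusting for other FortiOS builds.

```python
import ipaddress
import re

# Constructed sample input: the forward-direction diagnose debug flow lines from the
# article (trace_id 415), one ICMP echo request from the PC to the VIP address.
SAMPLE_TRACE = """\
id=20085 trace_id=415 func=print_pkt_detail line=5618 msg="vd-root:0 received a packet(proto=1, 172.31.128.2:1->1.1.1.1:2048) from port4. type=8, code=0, id=1, seq=33."
id=20085 trace_id=415 func=init_ip_session_common line=5788 msg="allocate a new session-00081764"
id=20085 trace_id=415 func=fw_pre_route_handler line=181 msg="VIP-172.31.128.20:1, outdev-unknown"
id=20085 trace_id=415 func=__ip_session_run_tuple line=3410 msg="DNAT 1.1.1.1:8->172.31.128.20:1"
id=20085 trace_id=415 func=vf_ip_route_input_common line=2595 msg="find a route: flag=04000000 gw-172.31.128.20 via port4"
id=20085 trace_id=415 func=fw_forward_handler line=771 msg="Allowed by Policy-4: SNAT"
id=20085 trace_id=415 func=__ip_session_run_tuple line=3396 msg="SNAT 172.31.128.2->172.31.128.1:60417"
"""

# Assumed interface addressing for the lab (not stated explicitly on the page;
# 172.31.128.1 is inferred from the SNAT address in the trace).
INTERFACE_ADDRS = {"port4": ipaddress.ip_interface("172.31.128.1/24")}

TRACE_RE = re.compile(r"trace_id=(\d+)")
RECV_RE = re.compile(r"received a packet\(proto=(\d+), ([\d.]+):(\d+)->([\d.]+):(\d+)\) from (\S+)\.")
DNAT_RE = re.compile(r'msg="DNAT ([\d.]+):\d+->([\d.]+):\d+"')
SNAT_RE = re.compile(r'msg="SNAT ([\d.]+)->([\d.]+):\d+"')
ROUTE_RE = re.compile(r'find a route: .*via (\S+)"')
POLICY_RE = re.compile(r"Allowed by Policy-(\d+)(?::\s*(\w+))?")


def parse_flow_trace(text):
    """Group debug-flow lines by trace_id and extract the fields relevant to NAT."""
    traces = {}
    for line in text.splitlines():
        tid = TRACE_RE.search(line)
        if not tid:
            continue
        t = traces.setdefault(tid.group(1), {})
        if (m := RECV_RE.search(line)):
            t.update(proto=int(m.group(1)), src=m.group(2), dst=m.group(4), in_if=m.group(6))
        elif (m := DNAT_RE.search(line)):
            t.update(dnat_from=m.group(1), dnat_to=m.group(2))
        elif (m := SNAT_RE.search(line)):
            t.update(snat_from=m.group(1), snat_to=m.group(2))
        elif (m := ROUTE_RE.search(line)):
            t["out_if"] = m.group(1)
        elif (m := POLICY_RE.search(line)):
            t["policy"] = int(m.group(1))
            t["policy_flags"] = m.group(2) or ""
    return traces


def reply_as_seen_by_pc(trace):
    """Source/destination of the reply the PC receives, with and without hairpin SNAT."""
    real_dst = trace.get("dnat_to", trace["dst"])
    if "snat_to" in trace:
        # The server answers the FortiGate address; FortiGate reverses DNAT and SNAT,
        # so the PC sees a reply from the VIP address it originally sent to.
        return {"src": trace["dst"], "dst": trace["src"], "via_fortigate": True}
    # No SNAT: the server sees the PC's real address on its own subnet and answers it
    # directly, so the PC sees a reply from the real server IP, not from the VIP.
    return {"src": real_dst, "dst": trace["src"], "via_fortigate": False}


def analyse_hairpin(trace, interface_addrs):
    """Check the steps from the article against one parsed forward-direction trace."""
    src = ipaddress.ip_address(trace["src"])
    real_dst = ipaddress.ip_address(trace.get("dnat_to", trace["dst"]))
    iface = interface_addrs.get(trace["in_if"])
    same_if = trace["in_if"] == trace.get("out_if")
    same_net = iface is not None and src in iface.network and real_dst in iface.network
    reply = reply_as_seen_by_pc(trace)
    return {
        "dnat_applied": "dnat_to" in trace,
        "hairpin": same_if and same_net,
        "snat_applied": "snat_to" in trace,
        "snat_to_interface_ip": iface is not None and trace.get("snat_to") == str(iface.ip),
        # A reply that does not come from the VIP address does not match the session the
        # PC opened (for TCP the stack would discard or reset it).
        "reply_matches_request": reply["src"] == trace["dst"],
        "reply_bypasses_firewall": same_net and not reply["via_fortigate"],
    }


if __name__ == "__main__":
    for tid, tr in parse_flow_trace(SAMPLE_TRACE).items():
        print(f"trace_id={tid}: {analyse_hairpin(tr, INTERFACE_ADDRS)}")
    # What would happen if the automatic SNAT were absent (same session, SNAT lines dropped):
    no_snat = {k: v for k, v in parse_flow_trace(SAMPLE_TRACE)["415"].items() if not k.startswith("snat")}
    print("without SNAT:", analyse_hairpin(no_snat, INTERFACE_ADDRS))
```

Run it against a live capture by pasting the output of diagnose debug flow trace start for the session into SAMPLE_TRACE; the "without SNAT" branch is what you would get on a policy where the automatic source NAT has been turned off, as in the related article below.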

Related Articles

Technical Tip: How to disable source NAT to enable a hairpin policy or one-arm firewall
