Hello Fellows,
I hit a DNS-related problem in a setup involving an L2L VPN with DNAT (VIP). I have not been able to use the servers' FQDNs thus far due to the following DNS behavior:
The goal is to have DNS replies modified only for clients behind the VPN interface.
Judging by https://itzecurity.blogspot.dk/2013/07/dns-translation.html I am not the only one to have hit this issue.
Any follow-up will be much appreciated.
The test setup (involving one server only), whose scope of clients proved to be excessive:
config firewall dnstranslation
    edit 1
        set src 10.50.1.213
        set dst 10.50.10.213
    next
end
My conclusion is that, contrary to what I expected with this setup, the FG is not able to associate the dnstranslation range with the existing VIP range and thus with the only interface this VIP was bound to.
Below are interesting excerpts of my setup.
config firewall vip
    edit "vip_10.50.10.x_10.50.1.x"
        set extip 10.50.10.1-10.50.10.254
        set extintf "148_peer1_p1"
        set srcintf-filter "148_peer1_p1"
        set mappedip "10.50.1.1-10.50.1.254"
    next
end
config vpn ipsec phase1-interface
    edit "148_peer1_p1"
        set interface "148.inet"
        [...]
    next
end
config vpn ipsec phase2-interface
    edit "148_peer1_p2"
        set phase1name "148_peer1_p1"
        [...]
        set src-subnet 10.50.10.0 255.255.255.0
        set dst-subnet 172.16.39.64 255.255.255.224
    next
end
config firewall policy
    edit 26
        set srcintf "148_peer1_p1"
        set dstintf "trust"
        set srcaddr "172.16.39.74"
        set dstaddr "VIP_10.50.10.x_10.50.1.x"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 28
        set srcintf "trust"
        set dstintf "148_peer1_p1"
        set srcaddr "10.50.1.0-24"
        set dstaddr "172.16.39.74"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end
--
Best regards,
RafalS
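The behaviour RafalS is asking for (rewrite A records from the mappedip range to the extip range, but only in replies going to clients behind the VPN) can be modelled outside the FortiGate to have a reference to compare captured replies against. The script below is an added example and is not part of the original post nor FortiOS code; it assumes the whole 10.50.1.0/24 maps onto 10.50.10.0/24 (the VIP's mappedip/extip ranges, host part preserved, i.e. what a dnstranslation entry with a /24 netmask would express) and that "clients behind the VPN" means the phase2 dst-subnet 172.16.39.64/27. The DNS message parser handles name compression pointers and leaves every non-A record alone; the sample responses are constructed inline.

```python
import ipaddress
import struct

# Assumed from the post's config: VPN-side clients (phase2 dst-subnet) and
# the VIP's mappedip -> extip ranges. Change these for another setup.
VPN_CLIENTS = ipaddress.ip_network("172.16.39.64/27")
INTERNAL = ipaddress.ip_network("10.50.1.0/24")    # mappedip range
EXTERNAL = ipaddress.ip_network("10.50.10.0/24")   # extip range


def translate_addr(addr):
    """Map 10.50.1.x -> 10.50.10.x (host part kept); other addresses pass through."""
    a = ipaddress.ip_address(addr)
    if a not in INTERNAL:
        return a
    host = int(a) - int(INTERNAL.network_address)
    return ipaddress.ip_address(int(EXTERNAL.network_address) + host)


def _skip_name(msg, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:      # compression pointer: 2 bytes, ends the name
            return off + 2
        off += 1 + length


def _a_record_offsets(msg):
    """Yield the RDATA offset of every IN A record in the answer/authority/additional sections."""
    _txid, flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    if not flags & 0x8000:             # QR bit clear: a query, nothing to rewrite
        return
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4  # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = _skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            yield off
        off += rdlen


def a_records(msg):
    """List the A-record addresses in a DNS response, in wire order."""
    return [str(ipaddress.ip_address(msg[o:o + 4])) for o in _a_record_offsets(msg)]


def rewrite_response(msg, client_ip):
    """Reference model of interface-scoped DNS translation.

    Replies to clients outside VPN_CLIENTS are returned untouched; for VPN
    clients every A record inside INTERNAL is rewritten into EXTERNAL.
    """
    if ipaddress.ip_address(client_ip) not in VPN_CLIENTS:
        return msg
    out = bytearray(msg)
    for off in _a_record_offsets(msg):
        out[off:off + 4] = translate_addr(msg[off:off + 4]).packed
    return bytes(out)


def _encode_name(name):
    out = b"".join(bytes([len(l)]) + l.encode() for l in name.strip(".").split("."))
    return out + b"\x00"


def build_a_response(name, addrs, txid=0x1234, ttl=60):
    """Construct a minimal standard DNS response with one A record per address."""
    header = struct.pack("!6H", txid, 0x8180, 1, len(addrs), 0, 0)
    question = _encode_name(name) + struct.pack("!HH", 1, 1)
    answers = b""
    for a in addrs:
        # owner name as a compression pointer to the question name at offset 12
        answers += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4)
        answers += ipaddress.ip_address(a).packed
    return header + question + answers


if __name__ == "__main__":
    # Constructed sample: the server from the post's dnstranslation entry.
    reply = build_a_response("srv.example.test", ["10.50.1.213"])
    print("VPN client sees :", a_records(rewrite_response(reply, "172.16.39.74")))
    print("LAN client sees :", a_records(rewrite_response(reply, "10.50.1.50")))
```

To use it against a real FortiGate, extract the UDP payload of a DNS reply captured on the "trust" and "148_peer1_p1" sides (e.g. with `diagnose sniffer packet` and a pcap reader) and compare `a_records(captured)` with `a_records(rewrite_response(captured, client_ip))`: any difference on the trust side is exactly the over-broad translation the post describes.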
Copyright 2024 Fortinet, Inc. All Rights Reserved.