Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
shaan129
New Contributor

Double_NAT

Dear All,

I need your help and expertise on the issue below.

Server 1 is in the LAN behind the FortiGate 60 FW; both share IP addresses from the same subnet, and the GW for Server 1 is the IP of the FortiGate. The FortiGate is connected to a Cisco router (handled by a different vendor), and on its LAN there is a Server 2 whose gateway is one of the interfaces of the Cisco router.

Now I am trying to communicate from Server 1 to Server 2 and vice versa, but the issue is that Server 1, before communicating or exiting the FortiGate interface, should change its IP address to a different IP address.

I have done the test and I am able to ping Server 2 from Server 1, but when I do the same from Server 2 to Server 1 the ping is not responding, and the traceroute reaches the IP of the FortiGate interface which is connected to the Cisco router and nothing after that.

I have attached a diagram for better understanding; kindly help with your inputs.

Regards,

Shaan
4 REPLIES
Dave_Hall
Honored Contributor

If the path of Server 2 traffic is hitting the WAN port(s) of the FortiGate then you likely need to set up a VIP (port forward); if both LANs on each side of the fgt are connecting via an internal port, you may need to define a route to 192.168.255.254/32 directly.  However, I don't think this is actually needed.  I suggest checking the return firewall policy (from Server 2 to Server 1) - you will need two firewall rules for both directions of that fgt connection. Perhaps post a screenshot (sans identifiable IP info) here.

NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C
sw2090
Honored Contributor

Are you sure the Cisco does NAT Server 2 back to the FortiGate?

If traffic reaches the FGT with the original IP of server2 there will be no answer because the FGT doesn't know that subnet nor has a route to it.

-- 

"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
emnoc
Esteemed Contributor III

I do not think you need to do anything but check for a route to the src-address that Server 1 is SNATed to. What does diag sniffer packet show, and what is the src_address that enters the FortiGate?

PCNSE

NSE

StrongSwan
shaan129
New Contributor

Dear All,

I have the source route in place. From the FortiGate interface connecting to the Cisco router I can ping Server 2 and I am able to get the response as well; the only issue is with NATing, I guess, and I got the response below from the router team who is managing the Cisco router:

I captured the logs from the continuous ping done earlier and it looks like the traffic initiated from the server1 (192.168.255.254) is being NATed to the 10.249.107.98 (instead of 10.249.107.80 IP) before coming to the cisco router.

This is why when you try to ping the 10.249.107.80 from the server 2 (10.249.104.x) it is not working as that NAT (192.168.255.254 - 10.249.107.80) is not working.

Regards,

Shaan
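The router team's capture matches what a FortiGate does when a policy has NAT enabled but no IP pool: the source is rewritten to the egress interface address (10.249.107.98 in the thread), and nothing maps 10.249.107.80 back to 192.168.255.254, so Server 2's replies and its own pings to .80 have nowhere to go. The FortiOS CLI below is an added example, not configuration from the thread or from Fortinet, showing the pieces Dave_Hall's reply calls for: an IP pool that pins Server 1's outbound source to 10.249.107.80, a VIP that maps 10.249.107.80 back to 192.168.255.254 for the return direction, and one policy per direction. Assumed (not in the thread): the interface names "internal" (LAN side) and "wan1" (toward the Cisco), the object names, the policy IDs 10 and 11, and 10.249.104.0/24 for the Server 2 network (the thread only says 10.249.104.x).

```fortios
# Added example (not from the thread): 1:1 NAT of Server 1 on a FortiGate.
# Assumed names: "internal" = LAN port, "wan1" = port facing the Cisco router,
# 10.249.104.0/24 = Server 2 network (thread says 10.249.104.x), policy IDs 10/11.

# Address objects for the two ends.
config firewall address
    edit "srv1-192.168.255.254"
        set subnet 192.168.255.254 255.255.255.255
    next
    edit "srv2-net-10.249.104.0"
        set subnet 10.249.104.0 255.255.255.0
    next
end

# Outbound: the IP pool pins Server 1's source address to 10.249.107.80.
# Without a pool, "set nat enable" uses the egress interface address
# (10.249.107.98 in the thread), which is what the router team's capture showed.
config firewall ippool
    edit "srv1-snat-10.249.107.80"
        set type one-to-one
        set startip 10.249.107.80
        set endip 10.249.107.80
    next
end

# Inbound: the VIP maps 10.249.107.80 back to 192.168.255.254 for all ports.
# arp-reply is enabled by default, so the FortiGate answers ARP for .80 on wan1;
# the Cisco needs no extra route when .80 lies in its connected subnet.
config firewall vip
    edit "srv1-vip-10.249.107.80"
        set extintf "wan1"
        set extip 10.249.107.80
        set mappedip "192.168.255.254"
    next
end

# Two policies, one per direction. Narrow "ALL" to the services the two
# servers actually exchange once the path is confirmed working.
config firewall policy
    edit 10
        set name "srv1-to-srv2"
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "srv1-192.168.255.254"
        set dstaddr "srv2-net-10.249.104.0"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
        set ippool enable
        set poolname "srv1-snat-10.249.107.80"
        set logtraffic all
    next
    edit 11
        set name "srv2-to-srv1"
        set srcintf "wan1"
        set dstintf "internal"
        set srcaddr "srv2-net-10.249.104.0"
        set dstaddr "srv1-vip-10.249.107.80"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
end
```

To confirm the change the way emnoc suggested, run `diagnose sniffer packet any 'host 10.249.107.80' 4` while pinging in each direction (verbosity 4 prints the interface each packet is seen on): outbound echo requests should now leave wan1 with source 10.249.107.80 rather than 10.249.107.98, and echo requests from Server 2 to .80 should appear on wan1 and then on internal with destination 192.168.255.254. If the inbound packets show up on wan1 but never on internal, the miss is in policy 11 (interface pair, address objects or the VIP as destination), not in routing.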