Central NAT - DNAT configuration

Author
DamianLozano
Bronze Member
  • Total Posts : 55
  • Scores: 0
  • Reward points: 0
  • Joined: 2019/01/28 11:28:32
  • Status: offline
2020/08/18 08:48:02


Hello,
 
I just installed a new FortiGate and for the first time enabled "central NAT" from the CLI.
I created an SNAT rule for each outgoing Internet connection, and I think these rules are working because I can browse the Internet.
Now I want to forward port TCP 81 to 10.1.1.234 because I need to access it from the Internet.
I created the following "DNAT & Virtual IP":
Interface: lan (I don't know if this should be the source or destination interface, but I tested each with no luck)
Source Interface Filter: disabled
External IP Address/Range: PublicIP
Mapped IP Address/Range: 10.1.1.234
Optional Filters: disabled
Port Forwarding: enabled
Protocol: TCP
External Service Port: 81
Map to Port: 81

I can connect from inside with "telnet 10.1.1.234 81" but I cannot connect from outside with "telnet publicIP 81", so the "DNAT & Virtual IP" is not working.
What is wrong?
 
Thanks in advance.
Regards,
Damián
 
 
#1


    poundy
    2020/08/19 03:22:52
    Do you have a policy to permit the inbound connection to the VIP? I suspect that's all you're missing...
    The next thing I'll point you to is "diag debug flow". For example, have a look at this page for inspiration: https://marktugbo.com/2017/07/04/tools-flow-trace-in-fortigate/ but a simplistic version for you would be something like:
    diag debug disable
    diag debug flow filter daddr 10.1.1.234
    diag debug flow filter port 81
    diag debug flow show function-name enable
    diag debug flow trace start 10
    diag debug enable
    ... and then look at what info you get from there.
    #2
    DamianLozano
    2020/08/19 06:04:20
    Hello people!
     
    You were right; the traffic is being blocked by the implicit policy:
    id=20085 trace_id=1 func=print_pkt_detail line=5573 msg="vd-root:0 received a packet(proto=6, SRCpublicIP:53495->WAN1IP:81) from wan. flag , seq 4175373843, ack 0, win 64240"
    id=20085 trace_id=1 func=init_ip_session_common line=5744 msg="allocate a new session-01b345f2"
    id=20085 trace_id=1 func=vf_ip_route_input_common line=2591 msg="find a route: flag=80000000 gw-WAN1IP via root"
    id=20085 trace_id=1 func=fw_local_in_handler line=412 msg="iprope_in_check() check failed on policy 0, drop"
     
    The problem is that I cannot select the new "DNAT & Virtual IP" in a policy. I temporarily added a policy to allow everything from wan to lan, with no luck.
    I tried it in many ways with no luck.
    FortiGate should have better documentation about its features.
     
    Do you know of any document about how to forward a port from scratch?
    Can you explain this to me?
    I attended an NSE4 course but we never saw this.
     
    Thanks in advance
    Regards,
    Damián
    #3
    DamianLozano
    2020/08/19 06:23:58
    I just found the following in the Lab guide of the NSE4:
     
    "You can't select VIPs previously created in a firewall policy as a destination address.
    As soon as a VIP object is created, FortiGate automatically creates a rule in the kernel for DNAT to occur"
     
    The guide asked me to enable a rule, but the lab stopped being available when the course ended.
    Image attached
     
    Regards


    #4
    DamianLozano
    2020/08/25 07:28:17
    No one knows Central NAT?
    Regards
    Damián
    #5
    poundy
    2020/08/25 14:07:56
    I think nobody cared when you said you were doing this all as part of a course and you have no access to a lab, and when the lab notes explicitly said you can't do what you tried to do.
    #6
    DamianLozano
    2020/08/25 14:36:08
    This is not part of a course; this is an issue in a FortiGate that I configured for a customer, which is in production right now.
    I did the NSE4 course before, and there I learned that there is something called "Central NAT", but they don't explain this well enough, or I missed something.
    I still need to forward some ports, but I could not find anything useful in the course PDFs.
     
    Regards,
    Damián
    #7
    poundy
    2020/08/25 14:49:47
    So then what is your problem exactly? You need a policy permitting port 81 traffic.
     
    Take this out of the theoretical. Show us the configuration commands you have in place and what you have tried.
    #8
    DamianLozano
    2020/08/26 10:31:04
    Hello,
     
    I cannot forward port TCP 81; this is the problem.
    I temporarily added a rule to allow everything from WAN to LAN, but nothing changed.
    The DNAT is the following:
    config firewall vip
    edit "Example"
    set uuid 71b50130-e166-51ea-3826-075742213cf8
    set comment "Ejemplo de publicacion de puerto"
    set extip 179.60.208.66
    set extintf "any"
    set portforward enable
    set color 18
    set mappedip "10.1.1.234"
    set extport 81
    set mappedport 81
    next
    end
     
    Regards,
    Damian
    #9
    emnoc
    2020/08/26 12:48:47
    Can we see the firewall policy that uses that VIP? Also, do you have any other rules that deny? You might need to set match-vip enable.
     
    https://kb.fortinet.com/kb/documentLink.do?externalID=FD33338
     
    Also do not forget rule order/sequence, but since you're hitting the implicit deny, I don't think that is the issue.
     
    And lastly, if the rule has a DNAT-VIP, make sure you do not enable nat in the policy.
     
    Ken Felix

    PCNSE 
    NSE 
    StrongSwan  
    #10
    DamianLozano
    2020/08/27 07:52:23
    Thanks for your response.
     
    There is no rule from sd-wan to lan.
    This is because I could not select a VIP in a policy.
    I temporarily added a rule to allow everything, but as this did not solve the issue I deleted it.
    So, every time I need to create a VIP, do I need to do the following?
    - Create a rule
    - Enable match-vip from the CLI
    - Match the VIP in the rule
     
    This does not make sense to me.
    In this case, what is "Central NAT" for?
    I thought that no rule is needed with "Central NAT"; that is what I understood in the course.
     
    Regards,
    Damián
     
    #11
    emnoc
    2020/08/27 10:43:08
      So, every time I need to create a VIP I need to do the following?
    - Create a rule
    - Enable the match-vip from cli
    - Match VIP in the rule

     
    Yes, you need a policy, if that is what you mean by rule. No policy, and without the VIP defined for the destination, it is not going to work. All traffic is controlled by the policy.
     

    In this case, what is "Central NAT" for?

     
    A central NAT table just provides a central table for NAT translation, but for SNAT. A VIP is not controlled by the central NAT table; in fact the name suggests it's a snat-map.
     
    People who like the central NAT table are mainly people that come from the Checkpoint, Juniper, Cisco ASA or Palo shop, since it works nearly the same way.
     
    If you enable central SNAT you do NOT use NAT in your policy; the table manages the SNATs.
     
    Read more here.
    https://help.fortinet.com/cli/fos60hlp/60/Content/FortiOS/fortiOS-cli-ref/config/firewall/central-snat-map.htm
     
    ;)
     
    BTW, SNAT has nothing to do with your VIP, fwiw.
     
     
    Ken Felix
    #12
    DamianLozano
    2020/09/01 05:58:52
    Hello again,
     
    I hope I don't need to explain again that, although I attached an image from a course, this is about a real FortiGate in a production environment (the course ended some weeks ago; the lab is no longer available).
      
    I finally could test; I did the following:
    - Added a service for port 81
    - Added a rule from sd-wan to lan for this service
    - Tried to enable match-vip for this policy as in https://kb.fortinet.com/kb/documentLink.do?externalID=FD33338 but it failed
     
    FGT # config firewall policy
    FGT (policy) # edit 5
    FGT (5) # set match-vip enable

    command parse error before 'match-vip'
    Command fail. Return code -61
     
     
    So, I attached again the image from the lab guide which I followed when I did the course.
    In this image you can see the following words from Fortinet: "As soon as a VIP object is created, FortiGate automatically creates a rule in the kernel for DNAT to occur", which I interpreted as: "I don't need to create a policy".
     
    What is the problem here?
    If I need to enable match-vip for the rule, what is the proper command to accomplish this?
     
    Regards,
    Damián


    #13
    emnoc
    2020/09/01 07:28:20
    Not sure what you're doing, but first let's start with this:
     

    "As soon as a VIP object is created, FortiGate automatically creates a rule in the kernel for DNAT to occur", which I interpreted as: "I don't need to create a policy"

     
    Creating a VIP does NOT side-step the need for a rule. I'm not sure why you keep bringing this up.
     
    Second, let's see firewall policy #5
     
    (from the CLI, using the above-mentioned policy ID 5)
     
    show full firewall policy 5
     
     
    Let's see your VIP so we can fully understand what you're doing:
     
    show full firewall vip
     
    Can you give us those 2 outputs from the CLI?
     
    Ken Felix
    #14
    DamianLozano
    2020/09/01 07:41:40
    Sure, thanks for your reply,
     
    FGT # show full firewall policy 5 
    config firewall policy
        edit 5
            set name "DVR"
            set uuid a6d824f4-ec4d-51ea-7f07-66b8d321df2d
            set srcintf "virtual-wan-link"
            set dstintf "lan"
            set srcaddr "all"
            set dstaddr "DVRs"
            set internet-service disable
            set internet-service-src disable
            set rtp-nat disable
            set learning-mode disable
            set action accept
            set status enable
            set schedule "always"
            set schedule-timeout disable
            set service "Web2"
            set dscp-match disable
            set utm-status disable
            set logtraffic utm
            set logtraffic-start disable
            set auto-asic-offload enable
            set np-acceleration enable
            set permit-any-host disable
            set permit-stun-host disable
            set session-ttl 0
            set vlan-cos-fwd 255
            set vlan-cos-rev 255
            set wccp disable
            set fsso disable
            set disclaimer disable
            set natip 0.0.0.0 0.0.0.0
            set diffserv-forward disable
            set diffserv-reverse disable
            set tcp-mss-sender 0
            set tcp-mss-receiver 0
            set comments ''
            set block-notification disable
            set replacemsg-override-group ''
            set srcaddr-negate disable
            set dstaddr-negate disable
            set service-negate disable
            set timeout-send-rst disable
            set captive-portal-exempt disable
            set ssl-mirror disable
            set scan-botnet-connections disable
            set dsri disable
            set radius-mac-auth-bypass disable
            set delay-tcp-npu-session disable
            unset vlan-filter
            set profile-protocol-options "default"
            set traffic-shaper ''
            set traffic-shaper-reverse ''
            set per-ip-shaper ''
        next
    end
     
    FGT # show full firewall vip
    config firewall vip
        edit "DVR"
            set id 0
            set uuid 71b50130-e166-51ea-3826-075742213cf8
            set comment "Port 81 to DVR"
            set type static-nat
            set extip 179.60.208.66
            set extintf "any"
            set arp-reply enable
            set nat-source-vip disable
            set portforward enable
            set gratuitous-arp-interval 0
            set color 18
            set mappedip "10.1.1.234"
            set protocol tcp
            set extport 81
            set mappedport 81
            set portmapping-type 1-to-1
        next
    end

     
    Regards,
    Damián
    #15
    emnoc
    2020/09/01 09:22:20
    Is the custom service Web2 set for TCP port 81? What I would do is run "diag debug flow" and look for the traffic and the match.
     
       
       diag debug flow filter port 81
       diag debug flow filter addr 179.60.208.66
       diag debug enable
       diag debug flow trace start 10
     
    Then start some traffic, look, and update us with what you see.
     
    Ken Felix
    #16
    DamianLozano
    2020/09/01 11:00:08
    Hello, thanks for your response
     
    The custom service web2 is that set for tcp.port 81?

    Yes, only TCP 81
     
    I already did a debug flow and pasted it in a previous reply in this thread:
    id=20085 trace_id=1 func=print_pkt_detail line=5573 msg="vd-root:0 received a packet(proto=6, SRCpublicIP:53495->WAN1IP:81) from wan. flag , seq 4175373843, ack 0, win 64240"
    id=20085 trace_id=1 func=init_ip_session_common line=5744 msg="allocate a new session-01b345f2"
    id=20085 trace_id=1 func=vf_ip_route_input_common line=2591 msg="find a route: flag=80000000 gw-WAN1IP via root"
    id=20085 trace_id=1 func=fw_local_in_handler line=412 msg="iprope_in_check() check failed on policy 0, drop"

    There is no rule to allow this traffic.
     
    Regards,
    Damián
    #17
    emnoc
    2020/09/01 11:43:29
    Do us a favor: please take the ext-ip of the VIP and ensure it's not being used elsewhere on the FortiGate.
     
    (i.e. using 179.60.208.66)
     
     
    #cli
     
     
    show full | grep -f 179.60.208.66 
     
    Ken Felix
    #18
    DamianLozano
    2020/09/01 13:07:43
    Hello, thanks for your help
     
    I just checked again and I could connect with the correct IP.
    I saw that the VIP had the external IP of the secondary WAN connection; when I changed it to use the primary WAN connection it started working, and then I changed it back to the secondary and it worked again.
    I don't know what happened there, because when I did the test the first time I used the correct IP and I had created a rule to allow everything, just for some minutes, for testing purposes.
     
     
    Thanks.
    Regards,
    Damián
    #19
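    The configuration the thread converges on, written out as an added example (it is not the original poster's configuration and not taken from Fortinet documentation). It follows the two points emnoc makes in #10 and #12 (a VIP does nothing by itself; a firewall policy must permit the DNATed traffic, and with central NAT enabled the policy has no NAT option because outbound SNAT lives in the central SNAT map), the lab-guide note quoted in #4 (in central NAT mode the VIP cannot be selected in the policy; the kernel applies the DNAT first, so the policy's destination is the mapped inside address), and the root cause found in #19 (the VIP's external IP belonged to the secondary WAN link, so packets arriving on the primary WAN IP never matched it and fell through to the implicit deny). Assumptions: the public IP 179.60.208.66 is an address of an interface named "wan1", the inside interface is "lan", and the object names DVR-10.1.1.234, TCP-81 and Inbound-DVR-81 are invented for this example. Lines starting with # are comments.

```fortios
# Added example, not the thread's own configuration. Assumes 179.60.208.66
# is an address of interface "wan1" and the inside interface is "lan"; the
# object names are invented. Central NAT is enabled, so the policy carries no
# "set nat": outbound SNAT is defined in firewall central-snat-map instead.

# 1. Address object for the internal host. With central NAT the kernel applies
#    the VIP before the policy lookup, so the policy matches on the mapped
#    address, not on the VIP object (which is why the VIP is not selectable).
config firewall address
    edit "DVR-10.1.1.234"
        set subnet 10.1.1.234 255.255.255.255
    next
end

# 2. A service covering only TCP/81, so the policy opens nothing else.
config firewall service custom
    edit "TCP-81"
        set tcp-portrange 81
    next
end

# 3. The VIP. Bind extintf to the interface that owns extip rather than "any":
#    if extip belongs to the other WAN link, packets arriving on wan1 never
#    match the VIP and are handled as traffic addressed to the FortiGate
#    itself, which is the "fw_local_in_handler ... policy 0, drop" trace in #3.
config firewall vip
    edit "DVR"
        set extip 179.60.208.66
        set extintf "wan1"
        set portforward enable
        set mappedip "10.1.1.234"
        set protocol tcp
        set extport 81
        set mappedport 81
    next
end

# 4. The policy that permits the DNATed traffic; without it the implicit deny
#    drops it. "edit 0" lets FortiOS assign the next free policy ID. Narrow
#    srcaddr to the networks that really need the DVR where possible; "all"
#    exposes the service to the whole Internet.
config firewall policy
    edit 0
        set name "Inbound-DVR-81"
        set srcintf "wan1"
        set dstintf "lan"
        set srcaddr "all"
        set dstaddr "DVR-10.1.1.234"
        set action accept
        set schedule "always"
        set service "TCP-81"
        set logtraffic all
    next
end

# 5. Verification. First confirm which interface actually holds the public IP
#    (the devname shown must be the VIP's extintf), then trace a connection
#    from outside. A matching VIP produces a "DNAT 179.60.208.66:81->
#    10.1.1.234:81" line before the policy lookup, followed by
#    "Allowed by Policy-<id>"; a trace that goes straight to
#    fw_local_in_handler means no VIP matched the packet.
diagnose ip address list
diagnose debug reset
diagnose debug flow filter clear
diagnose debug flow filter daddr 179.60.208.66
diagnose debug flow filter port 81
diagnose debug flow show function-name enable
diagnose debug flow trace start 10
diagnose debug enable
# now run "telnet 179.60.208.66 81" from a host on the Internet, then:
diagnose debug disable
diagnose debug reset
```

    The central SNAT map is not shown because the thread says outbound SNAT already works; it is untouched by this change. The check in step 5 is the one that would have found the problem in this thread in a single command: if "diagnose ip address list" reports 179.60.208.66 on an interface other than the VIP's extintf (or the interface the packets arrive on), the VIP can never match and the FortiGate treats the connection as one to its own management plane, where only the local-in policy applies.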
    DamianLozano
    2020/09/01 14:09:54
    I started with Mikrotik before and I like it (I know about the pros of FortiGate, of course).
    When I did the NSE4 course I started to like FortiGate a little more than before, but I still prefer Mikrotik for almost everything.
    There is a very big difference between the documentation of the two; this is why I like Mikrotik. There is a lot of insignificant documentation about FortiGate; there are a lot of pages with useless information.
    An example of useless documentation is something like this:
    To create an IPsec VPN do the following:
    Go to VPN IPsec
    Click on create new
    Complete field 1
    Complete field 2
    Complete field 3
    Click finish

    I have found a lot of FortiGate pages like this. Do you understand why this is useless? Somewhere it should say what every field is, which kind of VPN that is, what it is for, etc.
     
    And I think this is why this post took so much time: a lot of suggestions to do useless steps, a lot of ignorance about a lot of FortiGate features (I am the first with ignorance).
    Of course I sometimes find some good FortiGate documentation, but I need to have a very lucky day.
    I think FortiGate should improve its documentation, but this will take a lot of days of work for the people with enough knowledge.
     
    Regards,
    Damián
    #20