dnat without vip
Is there any way to use dnat without a vip? I have the following situation:
clients pc --- fortigate ---- other device --- 192.168.5.5
I would like to achieve:
a) - A client with ip 10.10.10.10 if want to go to dst:192.168.5.5 then it dnat-ed to dst:192.168.6.6.
b) -while other clients if want to go to dst:192.168.5.5 then no-nat-ed, so dst:192.168.5.5 is unchanged and simply forward to the dst.
My problem is that the 'external ip' is not on fortigate, and when I create a DNAT & Virtual IP with:
External IP address/range : 192.168.5.5
Mapped IP address/range : 192.168.6.6
Optional filter / Source address : 10.10.10.10
Then a) seems to work, there is dnat-ed outgoing packets and replies, but b) doesn't work, and the diag flow shows:
"iprope_in_check() check failed on policy 0, drop", as I think fortigate knows 192.168.5.5 is local address because of vip.
So is there a way using only dnat without local vip, or do you have any idea how to solve this problem?
Ps: the network is a little bit complicated than this, there are more "clients" and those have config with fix destination servers, so this way I would like to send some "clients" to another server.
Than you for reading me