Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
marypoppins
New Contributor II

dnat without vip

Dear All,

Is there any way to use DNAT without a VIP? I have the following situation:

clients pc --- fortigate --- other device --- 192.168.5.5
                                  |_ 192.168.6.6

I would like to achieve:

a) A client with IP 10.10.10.10, if it wants to go to dst:192.168.5.5, is DNAT-ed to dst:192.168.6.6.

b) Other clients, if they want to go to dst:192.168.5.5, are not NAT-ed, so dst:192.168.5.5 is unchanged and simply forwarded to the destination.


My problem is that the 'external IP' is not on the FortiGate, and when I create a DNAT & Virtual IP with:

External IP address/range : 192.168.5.5

Mapped IP address/range : 192.168.6.6

Optional filter / Source address : 10.10.10.10

Then a) seems to work, there are DNAT-ed outgoing packets and replies, but b) doesn't work, and the diag flow shows:

"iprope_in_check() check failed on policy 0, drop", as I think the FortiGate knows 192.168.5.5 is a local address because of the VIP.

So is there a way using only DNAT without a local VIP, or do you have any idea how to solve this problem?

PS: the network is a little bit more complicated than this; there are more "clients" and those are configured with fixed destination servers, so this way I would like to send some "clients" to another server.


Thank you for reading.

1 Solution
Toshi_Esumi
Esteemed Contributor III

I haven't tested this but try this example. Seems to match what you want to do. I found this by just searching "fortigate conditional vip" on the internet. https://kb.fortinet.com/k....do?externalID=FD33298


6 REPLIES
Kangming

B) Should access DST 192.168.6.6 


dst:192.168.5.5 cannot exist in two places.

Thanks

Kangming

Toshi_Esumi
Esteemed Contributor III

You should open a ticket at TAC if a KB doesn't work.

marypoppins

Thank you for answering me. However, in my case the load balancing is unnecessary. But you helped me a lot, because in your link I finally saw a line which is the solution:

set arp-reply disable


Thank you

ede_pfau
Esteemed Contributor III

Thank you for that excellent observation, easily overlooked. Of course, responding to ARP in this case from 2 different hosts will lead to confusion.


Ede

"Kernel panic: Aiee, killing interrupt handler!"
marypoppins

There are no two hosts with the same IP address in this scenario. There is a router/FW which forwards the packets, and if the destination address of a packet is the host with IP A, then it forwards that packet to another destination. In other words, the external IP is not on the FortiGate. That is all.


Thank you
