dnat without vip [Answered]

Author
marypoppins
2021/09/23 14:37:54

dnat without vip

Dear All,
Is there any way to use dnat without a vip? I have the following situation:
clients pc  --- fortigate ---- other device ---  192.168.5.5
                                                                 |_  192.168.6.6
I would like to achieve:
a) A client with IP 10.10.10.10 that wants to go to dst:192.168.5.5 is DNAT-ed to dst:192.168.6.6.
b) Other clients that want to go to dst:192.168.5.5 are not NAT-ed, so dst:192.168.5.5 is unchanged and the packet is simply forwarded to the destination.
 
My problem is that the 'external ip' is not on fortigate, and when I create a DNAT & Virtual IP with:
External IP address/range : 192.168.5.5
Mapped IP address/range : 192.168.6.6
Optional filter / Source address : 10.10.10.10
Then a) seems to work: there are DNAT-ed outgoing packets and replies. But b) doesn't work, and the diag flow shows:
"iprope_in_check() check failed on policy 0, drop", as I think the FortiGate treats 192.168.5.5 as a local address because of the VIP.
So is there a way to use only DNAT without a local VIP, or do you have any idea how to solve this problem?


PS: the network is a little bit more complicated than this; there are more "clients" and they are configured with fixed destination servers, so this way I would like to send some "clients" to another server.

Thank you for reading me
#1
Toshi Esumi
Re: dnat without vip 2021/09/23 15:45:29 (Best Answer, marked by marypoppins 2021/09/24 10:35:44)
I haven't tested this, but try this example. It seems to match what you want to do. I found it by just searching "fortigate conditional vip" on the internet.
https://kb.fortinet.com/k....do?externalID=FD33298
#2
Kangming_FTNT
Re: dnat without vip 2021/09/24 09:42:09
B) should access dst 192.168.6.6.
dst:192.168.5.5 cannot exist in two places.

Thanks
Kangming
#3
Toshi Esumi
Re: dnat without vip 2021/09/24 10:00:37
You should open a ticket at TAC if a KB doesn't work.
#4
marypoppins
Re: dnat without vip 2021/09/24 10:34:01
Thank you for answering me. However, in my case the load balancing is unnecessary. But you helped me a lot, because in your link I finally saw the one line which is the solution:
set arp-reply disable
Thank you
#5
ede_pfau
Re: dnat without vip 2021/09/26 04:14:42
Thank you for that excellent observation, easily overlooked. Of course, responding to ARP in this case from 2 different hosts will lead to confusion.

Ede

" Kernel panic: Aiee, killing interrupt handler!"
#6
marypoppins
Re: dnat without vip 2021/09/26 23:48:15
There are no two hosts with the same IP address in this scenario. There is a router/firewall which forwards the packets, and if the dst address of a packet is the host with ipA, then it forwards that packet to another destination. In other words, the external IP is not on the FortiGate. That is all.
 
Thank you
#7