Source IP passthrough to NAT clients

Author
junglecom
Bronze Member
  • Total Posts : 23
  • Scores: 0
  • Reward points: 0
  • Joined: 2013/02/18 23:35:41
  • Status: offline
2013/03/26 23:20:57 (permalink)
0

Source IP passthrough to NAT clients

Hi All,

I am NATing 2 servers through a FortiGate firewall.

Internet
    |
FortiGate (NAT)
   |      |
  VM1    VM2


When I check the access logs on the servers being NATed (VM1, VM2), all the traffic has the source IP of the FortiGate. How can I make it so the original source IP is sent down the NAT to the destination servers?

Thank you


< Message edited by junglecom -- 3/26/2013 11:31:24 PM >
#1

16 Replies

    ede_pfau
    Expert Member
    • Total Posts : 6127
    • Scores: 496
    • Reward points: 0
    • Joined: 2004/03/09 01:20:18
    • Location: Heidelberg, Germany
    • Status: offline
    RE: Source IP passthrough to nat clients 2013/03/27 05:07:54 (permalink)
    0
    Uncheck the NAT checkbox in the policy in which you use the VIP.

    Ede

    "Kernel panic: Aiee, killing interrupt handler!"
    #2
    junglecom
    Bronze Member
    • Total Posts : 23
    • Scores: 0
    • Reward points: 0
    • Joined: 2013/02/18 23:35:41
    • Status: offline
    RE: Source IP passthrough to nat clients 2013/03/28 02:37:46 (permalink)
    0
    If I uncheck the NAT box then NAT no longer works and I can no longer access my server. I am using static NAT.

    Are you sure about this?
    < Message edited by junglecom -- 3/28/2013 2:46:51 AM >
    #3
    ede_pfau
    Expert Member
    • Total Posts : 6127
    • Scores: 496
    • Reward points: 0
    • Joined: 2004/03/09 01:20:18
    • Location: Heidelberg, Germany
    • Status: offline
    RE: Source IP passthrough to nat clients 2013/03/28 02:52:37 (permalink)
    0
    There are 2 sorts of NAT:
    1. destination NAT - the destination address is substituted
       in FortiOS this is realised via VIP

    2. source NAT - the source address is substituted
       in FortiOS, if you check "NAT" in the policy, source address is exchanged for the address of the egress interface
       if you check "dynamic NAT" and specify an IP pool, then addresses from the pool are used instead of the interface address.

    The symptoms you gave indicate that you are using source NAT. Public access to an internal server via VIP works without source NAT. So if you cannot reach your servers anymore after disabling (source) NAT then your setup is incorrect.

    - to which interface does your default route point to?
    - how do you check that a server is accessible? ping doesn't work if you port-forward!

    Ede

    "Kernel panic: Aiee, killing interrupt handler!"
    #4
    junglecom
    Bronze Member
    • Total Posts : 23
    • Scores: 0
    • Reward points: 0
    • Joined: 2013/02/18 23:35:41
    • Status: offline
    RE: Source IP passthrough to nat clients 2013/03/28 23:55:10 (permalink)
    0
    OK, I must have this configured wrong then.

    Default route I am not sure about. I have 3 interfaces:
    Global with static route gateway02
    Management with static route gateway01
    Private with no gateway

    I have a VIP (59.222.94.5) that is mapped to a server with the private IP (172.18.0.67). It is a one to one mapping. (static NAT)

    My policy is attached as a screenshot.

    I test by trying to ssh into the server.




    Attached Image(s)

    #5
    emnoc
    Expert Member
    • Total Posts : 5389
    • Scores: 353
    • Reward points: 0
    • Joined: 2008/03/20 13:30:33
    • Location: AUSTIN TX AREA
    • Status: offline
    RE: Source IP passthrough to nat clients 2013/03/31 21:39:54 (permalink)
    0
    Disable the "Enable NAT" check box and you should be fine. With VIPs you don't need to enable NAT.

    < Message edited by emnoc -- 3/31/2013 9:40:12 PM >

    PCNSE 
    NSE 
    StrongSwan  
    #6
    junglecom
    Bronze Member
    • Total Posts : 23
    • Scores: 0
    • Reward points: 0
    • Joined: 2013/02/18 23:35:41
    • Status: offline
    RE: Source IP passthrough to nat clients 2013/04/01 02:55:58 (permalink)
    0
    If I do that I can no longer access the server via SSH or anything else. That's my issue here. Here are my VIP settings.

    < Message edited by junglecom -- 4/1/2013 3:08:27 AM >

    Attached Image(s)

    #7
    ede_pfau
    Expert Member
    • Total Posts : 6127
    • Scores: 496
    • Reward points: 0
    • Joined: 2004/03/09 01:20:18
    • Location: Heidelberg, Germany
    • Status: offline
    RE: Source IP passthrough to nat clients 2013/04/02 00:55:56 (permalink)
    0
    You haven't answered my question yet: which routes do you have installed, esp. for the private LAN? -> Routing Monitor

    Ede

    "Kernel panic: Aiee, killing interrupt handler!"
    #8
    junglecom
    Bronze Member
    • Total Posts : 23
    • Scores: 0
    • Reward points: 0
    • Joined: 2013/02/18 23:35:41
    • Status: offline
    RE: Source IP passthrough to nat clients 2013/04/02 18:06:30 (permalink)
    0
    Sorry, I didn't know how to answer. Thanks for the tip. Here are my routes.





    < Message edited by junglecom -- 4/2/2013 6:06:45 PM >

    Attached Image(s)

    #9
    ede_pfau
    Expert Member
    • Total Posts : 6127
    • Scores: 496
    • Reward points: 0
    • Joined: 2004/03/09 01:20:18
    • Location: Heidelberg, Germany
    • Status: offline
    RE: Source IP passthrough to nat clients 2013/04/03 03:31:11 (permalink)
    0
    OK, imagine you are a packet from an arbitrary address coming in on port2, destination 59.222.94.5 which is your server. The FGT translates your destination IP address to 172.18.0.67 and forwards you to port3 where the server is found using ARP. All of this WITHOUT checking the NAT box in the policy, as it should be.

    Now, the server responds. Destination address now is some address on the internet.
    First, the server looks up its own routing table where hopefully it finds 172.18.0.1, the port3 address of the FGT, as the default gateway. IF THIS IS NOT THE CASE any return traffic must fail!

    Now you (the reply packet) reach the FGT on port3. Looking into the routing table, this address is matched by 2 routes: one to port1, one to port2.

    Which one to take??

    Depending on the server's address, being either odd or even, port1 or port2 will be chosen. So depending on the server's address you are forwarded to the wrong port and discarded. From the outside it looks like the packet has never reached the server but that's not true.

    So, do the following:
    - clarify which port leads to the internet
    - create one default route to this port
    - if you cannot reach any host on the port1 subnet anymore, the routing there is wrong
    - you should be able to ping your server from the internet now




    Ede

    "Kernel panic: Aiee, killing interrupt handler!"
    #10
    emnoc
    Expert Member
    • Total Posts : 5389
    • Scores: 353
    • Reward points: 0
    • Joined: 2008/03/20 13:30:33
    • Location: AUSTIN TX AREA
    • Status: offline
    RE: Source IP passthrough to nat clients 2013/04/03 08:43:38 (permalink)
    0
    Since you're posting this same problem all over;



    - create one default route to this port

    Remove that 2nd route, remove your check NAT enable block and you should be golden.

    PCNSE 
    NSE 
    StrongSwan  
    #11
    junglecom
    Bronze Member
    • Total Posts : 23
    • Scores: 0
    • Reward points: 0
    • Joined: 2013/02/18 23:35:41
    • Status: offline
    RE: Source IP passthrough to nat clients 2013/04/03 19:10:26 (permalink)
    0
    Thanks everyone for your input! Please let me start over here, since I still am unable to get this working. Below is all my settings simplified. Anyone see what I am missing here? Thank you very much for your help!

    Attached Image(s)

    #12
    emnoc
    Expert Member
    • Total Posts : 5389
    • Scores: 353
    • Reward points: 0
    • Joined: 2008/03/20 13:30:33
    • Location: AUSTIN TX AREA
    • Status: offline
    RE: Source IP passthrough to nat clients 2013/04/03 21:53:28 (permalink)
    0
    like the other thread



    Attached Image(s)


    PCNSE 
    NSE 
    StrongSwan  
    #13
    junglecom
    Bronze Member
    • Total Posts : 23
    • Scores: 0
    • Reward points: 0
    • Joined: 2013/02/18 23:35:41
    • Status: offline
    RE: Source IP passthrough to nat clients 2013/04/03 22:04:29 (permalink)
    0
    Sorry I started my config over removing all unnecessary IPs, since I still am unable to get this working. Below is all my settings simplified (reposted). Anyone see what I am missing here? Thank you very much for your help! (VIP Updated)

    Attached Image(s)

    #14
    junglecom
    Bronze Member
    • Total Posts : 23
    • Scores: 0
    • Reward points: 0
    • Joined: 2013/02/18 23:35:41
    • Status: offline
    RE: Source IP passthrough to nat clients 2013/04/09 22:28:13 (permalink)
    0
    Sorry for being a nitwit here but figured out the issue.

    Rule number #1 of IT: Always check the firewall of the server first.

    My co-worker, unknown to me, had set iptables to only accept traffic from the FortiGate private IP address.
    This is why I could access it with incoming NAT turned on and not with it off, because the source IP would change to the original public IP of the source traffic.

    Thank you all for your help with this.
    #15
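The check that junglecom's "rule number #1" calls for, as an added Python example that is not part of the thread and not Fortinet tooling. It parses the textual form of `iptables -S INPUT` and reports whether a port is accepted only from the upstream firewall's own inside address, which is exactly the state that makes a VIP policy work with NAT enabled and break the moment NAT is disabled. Both rulesets below are constructed for illustration; the only address taken from the thread is the FortiGate's inside address 172.18.0.1.

```python
import shlex
from ipaddress import ip_address, ip_network

# Constructed sample of `iptables -S INPUT` as the co-worker left it: SSH only
# from the FortiGate's inside address, so it works only while the FortiGate
# source-NATs inbound traffic and hides the real client.
BROKEN_RULESET = """\
-P INPUT DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 172.18.0.1/32 -p tcp -m tcp --dport 22 -j ACCEPT
"""

# Constructed corrected ruleset: SSH accepted from any source, so the policy's
# NAT checkbox can be cleared and the real client address reaches the logs.
FIXED_RULESET = """\
-P INPUT DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
"""

# Options that take one argument and do not affect this audit.
_SKIP_WITH_ARG = {"-i", "-o", "-p", "-m", "-d", "--sport", "--ctstate", "--comment"}


def parse_rules(text):
    """Turn `iptables -S` output into dicts with chain, source, dport and target.
    Negated matches (`! -s`) are not handled; an absent -s means any source."""
    rules = []
    for line in text.splitlines():
        argv = shlex.split(line)
        if not argv or argv[0] != "-A":
            continue                      # policy lines (-P) and blanks carry no match
        rule = {"chain": argv[1], "src": "0.0.0.0/0", "dport": None, "target": None}
        i = 2
        while i < len(argv):
            opt = argv[i]
            if opt == "-s":
                rule["src"] = argv[i + 1]
                i += 2
            elif opt == "--dport":
                rule["dport"] = int(argv[i + 1])
                i += 2
            elif opt == "-j":
                rule["target"] = argv[i + 1]
                i += 2
            elif opt in _SKIP_WITH_ARG:
                i += 2
            else:
                i += 1                    # flags without an argument
        rules.append(rule)
    return rules


def accepted_sources(text, port, chain="INPUT"):
    """Source networks from which `port` is explicitly ACCEPTed in `chain`."""
    return [ip_network(r["src"]) for r in parse_rules(text)
            if r["chain"] == chain and r["target"] == "ACCEPT" and r["dport"] == port]


def client_accepted(text, port, client_ip):
    """Would a packet from client_ip to `port` pass the ACCEPT rules for that port?"""
    client = ip_address(client_ip)
    return any(client in net for net in accepted_sources(text, port))


def only_reachable_via(text, port, firewall_inside_ip):
    """True when every ACCEPT for `port` is limited to the upstream firewall's own
    inside address: the server then depends on that firewall source-NATing."""
    nets = accepted_sources(text, port)
    fw = ip_network(firewall_inside_ip)
    return bool(nets) and all(net == fw for net in nets)


if __name__ == "__main__":
    for name, rules in (("broken", BROKEN_RULESET), ("fixed", FIXED_RULESET)):
        print(name, [str(n) for n in accepted_sources(rules, 22)],
              "internet client accepted:", client_accepted(rules, 22, "203.0.113.10"),
              "only via FortiGate:", only_reachable_via(rules, 22, "172.18.0.1"))
```

On a real server, feed the output of `iptables -S INPUT` (or the filter table from `iptables-save`) to `parse_rules`; a True from `only_reachable_via` for the service port is the signature of the misconfiguration in this thread, and it should be checked before touching the FortiGate policy. The parser deliberately ignores negated matches and multiport rules, so treat a False as "not this particular trap" rather than a clean bill of health.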
    ede_pfau
    Expert Member
    • Total Posts : 6127
    • Scores: 496
    • Reward points: 0
    • Joined: 2004/03/09 01:20:18
    • Location: Heidelberg, Germany
    • Status: offline
    RE: Source IP passthrough to nat clients 2013/04/10 01:34:47 (permalink)
    0
    wow, what a real blooper! Hope you told him some...

    Ede

    "Kernel panic: Aiee, killing interrupt handler!"
    #16
    danielsuarez
    New Member
    • Total Posts : 1
    • Scores: 0
    • Reward points: 0
    • Joined: 2019/11/29 07:36:42
    • Status: offline
    Re: RE: Source IP passthrough to nat clients 2019/11/29 08:08:03 (permalink)
    0
    And 6 years later, I carefully followed this post since I was facing the exact same problem, just to realize my local resource was also only allowing traffic from the FortiGate private address. So, thank you junglecom, haha.
    #17