FortiGate D-NAT with enabled Central-NAT

Problem

When the Central NAT function is enabled, the behaviour and configuration of NAT changes, and this includes Destination NAT (DNAT).
The question is: how do I configure an inbound NAT when Central NAT is enabled?

Solution

When Central NAT is enabled, it is not necessary to add the VIP object to the firewall policy as the destination address. This is normal behaviour: with Central NAT enabled, the DNAT is injected into the kernel as soon as the object is created under Policy & Objects -> DNAT & Virtual IPs, independently of any policy.

The only thing you have to do is create a Virtual-IP object:

After that we need an appropriate Firewall Policy:

Which IP address is the right one to use as destination in the policy?

Before FortiOS 6.4.3 -> use the internal IP address as destination (in my case: 172.16.51.12)
From FortiOS 6.4.3 onwards -> use the external IP address as destination (in my case: 10.10.10.250)

What happens with the 'match-vip-only' option?

Starting from FortiOS 6.2 there is a new option, 'match-vip-only', that can be applied to a policy when Central NAT is enabled. It is CLI only and disabled by default.
If it is disabled, traffic from SD-WAN to LAN with either 172.16.51.12 (internal IP) or 10.10.10.250 (external IP) as destination will be allowed by the policy.

If 'match-vip-only' is enabled, the policy is matched only when a DNAT has been applied to the traffic beforehand, so only traffic from SD-WAN to LAN with destination 10.10.10.250 (external IP) will match the policy.
This behaviour changed starting from FortiOS 6.4.3, where match-vip-only is no longer configurable and there is no option to change this behaviour.
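The complete configuration described above (Central NAT, the VIP object, the firewall policy and the 'match-vip-only' option) as a FortiOS CLI example. This is an added example, not configuration from the original post: the object names VIP_WEB, WEB_INTERNAL, WEB_EXTERNAL and "Inbound_Web", the interface names "virtual-wan-link" and "port2", and the HTTPS service are assumptions; the IP addresses are the ones used in the post. The comment lines are for the reader and are not part of the CLI.

```fortios
# Added example, not from the original post. Object and interface names are assumed.

# 1. Central NAT must be enabled for this behaviour to apply
config system settings
    set central-nat enable
end

# 2. The Virtual-IP object. With Central NAT this DNAT is active as soon as
#    the object exists; it is not referenced by any policy.
config firewall vip
    edit "VIP_WEB"
        set extip 10.10.10.250
        set extintf "any"
        set mappedip "172.16.51.12"
    next
end

# 3. Ordinary address objects for the policy destination (not the VIP object).
#    Both are defined here only to show the pre-/post-6.4.3 difference.
config firewall address
    edit "WEB_INTERNAL"
        set subnet 172.16.51.12 255.255.255.255
    next
    edit "WEB_EXTERNAL"
        set subnet 10.10.10.250 255.255.255.255
    next
end

# 4. The inbound policy from SD-WAN to LAN.
#    Before FortiOS 6.4.3 the destination is WEB_INTERNAL (internal IP).
#    From FortiOS 6.4.3 onwards the destination is WEB_EXTERNAL (external IP).
config firewall policy
    edit 0
        set name "Inbound_Web"
        set srcintf "virtual-wan-link"
        set dstintf "port2"
        set srcaddr "all"
        set dstaddr "WEB_EXTERNAL"
        set action accept
        set schedule "always"
        set service "HTTPS"
        # FortiOS 6.2.x only (CLI, disabled by default). Not available from 6.4.3,
        # where the policy matches only already-DNATed traffic anyway.
        set match-vip-only enable
    next
end
```

Check the running version with `get system status` before choosing the destination object, and confirm the VIP with `show firewall vip`. Because the DNAT is active the moment the VIP exists, the policy is the only control on who can reach 172.16.51.12 through it: keep `srcaddr` and `service` as narrow as the application allows, and on 6.2.x enable `match-vip-only` so the same policy cannot also permit direct traffic to the internal address.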
