IC Knowledge Base

Fortigate Hairpin NAT

This article describes the configuration needed for Hairpin NAT.

Scenario: Internal user ("PC" in the follow diagram) needs to access Server (10.10.10.10)

 

 


In this scenario, both PC and Server are behind FortiGate and PC wants to connect to Server by pointing to its external address (172.16.1.10) instead of its real one (10.10.10.10). This is called Hairpin NAT.

 

 

Solution

 

The solution will depend on how the Virtual IP (VIP) has been configured in first place, specifically the value set to the external interface option set in the VIP. 

=> External interface set to a particular interface, for instance wan1:

config firewall vip
    edit "VIP"
        set extip 172.16.1.10
        set extintf "wan1"
        set mappedip 10.10.10.10
    next
end



Two policies are needed:

1. An incoming policy with VIP object as destination address and dmz as outgoing interface (interface server is behind). This would be the typical policy needed for making a device accessible from Internet.

config firewall policy
    edit 1
        set srcintf "wan1"
        set dstintf "dmz"
        set srcaddr "all"
        set dstaddr "VIP"   <--- VIP object
        set action accept
        set schedule "always"
        set service "ALL"

    next
end


2. An outgoing policy having as outgoing interface the same one defined as external interface in VIP object. In this case this would be wan1.

config firewall policy
    edit 2
        set srcintf "internal"
        set dstintf "wan1"  <-- Same as external interface defined in VIP
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end


=> External interface set to any:

config firewall vip
    edit "VIP"
        set extip 172.16.1.10
        set extintf "any"
        set mappedip 10.10.10.10
    next
end


One policy is needed:

1) An outgoing policy with VIP object as destination address and dmz as outgoing interface (interface server is behind)

config firewall policy
    edit 3
        set srcintf "internal"
        set dstintf "dmz"
        set srcaddr "all"
        set dstaddr "VIP"   <--- VIP object
        set action accept
        set schedule "always"
        set service "ALL"

    next
end


Or you can also create the same policy as above but with "match-vip" enabled and "all" as destination address instead:

config firewall policy
    edit 3
        set srcintf "internal"
        set dstintf "dmz"
        set srcaddr "all"
        set dstaddr "all"
        set action accept  
        set schedule "always"
        set service "ALL"
        set match-vip enable
 
    next
end


Notes:
- Even though packet is destined to an external address, it is never forwarded to the Internet. This is, packet always remains on the inside network since FortiGate will forward and translate it between interfaces.
- If both PC and Server are behind the same interface, same rules apply. In this case, outgoing and incoming interfaces will be the same in policy #3.

 

4.33 (3)
Article Rating (3 Votes)
Rate this article
Attached Files
There are no attachments for this article.
Comments
There are no comments for this article. Be the first to post a comment.
Name
Email
Security Code Security Code
Related Articles RSS Feed
Fortigate Phase 2 Keep Alive
Viewed 3234 times since Thu, Jul 26, 2018
How to configure DNS based FortiGuard web filtering with FortiOS v5.4
Viewed 6704 times since Wed, Aug 2, 2017
FortiGate MAC host check on SSL VPN
Viewed 7594 times since Fri, Aug 31, 2018
Technical Note: Error ’Unable to establish the VPN connection. The VPN server may be unreachable. (-5)’ on FortiClient with SSL VPN
Viewed 43988 times since Mon, Aug 7, 2017
Technical Note: DNS resolution not working when DNS Server configured to ’Same as Interface IP’
Viewed 9653 times since Wed, Aug 9, 2017
Full (Deep) SSL Inspection - Avoid certificate errors
Viewed 7209 times since Thu, Jul 26, 2018
Fortigate SSL/TLS Handshake fails
Viewed 7786 times since Wed, Dec 6, 2017
Fortigate DC Replication RPC port 135 Session-Helper
Viewed 6435 times since Wed, Dec 6, 2017
Technical Note: Custom NTP server configuration
Viewed 4357 times since Fri, Aug 11, 2017
Internet Central Limited, Innovation Centre 2, Keele Science Park, Keele, Staffordshire ST5 5NH
Registered Office: Ivy House Foundry, Hanley, Stoke-on-Trent, ST1 3NR
Registered in England: Reg No. 03079542 VAT Reg No. GB 278 923 705
Contact Us |Terms & Conditions |Legal, Privacy and Cookies
All prices exclude VAT E.&O.E © 2015 Internet Central

All trademarks and logos appearing on the site are the property of their respective owners