Fortigate Hair-pinning VIP - from DMZ to LAN (Internal access to DMZ with External Address)

 Thanks to: https://community.fortinet.com/


Technical Tip: Configuring Hairpin NAT (VIP)

Description
This article describes how to configure FortiGate for Hairpin with the use of set match-vip and match-vip-only.

 

 




In this scenario, both PC and Server are behind FortiGate and PC wants to connect to Server by pointing to its external address (92.0.2.10) instead of its real one (10.10.10.10).
This is called Hairpin NAT.
Scope

Fortigate

 

Solution

The solution will depend on how the Virtual IP (VIP) object.

Solution 1: External interface in the VIP is configured to particular interface (in this case to wan1)

External interface set to a particular interface, for instance wan1:
#config firewall vip
    edit "VIP"
        set extip 92.0.2.10
        set extintf 'wan1'
        set mappedip 10.10.10.10
    next
end
Note: In this scenario, the VIP external IP can be the same as interface IP (i.e 92.0.2.2)

Two policies are needed:

1) An incoming policy with VIP object as destination address and dmz as outgoing interface (interface server is behind). This would be the typical policy needed for making a device accessible from Internet.

2) An outgoing policy having as outgoing interface the same one defined as external interface in VIP object. In this case, this would be wan1.

#config firewall policy
    edit 1
        set srcintf "wan1"
        set dstintf "dmz"
        set srcaddr "all"
        set dstaddr "VIP"             <----- VIP object.
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 2
        set srcintf "internal"
        set dstintf "wan1"            <----- Same as external interface defined in VIP.
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end

Solution 2: External interface in the VIP object is configured to “any”
#config firewall vip
    edit "VIP"
        set extip 92.0.2.10
        set extintf 'any'
        set mappedip 10.10.10.10
    next
end
In this scenario, one policy from internal network directly to DMZ is sufficient:
#config firewall policy
    edit 3
        set srcintf "internal"
        set dstintf "dmz"
        set srcaddr "all"
        set dstaddr "VIP"             <----- VIP object.
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
Another possibility is to create the same policy as above is possible but with 'match-vip' enabled and 'all' as destination address instead:
Note: In FortiOS v6.4.3 and above, 'set match-vip enable' is only available within the Firewall Policy When the ACTION of the policy is set to DENY, so you cannot use this possibility.
#config firewall policy
    edit 4
        set srcintf "internal"
        set dstintf "dmz"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set match-vip enable
    next
end
Note: For this configuration to work, another policy with the VIP as destination address must be active or Central NAT must be used.

Even though packet is destined to an external address, it is never forwarded to the Internet.
This packet always remains on the inside network since FortiGate will forward and translate it between interfaces.

If both the server and the PC are hosted behind the same LAN interface, the traffic used to implement the "LAN-LAN" policy prior to 6.4.3. In FortiOS 6.4.3 and higher, the traffic would match the "WAN-LAN" policy; see the traffic flow below for additional information.

 

In the below-mentioned example the Source "10.150.7.22" and the destination "10.5.55.218" are hosted behind the same Interface Port5:

 

External IP: 10.5.55.218,
Mapped IP: "10.150.4.58",
LAN Facing Interface: Port5
WAN Facing Interface: Port2

 

# config firewall vip

# edit "HAIRPIN-NAT"

# set uuid 15baccae-6e03-51ec-9819-8da608ba2c39
# set extip 10.5.55.218
# set mappedip "10.150.4.58"
# set extintf "any"
# set arp-reply disable
# set portforward enable
# set extport 10443
# set mappedport 443

# next

# end

# config firewall policy

# edit 13

# set name "WAN-LAN"
# set uuid 5d48ff10-6e07-51ec-d776-6809a6d67bf5
# set srcintf "port2"
# set dstintf "port5"
# set srcaddr "all"
# set dstaddr "HAIRPIN-NAT"
# set action accept
# set schedule "always"
# set service "ALL"

# next

# edit 14

# set name "activate-hairpin"
# set uuid 9cf01964-6e11-51ec-c4b7-880cc8ed68ab
# set srcintf "port5"
# set dstintf "port2"
# set srcaddr "all"
# set dstaddr "10.5.55.218"
# set action accept
# set schedule "always"
# set service "ALL"
# next

# end

 

Traffic Flow Debug Output:
# id=20085 trace_id=2031 func=print_pkt_detail line=5700 msg="vd-root:0 received a packet(proto=6, 10.150.7.22:63152->10.5.55.218:10443) from port5. flag [S], seq 1502106178, ack 0, win 64240"
id=20085 trace_id=2031 func=init_ip_session_common line=5871 msg="allocate a new session-024e5953"
id=20085 trace_id=2031 func=fw_pre_route_handler line=182 msg="VIP-10.150.4.58:443, outdev-unknown"
id=20085 trace_id=2031 func=__ip_session_run_tuple line=3492 msg="DNAT 10.5.55.218:10443->10.150.4.58:443"
id=20085 trace_id=2031 func=vf_ip_route_input_common line=2584 msg="find a route: flag=05000000 gw-10.150.4.58 via port5"
id=20085 trace_id=2031 func=fw_forward_handler line=796 msg="Allowed by Policy-13: SNAT"

id=20085 trace_id=2031 func=__ip_session_run_tuple line=3478 msg="SNAT 10.150.7.22->10.150.7.218:63152"
id=20085 trace_id=2031 func=ipd_post_route_handler line=490 msg="out port5 vwl_zone_id 0, state2 0x0, quality 0.


Comentarios

Publicar un comentario

Dime si la información de este blog te sirvio.

Entradas populares de este blog

Guía de herramientas básicas para estudiantes: 31 apps y webs imprescindibles para ayudarte con los estudios

Imagen
  Te traemos una guía con   31 aplicaciones y herramientas web para ayudarte como estudiante , una colección muy variada para sacar provecho en diferentes ámbitos en los que puedas necesitarlo. Nos hemos dejado fuera el ámbito educativo para los más jóvenes, recursos que tenemos en   esta otra guía , y nos hemos centrado en estudiantes más adultos. Hemos decidido centrarnos en herramientas prácticas, dejando fuera las plataformas para cursos online, tanto  las más conocidas  como  otras menos conocidas . Lo que hemos preferido buscar son recursos que puedas usar en tu día a día, como gestores de fuentes y citaciones, herramientas para diagramas, para intercambiar apuntes o para crear diferentes contenidos. Y lo que decimos siempre en Xataka Basics hoy cobra más sentido que nunca. Nosotros te traemos 31 herramientas, pero te invitamos a  compartir tus propuestas en la sección de comentarios  para que el resto de usuarios también pueda beneficiarse de los conocimientos de nuestros xatake
Leer más

Comando FOR para archivos BAT

Gracias a: http://profesoremiliobarco.blogspot.com/ El comando FOR sirve para ejecutar bucles de instrucciones, y es una instrucción que se encuentra disponible en todos los lenguajes de programación. Un bucle son varias repeticiones de algunas instrucciones. Este comando suele ser el más complicado de entender para las personas que empiezan a escribir archivos BAT complejos. Aqui intentaré explicar todas las opciones y usos del comando FOR, así como intentar resolver las dudas que los usuarios de Internet me puedan plantear. La sintaxis normal del comando FOR es: FOR %var IN (lista) DO (      comando     comando      ... )  Pero si lo vamos a usar dentro de un archivo BAT será así: FOR %%var IN (lista) DO (      comando     comando      ... ) Observa que la variable "var" ahora va precedida por dos simbolos de "%". Además, si este for está dentro de un archivo BAT, el nombre de la variable debe ser UNA SOLA LETRA (p.ej: %%n, %%i,  %%j , etc
Leer más

Policy Based Routing example: route one subnet via ISP A and another via ISP B

Imagen
thanks to: http://glennmatthys.wordpress.com/ Goal Setup a network with a Cisco router that routes one local subnet via internet connection A and another local subnet via internet connection B. In this example we’ll use one LAN side, which has two subnets: 192.168.1.0/24 192.168.2.0/24 We want traffic destined for the internet, originating from the 192.168.1.0/24 network, to be sent to ISP A, which is connected to FastEthernet0 We want traffic destined for the internet, originating from the 192.168.2.0/24 network, to be sent to ISP B, which is connected to FastEthernet1 Both internet connections get their IP address via DHCP. Prerequisites For this  configuration you’ll need: One dual WAN router, such as a 1811 Two internet connections (or simulated ones) 2 nodes, one for the 192.168.1.0/24 subnet and one for the 192.168.2.0/24 subnet. These can be two different computers, or two virtual machines, etc… ClientA, Windows 7, will connect to 192.168.1.0/24 and sur
Leer más