FortiGate normally uses an IP Pool for source NAT and a VIP for destination NAT, but a VIP (a 1-to-1 translation) can also be applied to source NAT.
Note that for a VIP to be used for source NAT, an inbound policy is required.
Using VIP range for Source NAT (SNAT) and static 1-to-1 mapping from internal to external IP addresses
Important note: even if no connection needs to be initiated from external to internal, the firewall policy number 2 is required in order to activate the VIP range. Otherwise the IP address of the physical interface is used for NAT. In this example it is set as a "DENY" firewall policy for security purposes.
Below are the test environment and the configuration examples.
FG01 configuration
LAN settings (FG01)
FG01 (port3) # show
config system interface
    edit "port3"
        set vdom "root"
        set ip 172.16.1.254 255.255.255.0
        set allowaccess ping
        set type physical
        set snmp-index 3
        set macaddr 00:0c:29:87:90:99
    next
end
WAN settings (FG01)
FG01 (port2) # show
config system interface
    edit "port2"
        set vdom "root"
        set ip 10.1.1.1 255.255.255.0
        set allowaccess ping
        set type physical
        set snmp-index 2
        set macaddr 00:0c:29:87:90:8f
    next
end
IPsec Phase 1 settings (FG01)
FG01 (phase1-interface) # show
config vpn ipsec phase1-interface
    edit "Site-to-Site"
        set interface "port2"
        set remote-gw 10.1.1.2
        set psksecret ENC
    next
end
IPsec Phase 2 settings (FG01)
FG01 (phase2-interface) # show
config vpn ipsec phase2-interface
    edit "Site-to-Site"
        set phase1name "Site-to-Site"
    next
end
Static route settings (FG01)
FG01 (static) # show
config router static
    edit 1
        set dst 10.1.1.102 255.255.255.255
        set device "Site-to-Site"
    next
    edit 2
        set dst 10.1.1.202 255.255.255.255
        set device "Site-to-Site"
    next
end
VIP (destination NAT) settings (FG01)
FG01 (vip) # show
config firewall vip
    edit "FG01-to-FG02_VIP01"
        set uuid 9c446d74-e3e0-51e5-23f6-655d05b2a6a7
        set extip 10.16.2.100
        set extintf "port3"
        set mappedip "10.1.1.102"
    next
    edit "FG01-to-FG02_VIP02"
        set uuid aef324ec-e3e0-51e5-689e-04209afa2da1
        set extip 10.16.2.200
        set extintf "port3"
        set mappedip "10.1.1.202"
    next
    edit "FG02-to-FG01_VIP01"
        set uuid 8ec4c5bc-e4a9-51e5-033e-de1418a24742
        set extip 10.1.1.101
        set extintf "Site-to-Site"
        set mappedip "172.16.1.100"
    next
    edit "FG02-to-FG01_VIP02"
        set uuid 9fd68fac-e4a9-51e5-7663-57222dfa5fa2
        set extip 10.1.1.201
        set extintf "Site-to-Site"
        set mappedip "172.16.1.200"
    next
end
Policy settings (FG01)
FG01 (policy) # show
config firewall policy
    edit 1
        set name "VPN_FG01-to-FG02"
        set uuid f891e92a-e3e1-51e5-0e3b-91fa14308e4c
        set srcintf "port3"
        set dstintf "Site-to-Site"
        set srcaddr "all"
        set dstaddr "FG01-to-FG02_VIP01" "FG01-to-FG02_VIP02"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
    edit 2
        set name "VPN_FG02-to-FG01"
        set uuid 1b781702-e3e2-51e5-4422-9f9a73aa7fed
        set srcintf "Site-to-Site"
        set dstintf "port3"
        set srcaddr "all"
        set dstaddr "FG02-to-FG01_VIP01" "FG02-to-FG01_VIP02"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
Policy settings (FG01), GUI version
FG02 configuration
LAN settings (FG02)
FG02 (port3) # show
config system interface
    edit "port3"
        set vdom "root"
        set ip 172.16.2.254 255.255.255.0
        set allowaccess ping
        set type physical
        set snmp-index 3
        set macaddr 00:0c:29:5c:5b:53
    next
end
WAN settings (FG02)
FG02 (port2) # show
config system interface
    edit "port2"
        set vdom "root"
        set ip 10.1.1.2 255.255.255.0
        set allowaccess ping
        set type physical
        set snmp-index 2
        set macaddr 00:0c:29:5c:5b:49
    next
end
IPsec Phase 1 settings (FG02)
FG02 (phase1-interface) # show
config vpn ipsec phase1-interface
    edit "Site-to-Site"
        set interface "port2"
        set remote-gw 10.1.1.1
        set psksecret ENC
    next
end
IPsec Phase 2 settings (FG02)
FG02 (phase2-interface) # show
config vpn ipsec phase2-interface
    edit "Site-to-Site"
        set phase1name "Site-to-Site"
    next
end
Static route settings (FG02)
FG02 (static) # show
config router static
    edit 1
        set dst 10.1.1.101 255.255.255.255
        set device "Site-to-Site"
    next
    edit 2
        set dst 10.1.1.201 255.255.255.255
        set device "Site-to-Site"
    next
end
VIP (destination NAT) settings (FG02)
FG02 (vip) # show
config firewall vip
    edit "FG02-to-FG01_VIP01"
        set uuid 46de5290-e3e1-51e5-9e4c-5113ad1c3275
        set extip 10.16.1.100
        set extintf "port3"
        set mappedip "10.1.1.101"
    next
    edit "FG02-to-FG01_VIP02"
        set uuid 57875fec-e3e1-51e5-d5e3-5a9b4143d7d8
        set extip 10.16.1.200
        set extintf "port3"
        set mappedip "10.1.1.201"
    next
    edit "FG01-to-FG02_VIP01"
        set uuid 64d65868-e4a1-51e5-d56c-e5c69a51fc51
        set extip 10.1.1.102
        set extintf "Site-to-Site"
        set mappedip "172.16.2.100"
    next
    edit "FG01-to-FG02_VIP02"
        set uuid 64e18602-e4a1-51e5-1796-ec44b48db451
        set extip 10.1.1.202
        set extintf "Site-to-Site"
        set mappedip "172.16.2.200"
    next
end
Policy settings (FG02)
FG02 (policy) # show
config firewall policy
    edit 1
        set name "VPN_FG02-to-FG01"
        set uuid ec565c4e-e3e2-51e5-3259-c8c14fe0853c
        set srcintf "port3"
        set dstintf "Site-to-Site"
        set srcaddr "all"
        set dstaddr "FG02-to-FG01_VIP01" "FG02-to-FG01_VIP02"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
    edit 2
        set name "VPN_FG01-to-FG02"
        set uuid f63b1ce0-e3e2-51e5-52fa-ef83a0b4e13b
        set srcintf "Site-to-Site"
        set dstintf "port3"
        set srcaddr "all"
        set dstaddr "FG01-to-FG02_VIP01" "FG01-to-FG02_VIP02"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
Policy settings (FG02), GUI version
Verification
When a ping is run from SV01 (172.16.1.100) to SV02 (10.16.2.100, the VIP), 172.16.1.100 is source-NATed to 10.1.1.101 and 10.16.2.100 is destination-NATed to 10.1.1.102.
FG01 # diagnose debug enable
FG01 # diagnose debug flow trace start 20
id=20085 trace_id=2436 func=print_pkt_detail line=4696 msg="vd-root received a packet(proto=1, 172.16.1.100:61476->10.16.2.100:8) from port3. code=8, type=0, id=61476, seq=1207."
id=20085 trace_id=2436 func=resolve_ip_tuple_fast line=4760 msg="Find an existing session, id-0002fbcc, original direction"
id=20085 trace_id=2436 func=ipv4_fast_cb line=53 msg="enter fast path"
id=20085 trace_id=2436 func=ip_session_run_all_tuple line=5825 msg="DNAT 10.16.2.100:8->10.1.1.102:61476"
id=20085 trace_id=2436 func=ip_session_run_all_tuple line=5813 msg="SNAT 172.16.1.100->10.1.1.101:61476"
id=20085 trace_id=2436 func=ipsecdev_hard_start_xmit line=157 msg="enter IPsec interface-Site-to-Site"
id=20085 trace_id=2436 func=esp_output4 line=846 msg="IPsec encrypt/auth"
id=20085 trace_id=2436 func=ipsec_output_finish line=496 msg="send to 10.1.1.2 via intf-port2"
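To make the inbound-policy requirement concrete, here is an added Python model (not FortiOS code and not from this page) of how FG01's VIPs and policies produce the SNAT and DNAT seen in the trace above, including the fallback to the interface address when policy 2 is missing. It assumes, as a simplification, that a VIP takes part in source NAT only while a policy whose srcintf is the VIP's extintf lists it as dstaddr, and that the tunnel interface falls back to port2's address 10.1.1.1.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Vip:
    extip: str      # address presented on extintf
    extintf: str
    mappedip: str   # real host address behind the firewall

@dataclass(frozen=True)
class Policy:
    srcintf: str
    dstintf: str
    dstaddr: tuple  # names of the VIPs listed as dstaddr
    nat: bool = False

class FortiGate:
    def __init__(self, vips, policies, intf_ip):
        self.vips, self.policies, self.intf_ip = vips, policies, intf_ip
    def active_vips(self):
        # Assumption: a VIP joins SNAT only while an inbound policy references it
        return {n for p in self.policies for n in p.dstaddr
                if self.vips[n].extintf == p.srcintf}
    def snat(self, src, dstintf):
        for n in self.active_vips():
            v = self.vips[n]
            if v.mappedip == src and v.extintf == dstintf:
                return v.extip            # 1-to-1 reverse of the VIP mapping
        return self.intf_ip[dstintf]      # otherwise the interface address
    def forward(self, srcintf, src, dst):
        """Return (src, dst, dstintf) after NAT, or None if no policy matches."""
        for p in [q for q in self.policies if q.srcintf == srcintf]:
            for v in [self.vips[n] for n in p.dstaddr]:
                if v.extip == dst and v.extintf == srcintf:
                    return (self.snat(src, p.dstintf) if p.nat else src,
                            v.mappedip, p.dstintf)
        return None

# FG01's VIPs and policies from this page; 10.1.1.1 (port2) stands in for the tunnel
FG01_VIPS = {
    "FG01-to-FG02_VIP01": Vip("10.16.2.100", "port3", "10.1.1.102"),
    "FG01-to-FG02_VIP02": Vip("10.16.2.200", "port3", "10.1.1.202"),
    "FG02-to-FG01_VIP01": Vip("10.1.1.101", "Site-to-Site", "172.16.1.100"),
    "FG02-to-FG01_VIP02": Vip("10.1.1.201", "Site-to-Site", "172.16.1.200"),
}
OUTBOUND = Policy("port3", "Site-to-Site", ("FG01-to-FG02_VIP01", "FG01-to-FG02_VIP02"), nat=True)
INBOUND = Policy("Site-to-Site", "port3", ("FG02-to-FG01_VIP01", "FG02-to-FG01_VIP02"))
INTF_IP = {"Site-to-Site": "10.1.1.1", "port3": "172.16.1.254"}

def ping_sv01_to_sv02(policies):
    # SV01 (172.16.1.100) pings SV02 via VIP 10.16.2.100, entering FG01 on port3
    return FortiGate(FG01_VIPS, policies, INTF_IP).forward("port3", "172.16.1.100", "10.16.2.100")
```

With both policies present the result matches the trace (SNAT to 10.1.1.101, DNAT to 10.1.1.102); drop policy 2 and the source becomes 10.1.1.1.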