Technical Tip: Use of IPPool to NAT traffic with a different IP than the FortiGate public (external) IP address

Example:

The following addresses are used in this example:

• FortiGate WAN interface (port1) external IP : 192.168.183.110
• Another IP address (192.168.183.111) is provided by the ISP and that must be used to source NAT the traffic of the configuration:

                                           External IP 192.168.183.110
              10.160.1.10      port2       port1
[ INTERNAL SERVER ]===[ FortiGate ]==={ Internet }
                                           Source NAT
                                           to 192.168.183.111

CLI Configuration:

config system interface
    edit "port1"
        set ip 192.168.183.110 255.255.254.0
end

config firewall ippool
    edit "Server_EXT_IP"
        set endip 192.168.183.111
        set startip 192.168.183.111
end

config firewall policy
    edit 1
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set ippool enable
        set poolname "Server_EXT_IP"
        set schedule "always"
        set service "ANY"
        set nat enable
end

Verification with a sniffer trace (on HTTP traffic for example).

FGT # diagnose sniffer packet any "port 80" 4
30.690038 port2 in 10.160.1.10.1310 -> 192.168.183.254.80: syn 2092282704
30.690106 port1 out 192.168.183.111.58810 -> 192.168.183.254.80: syn 2092282704

The output shows that the traffic egressing through port1 is sourced with the IP address defined the IP Pool and Firewall Policy.

Note:
FortiGate supports 4 types of IPPool including overload, one-to-one, fixed port range and port block allocation. Refer to this document for more information: Technical Tip: How to configure SNAT with IP pool - Fortinet Community.