laf
New Member
October 19, 2015
Question

Fixed NAT pool

  • October 19, 2015
  • 1 reply
  • 7620 views

Hi guys,


I set up a firewall rule with a fixed range of IP addresses as the source, a large group of IPs as the destination, and NAT (SNAT) using a fixed range of IP addresses too.


The two ranges of IPs are equal:


Here's the FW rule:

config firewall policy
    edit 53
        set srcintf "LANs"
        set dstintf "VPNinterface"
        set srcaddr "LAN_pool"
        set dstaddr "VPN_ENC"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
        set fixedport enable
        set ippool enable
        set poolname "VPN_pool"
    next
end


Here are the object definitions:

config firewall address
    edit "LAN_pool"
        set type iprange
        set associated-interface "LANs"
        set start-ip 172.25.3.196
        set end-ip 172.25.3.209
    next
end

config firewall ippool
    edit "VPN_pool"
        set type one-to-one
        set startip 192.168.3.196
        set endip 192.168.3.209
    next
end


How can I make sure 172.25.3.199 always uses 192.168.3.199, and so on (.200 to .200, ...)?


Thanks in advance!

P.S. I found this in the KB, but I still find it a bit weird. Has anyone used it?

    1 reply

    rwpatterson
    New Member
    October 19, 2015

    I used it in the past, a very long time ago. It worked as designed. If it would help you sleep better at night, make IP reservations ensuring that the right IPs are associated with the right MACs and only those units will get out with their IP addresses.

    laf (Author)
    New Member
    October 19, 2015

    Thanks Bob, always on duty here!


    Now I downloaded Fortigate-CLI 5.2 and found this on page 124:


    type {one-to-one | overload | fixed-port-range | port-block-allocation}

    Select the type of IP pool:

    one-to-one — one-to-one mapping

    overload — clients can share pool IP addresses

    fixed-port-range — fixed mapping of source-startip / source-endip range to startip / endip range.


    Now what do you think of this configuration:

    config firewall ippool
        edit "VPN_pool"
            set type fixed-port-range
            set startip 192.168.3.196
            set endip 192.168.3.209
            set source-startip 172.25.3.196
            set source-endip 172.25.3.209
        next
    end


    Will it work?

    It's 7 pm here, and although I placed a sniffer, I can't see any traffic as people have left the office.
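As an added illustration (this is not part of the thread and not Fortinet code), here is a small Python script that models the fixed-port-range behaviour quoted from the CLI reference above: it parses the proposed pool definition, maps the N-th address of the source range to the N-th address of the pool range, and checks that .199 lands on .199 for every host. The positional mapping, the tiny `set key value` parser and the function names are assumptions made for the model; only the configuration values are taken from the thread. It also rejects the original one-to-one pool, which carries no source range and so cannot express a fixed pairing.

```python
import ipaddress
import re

# Constructed sample: the fixed-port-range pool proposed in the thread,
# written out in FortiOS CLI form (one entry of "config firewall ippool").
SAMPLE_IPPOOL_CLI = """
config firewall ippool
    edit "VPN_pool"
        set type fixed-port-range
        set startip 192.168.3.196
        set endip 192.168.3.209
        set source-startip 172.25.3.196
        set source-endip 172.25.3.209
    next
end
"""

# Constructed sample: the original one-to-one pool from the first post,
# which carries no source range at all.
SAMPLE_ONE_TO_ONE_CLI = """
config firewall ippool
    edit "VPN_pool"
        set type one-to-one
        set startip 192.168.3.196
        set endip 192.168.3.209
    next
end
"""


def parse_ippool(cli_text):
    """Collect the 'set <key> <value>' lines of a single ippool entry into a dict.

    Assumption: only the flat key/value form used in the thread is handled;
    nested config blocks are out of scope for this helper.
    """
    settings = {}
    for m in re.finditer(r'^\s*set\s+(\S+)\s+(.+?)\s*$', cli_text, re.MULTILINE):
        settings[m.group(1)] = m.group(2).strip('"')
    name = re.search(r'^\s*edit\s+"?([^"\n]+?)"?\s*$', cli_text, re.MULTILINE)
    settings["name"] = name.group(1) if name else None
    return settings


def expand_range(start_ip, end_ip):
    """Return every IPv4 address from start_ip to end_ip inclusive."""
    start = int(ipaddress.IPv4Address(start_ip))
    end = int(ipaddress.IPv4Address(end_ip))
    if end < start:
        raise ValueError(f"range end {end_ip} precedes start {start_ip}")
    return [ipaddress.IPv4Address(n) for n in range(start, end + 1)]


def fixed_port_range_map(pool):
    """Model the documented fixed-port-range pool as a positional mapping.

    Assumption (a model, not Fortinet's implementation): the N-th address of
    source-startip..source-endip is translated to the N-th address of
    startip..endip. With equal-sized ranges that is the strict 1:1 result the
    thread asks for; unequal sizes are rejected so the mismatch is noticed
    before the policy goes live.
    """
    if pool.get("type") != "fixed-port-range":
        raise ValueError(f"pool type {pool.get('type')!r} has no source range to map")
    src = expand_range(pool["source-startip"], pool["source-endip"])
    dst = expand_range(pool["startip"], pool["endip"])
    if len(src) != len(dst):
        raise ValueError(
            f"source range holds {len(src)} addresses but pool holds {len(dst)}; "
            "a strict 1:1 mapping needs equal sizes"
        )
    return {str(s): str(d) for s, d in zip(src, dst)}


def host_octet_mismatches(mapping):
    """List (source, translated) pairs whose last octet differs.

    An empty list means every host number survived the translation, which is
    exactly the '.199 must always become .199' requirement from the question.
    """
    return [
        (s, d) for s, d in mapping.items()
        if s.rsplit(".", 1)[1] != d.rsplit(".", 1)[1]
    ]


if __name__ == "__main__":
    pool = parse_ippool(SAMPLE_IPPOOL_CLI)
    mapping = fixed_port_range_map(pool)
    for src, dst in mapping.items():
        print(f"{src:>15} -> {dst}")
    print("host octet preserved for all:", not host_octet_mismatches(mapping))
```

Running the script prints the fourteen pairs 172.25.3.196 -> 192.168.3.196 through 172.25.3.209 -> 192.168.3.209. Pasting a candidate pool into `SAMPLE_IPPOOL_CLI` before committing it is a cheap way to catch an off-by-one in `source-endip` or `endip`, which would silently shift every translated address by one host.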