jsr
New Member
March 16, 2020
Question

Fortigate One-to-One Natting for Internal Server

  • March 16, 2020
  • 1 reply
  • 5735 views

Hi All,

A small query. We have a scenario where we have to do one-to-one NAT for our trusted-zone server IPs on a Fortigate firewall.

E.g. the servers' actual IPs: 10.10.10.100/24, 10.10.10.150/24, 10.10.10.200/24, 10.10.10.250/24

We have taken a pool for NATting, which is: 192.168.100.0/24

We would like to NAT as follows:

  • Server-1 (10.10.10.100) with 192.168.100.100
  • Server-2 (10.10.10.150) with 192.168.100.150
  • Server-3 (10.10.10.200) with 192.168.100.200
  • Server-4 (10.10.10.250) with 192.168.100.250

Do we need to configure any gateway for the NAT subnet (i.e. 192.168.100.0/24), or can we directly go and NAT one-to-one, or is anything additional needed on the Fortigate?

I know that at the remote end we have to do routing for 192.168.100.0/24 towards the Fortigate end.

Diagram attached for reference.


    Toshi_Esumi
    SuperUser
    March 16, 2020

    I sense something isn't right in your description. Why do those servers' access IPs need to be in the same subnet as all the clients? That's very unusual. And it might cause routing issues on the remote-end router (even if not right now, then in the future when somebody inherits the management of the network).

    With the FGT, you just need to set DNAT (VIP) for those 4 IPs.

    ede_pfau
    SuperUser
    March 16, 2020

    "NATting is poor man's routing", one of my beliefs. Not always, but often.

    In fact, this setup would usually be solved with plain routing. An exact 1:1 NAT in both directions (DNAT and SNAT) is not so simple. There is a KB article about using VIPs for this.
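The VIP-based setup that Toshi_Esumi and ede_pfau refer to, written out as an added example (not from the thread, nor from a Fortinet KB article); the interface names "internal" and "wan1" and the VIP names are assumptions, while the address pairs are the ones from the question:

```text
# Added example, not from the thread. Assumes interface names "internal" (servers)
# and "wan1" (towards the remote end). Nothing on the FortiGate needs an address or
# gateway in 192.168.100.0/24: the remote router routes that prefix to wan1.
config firewall vip
    edit "VIP_Server-1"
        set extintf "wan1"
        set extip 192.168.100.100
        set mappedip "10.10.10.100"
        set nat-source-vip enable
    next
    edit "VIP_Server-2"
        set extintf "wan1"
        set extip 192.168.100.150
        set mappedip "10.10.10.150"
        set nat-source-vip enable
    next
    edit "VIP_Server-3"
        set extintf "wan1"
        set extip 192.168.100.200
        set mappedip "10.10.10.200"
        set nat-source-vip enable
    next
    edit "VIP_Server-4"
        set extintf "wan1"
        set extip 192.168.100.250
        set mappedip "10.10.10.250"
        set nat-source-vip enable
    next
end
config firewall policy
    edit 1
        set srcintf "wan1"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "VIP_Server-1" "VIP_Server-2" "VIP_Server-3" "VIP_Server-4"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 2
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end
```

Policy 1 covers the inbound DNAT; policy 2 with `set nat enable` plus the static-NAT VIPs (reinforced by `nat-source-vip`) makes each server's outbound traffic leave as its own 192.168.100.x address, which is the bidirectional 1:1 mapping ede_pfau mentions. `service "ALL"` and `srcaddr "all"` only keep the example short; in production restrict them to the ports the servers actually publish and to the four server addresses.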

    jsr (Author)
    New Member
    March 17, 2020

    :-)) Yeah, I know... But this is the requirement.

    Could you please suggest whether any gateway needs to be configured for the NAT IP pool, or whether we can straight away go for one-to-one DNAT (VIP)?