sajiby3k
New Member
January 2, 2019
Question

Fortigate own ip and source nat

  • January 2, 2019
  • 2 replies
  • 12489 views

I have a very simple setup. One FortiGate with 2 interfaces: lan - 192.168.2.1/24 and wan with an IP of, for example, 172.34.1.1. For reaching the internet from lan I have created the firewall policy with source NAT. It works. I want to test it from the FortiGate's own IP. When I do

execute ping-options source 192.168.2.1
execute ping 8.8.8.8

I am getting no reply. From debug and packet capture I am seeing that source NAT is not applied. Is it intended by design that the FortiGate's own IP is excluded from NAT? Or am I missing something?
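As an added illustration (not from the original post), this is the LAN-to-WAN policy the question describes, followed by the self-originated ping test and a sniffer check that shows whether the packets leaving the wan interface still carry 192.168.2.1 as their source. Interface names "lan" and "wan", policy ID 1 and the address objects are assumptions.

```fortios
# Assumed interface names and policy ID; the policy applies SNAT to forwarded traffic from lan to wan.
config firewall policy
    edit 1
        set name "lan-to-internet"
        set srcintf "lan"
        set dstintf "wan"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end

# Self-originated test from the LAN interface address (as in the question).
execute ping-options source 192.168.2.1
execute ping 8.8.8.8

# Capture on the wan interface while the ping runs. Verbosity 4 prints interface
# names and IP headers; an untranslated packet shows "192.168.2.1 -> 8.8.8.8",
# a translated one shows the wan address (172.34.1.1 in the question) as source.
diagnose sniffer packet wan 'icmp and host 8.8.8.8' 4 10

# Forwarded traffic from a LAN host is what actually matches policy 1; the session
# table shows the NAT entry for it, which is the easiest way to confirm the policy works.
diagnose sys session filter dst 8.8.8.8
diagnose sys session list
```

The sniffer output is the deciding check: if the captured source address is still 192.168.2.1 on the wan interface, the FortiGate sent its own traffic without applying the policy's NAT, which matches what the question reports.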

    2 replies

    sajiby3k
    sajiby3kAuthor
    New Member
    January 24, 2019

    Can't anyone help me with this information?

    ede_pfau
    SuperUser
    January 24, 2019

    No, of course that's not intended.

    I am puzzled as to what is causing this. Selecting the source IP address tells the FGT which interface to use and which route. Actually, I have no idea how SNAT is applied then but it works every time without special configuration.


    Please double check that you specify the (LAN) interface IP as source IP.

    rwpatterson
    New Member
    January 24, 2019

    I was under the impression that the source IP field populated the source IP (duh), and then attempted to get to whatever destination from that interface. Since the default gateway out is on another interface, I would believe that the traffic MAY flow out the 172.x.x.x interface, but not being translated and the bogon is dropped by the ISP. LAN traffic on the 192.168.x.x network is passing the policies and being NATted so they work. The FGT isn't using the policies, so PINGs fail. In my mind, works as expected.

    Zedisdead
    New Member
    November 25, 2024

    VPN, SNAT with a policy, testing from the box fails, because the box is not applying ANY policy to its own traffic, which is stupid, because I have no option to test stuff from the box itself even if I specify the source interface or IP.
    Firewall checks my traffic: "Oh.. What is this... Traffic from this source IP, that has a FW policy with SNAT pool attached? Oh, I know, let's just blast it out of an interface that has the route to it, without hitting any policy, because why not?!"