Skip to main content
Jay_Libove
Jay_Libove
New Member
October 16, 2013
Question

NAT outgoing traffic behind 2nd IP on interface?

  • October 16, 2013
  • 6 replies
  • 9193 views
FortiOS 5.0.4 on a FG100D. I want to NAT traffic coming from a specific internal subnet beind the 2nd IP on a particular Internet facing interface of the FG. In the GUI, there' s two options, one I check the box for " Enable NAT" : x Use Destination Interface Address [ _ Fixed Port] _ Use Dynamic IP Pool I assume that " Use Destination Interface Address" will always use the primary IP of the destination (outgoing Internet facing) interface. Docs show that " Fixed port" relates to the source port not being changed, not to which IP is used to hide the traffic. I guess in theory I could use a Dynamic IP Pool (of the one single address, which is the 2nd IP address of the outgoing Internet facing interface), but it feels a bit off. In the CLI, I see a " set natip" option, but the docs describe that as setting up 1-to-1, and my desire here is to do typical many-to-1 NAT, just choosing a different specific 1 IP behind which to NAT all the traffic. How to? thanks! -Jay

    6 replies

    ede_pfau
    SuperUser
    ede_pfau
    SuperUser
    October 16, 2013
    Don' t hesitate, just go ahead with an IP pool of just one address - r.x.y.z/32. An IP pool is just an entry in the NAT table, there is no other action connected to it. It is doing source NAT just the way you need it here. And you' re right with assuming that ' Use Destination Interface Address' will always use the primary IP address on that interface.
    Jay_Libove
    Jay_LiboveAuthor
    New Member
    October 16, 2013
    Thanks Ede. I' ll use the ' Dynamic IP Pool' option. So, what does the ' set natip' do, if the size of the range of addresses to be hidden is much much larger than the range (or single IP address) specified in the ' set natip' command?
    ede_pfau
    SuperUser
    ede_pfau
    SuperUser
    October 16, 2013
    It will reuse the pool from the beginning, using different source ports. Each unique source then is identified by the source port used in the NAT.
    Jay_Libove
    Jay_LiboveAuthor
    New Member
    October 21, 2013
    Hi ede_pfau,
    It will reuse the pool from the beginning, using different source ports. Each unique source then is identified by the source port used in the NAT.
    I apologise, I' m still confused about the relationship between the (GUI) Enable NAT -> Use Dynamic IP Pool setting, and the (CLI) set natip setting. It sounds like they do the same thing, but they evidently configure different parameters, because the GUI Enable NAT -> Use Dynamic IP Pool setting calls on firewall objects, whereas the set natip setting takes a literal IP address (range). How do these two interact? What are the pros/cons of each, and guidance on when to choose one or the other? thanks,
    ede_pfau
    SuperUser
    ede_pfau
    SuperUser
    October 21, 2013
    No, these options do not have the same functionality, not even the same context. ' set natip' refers to NAT in an IPsec VPN policy (policy mode). If set, the source address of traffic is translated to the specified IP address (or the outbound interface' s address if ' 0.0.0.0' ) before entering the VPN tunnel. IP pools is the way to go for you. Setting it up and testing should not take longer than 10 minutes.
    Jay_Libove
    Jay_LiboveAuthor
    New Member
    October 28, 2013
    Thanks very much Ede. I wish this stuff were easier to find and understand in the FortiNet docs :-( -Jay
    Terms & ConditionsAccessibility statement