peanut
New Member
September 10, 2015
Solved

Source Address after NAT wrong


Hi

I migrated over to my HA Fortigate 100D setup from my Cisco Router.

What I have noticed is that, with external requests going to my internal NAT server, it is showing that the external connection is made from the VLAN interface IP address instead of the original external source IP.

This is a bit frustrating because some Linux machines behind the Fortigates are blacklisting the interface address due to failed hack attempts, because it all seems to come from one address -- hope this makes sense.

So an external request looks like it's coming from the interface address 192.168.30.254 and not the original source public address of 41.xxx.xxx.xxx etc.

Hope this is just me making a noob mistake on the new toys...



    gschmitt (Answer)
    New Member
    September 10, 2015

    Go to Policy & Objects > IPv4 > Policies and look for your WAN to VLAN/internal policy.

    Double-click it.

    Set NAT to OFF.

    NAT, or Network Address Translation, literally takes the TCP/UDP packet and replaces the source address with a set (or the interface's) IP address.

    This is useful when going into external networks, i.e. when I access a website I want my NAT device to exchange my 192.168.1.1 IP with my external 88.77.66.55 IP, or the web server will ignore my request since 192.168.1.1 is a private IP and the packet (martian packet) literally can't find its way back to me and will be discarded.

    But on external > internal policies it's best to leave it off, so the original IP will be transmitted.
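
A quick check for the symptom described in the question, added here as an example that is not part of the original thread: it counts failed SSH logins per source and flags RFC 1918 addresses that would reach a ban threshold, which is what a server sees while source NAT is still on for the inbound policy. The OpenSSH log format, the sample lines and the threshold of 3 are assumptions.

```python
import ipaddress
import re
from collections import Counter

# Constructed sshd log lines (not from the thread). The first three show what
# a server behind the firewall logs while the inbound policy still has NAT on.
SAMPLE_LOG = """\
Sep 10 09:14:01 web1 sshd[2101]: Failed password for root from 192.168.30.254 port 50112 ssh2
Sep 10 09:14:03 web1 sshd[2103]: Failed password for invalid user admin from 192.168.30.254 port 50118 ssh2
Sep 10 09:14:07 web1 sshd[2107]: Failed password for root from 192.168.30.254 port 50131 ssh2
Sep 10 09:15:40 web1 sshd[2140]: Failed password for root from 203.0.113.77 port 41822 ssh2
Sep 10 09:16:02 web1 sshd[2144]: Accepted password for deploy from 192.168.30.17 port 60222 ssh2
"""

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
FAILED = re.compile(r"Failed password for (?:invalid user )?\S+ from (\S+) port \d+")


def failed_sources(log_text):
    """Count failed-login attempts per source address."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if m:
            counts[m.group(1)] += 1
    return counts


def masked_sources(counts, min_failures=3):
    """Return (address, failures) for private sources at or above the threshold.

    Repeated failures from an RFC 1918 address usually mean an upstream device
    rewrote the source, so a ban on it would block every client behind that
    device. min_failures is a hypothetical ban threshold.
    """
    flagged = []
    for addr, n in counts.items():
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            continue  # hostname or malformed field, skip it
        if n >= min_failures and any(ip in net for net in RFC1918):
            flagged.append((addr, n))
    return sorted(flagged)


if __name__ == "__main__":
    for addr, n in masked_sources(failed_sources(SAMPLE_LOG)):
        print(f"{addr}: {n} failed logins from a private address; check NAT on the inbound policy")
```
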

    peanut (Author)
    New Member
    September 10, 2015

    Thank you!!

    Knew it was something easy.