Eric_Lackey
New Member
February 17, 2015
Solved

Specify NAT source IP

  • February 17, 2015
  • 5 replies
  • 15180 views

We use VIPs to port forward traffic to our web servers. When we enable NAT on the policy, it uses the internal network interface IP address as the source IP. Is it possible to specify a secondary IP address as the NAT source rather than the interface default?




    Eric_Lackey
    New Member
    February 18, 2015

    I think I figured it out. It looks like you can use a regular dynamic IP pool for this as well.

    ede_pfau
    SuperUser
    February 18, 2015

    Hi,


    Source NAT is done via 'IP pools'. You can specify any IP address here which you want (of course, it will only make sense if it's routed back to you). You can define a subnet, a range or even a single address (/32).


    Note that in combination with a VIP you don't need to source NAT the traffic from the VIP target. The FGT will do that automatically for you, for reply traffic (obvious) and server originated traffic as well (not obvious).

    If other hosts in the VIP target subnet are to use the VIP as their source address there is an option you can set in the CLI.


    HTH.

    Eric_Lackey
    New Member
    February 18, 2015

    I noticed that it didn't require me to enable NAT on the policy to do the NAT translation on the VIP, but that seemed to be the only way to select an IP Pool (at least through the GUI in 5.2.2). Can you enable the IP Pool on the CLI without enabling NAT?


    ede_pfau (Best answer)
    SuperUser
    February 18, 2015

    It's either-or. The IP pool will only be used if you enable NAT in the policy. If you don't then the VIP will be used to mask the true source IP of that server (the server specified in the VIP).

    Again, IMO you would only use an IP pool if you either had no VIP, or if other hosts behind that interface needed source NAT.

    Eric_Lackey
    New Member
    February 18, 2015

    Thanks for your help. Just for reference, I had to use an IP Pool due to this issue > https://forum.fortinet.com/tm.aspx?m=120355. Seems to be working well as a solution.


    ashukla_FTNT
    Staff
    February 18, 2015

    Try the following under vip

    set nat-source-vip enable


    Create an outbound policy with nat enabled and check the behavior.


    ede_pfau
    SuperUser
    February 18, 2015

    Well, I wouldn't... this will enable using the VIP as the source address for all hosts crossing that policy. If you ran into trouble with 8 servers then this will not be for the better.


    Referring to your other post, I definitely think it's a bug in FortiOS. Support should have a look into that (which would mean to open a case). Or maybe, NATting via IP pool is handled differently than NATting via interface address/VIP/promiscuous VIP.
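To put ede_pfau's IP-pool explanation and ashukla_FTNT's `nat-source-vip` suggestion side by side, here is an added FortiOS CLI example of the IP-pool approach (written for this thread, not posted by anyone in it): a port-forward VIP, a single-address (/32) pool, and the outbound policy with NAT enabled that pins the web server's egress to one known source address the far end can filter on. All interface names, object names and addresses are constructed assumptions.

```text
# Added example, not from the thread: FortiOS 5.2-style CLI; all names and
# addresses are constructed (203.0.113.0/24 from RFC 5737 stands in for the
# public side, 192.168.1.0/24 for the inside).

# Port-forward VIP: 203.0.113.10:443 -> 192.168.1.10:443
config firewall vip
    edit "web-vip"
        set extip 203.0.113.10
        set extintf "wan1"
        set portforward enable
        set mappedip "192.168.1.10"
        set extport 443
        set mappedport 443
    next
end

# Single-address (/32) pool: the one source IP the server should egress from
config firewall ippool
    edit "web-snat"
        set type overload
        set startip 203.0.113.20
        set endip 203.0.113.20
    next
end

# Match only the server, so the pool does not apply to other internal hosts
config firewall address
    edit "web-server"
        set subnet 192.168.1.10 255.255.255.255
    next
end

# Outbound policy: 'set nat enable' is required before a pool is consulted
config firewall policy
    edit 0
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "web-server"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
        set ippool enable
        set poolname "web-snat"
    next
end
```

The alternative ashukla_FTNT mentions, `set nat-source-vip enable` under the VIP, makes the VIP's external IP the source for every host matching that outbound policy, which is exactly the behaviour ede_pfau cautions against. Restricting `srcaddr` to the single server object is what keeps the pool from doing the same.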

    Eric_Lackey
    New Member
    February 18, 2015

    Yep, I gave support all of the packet traces and info. Hopefully they can track it down.