Skip to main content
pbarbieri
pbarbieri
Visitor III
September 16, 2022
Solved

VIP NAT

  • September 16, 2022
  • 1 reply
  • 5347 views

Hi,

I have to Source NAT two  voip phones connected by a LAN (A_LAN) with a Fortinet 600D firewall port to speak with a Call Manager and viceversa. I have create a VIP definition and a policy for it. After NAT process the packets sent by phones will address some GRE tunnels. I would like to know if the syntax is ok or in the VIP definition I have to add "set nat-source-vip enable" in the VIP definition or further policies in the firewall policy or use IP pools

 

---------------

VIP definition

---------------

    edit "A_VOIP_PHONE_1"

        set uuid 329a7a02-a3db-51ea-a515-68fab7d1ce5f

        set extip 10.1.180.171

        set mappedip "10.18.1.171"

        set extintf "any"

    next

    edit "A_VOIP_PHONE_2"

        set uuid 329ad952-a3db-51ea-dea5-7de08db5ef41

        set extip 10.1.180.172

        set mappedip "10.18.1.172"

        set extintf "any"

    next

----------------

Policy Definition

----------------

edit 3

        set name "A_AD_VOIP"

        set srcintf "A_LAN"

        set dstintf "GRE-AD-211" "GRE-AD-213"

        set srcaddr "A_VOIP_PHONE_1" "A_VOIP_PHONE_2"

        set dstaddr "A_CALL_MANAGER"

        set action accept

        set schedule "always"

        set service "SIP" "A_RTP"

        set nat enable

    next

 

 

thanks

Best answer by gfleming

Well for Source NAT, yes you would use policy ID 3 to configure the appropriate NAT settings (Likely dynamic one-to-one SNAT).

 

If you have a policy for traffic coming from the CallManager and you need to reach the phones (i.e. not just return traffic that was initiated by the phones) then you also need to do DNAT. This is where VIPs come into play.


See here for more info: https://docs.fortinet.com/document/fortigate/7.0.6/administration-guide/510402/static-virtual-ips

 

May I ask one question? Why do you need to use NAT here? Why can you not just route the packets directly to/from the phones?

1 reply

gfleming
Staff
gfleming
Staff
September 16, 2022

For source NAT you do not need to configure VIPs. Just set the NAT configuration in the Firewall policy for Source NAT.

 

Some more info:

https://docs.fortinet.com/document/fortigate/7.0.6/administration-guide/29961/dynamic-snat

pbarbieri
pbarbieriAuthor
Visitor III
September 16, 2022

Thanks for your support Graham!,

does this mean that can use the policy created with GRE tunnels in case modify them (I have two, one for each direction see in the example one of them), or create further policies ? 

gfleming
Staff
gflemingAnswer
Staff
September 16, 2022

Well for Source NAT, yes you would use policy ID 3 to configure the appropriate NAT settings (Likely dynamic one-to-one SNAT).

 

If you have a policy for traffic coming from the CallManager and you need to reach the phones (i.e. not just return traffic that was initiated by the phones) then you also need to do DNAT. This is where VIPs come into play.


See here for more info: https://docs.fortinet.com/document/fortigate/7.0.6/administration-guide/510402/static-virtual-ips

 

May I ask one question? Why do you need to use NAT here? Why can you not just route the packets directly to/from the phones?

Terms & ConditionsAccessibility statement