71F6B385D38F
New Member
November 29, 2016
Solved

WAN Interface with multiple IP addresses, VIPs and outbound NAT


Hi,

see attachment for an overview of my scenario. Using Fortigate 92D on 5.4.1. Configuration was done via GUI.

I have one WAN interface with multiple public IP addresses available and a DMZ with a few servers that all listen on 443, plus SSL VPN listening on the primary address (10.10.10.116). I configured 4 additional secondary IP addresses on the WAN interface (10.10.10.117 - 10.10.10.120). I created VIPs to map those addresses to the internal addresses of my servers, and inbound IPv4 policies to allow traffic on those VIPs. Everything is working so far as intended.

Now I'm trying to configure outbound NAT for those servers, and this is where I'm not sure which configuration would be considered best practice. I would like all outbound traffic of each server to be NATed to the same IP address that is used for the inbound VIPs (10.10.10.117 - 10.10.10.120).

  • I created 4 overload IP Pools (one for each external address)
  • I created 4 IPv4 Policies DMZ -> WAN, from the internal IP addresses to any, NAT enabled using the corresponding IP Pool
  • I placed those policies above the less specific outbound NAT-enabled policies

Is this considered best practice? It seems to accomplish what I want, one dedicated external IP address for all inbound / outbound traffic per server on the same WAN interface.

I'm asking because I'm not sure if it's okay to configure an IP pool for the same IP address that is configured as a secondary IP address on an interface.

If I do not configure any secondary IP addresses on the interface and configure an overload IP pool e.g. for 10.10.10.126/32, I can't use this IP address as a secondary IP address anymore, because I get the following error message (via GUI):

If I set the secondary IP first and create the IP pool later, I don't get an error message. So it seems that I have "tricked" the GUI by accident.

Any advice would be greatly appreciated!

Thanks

Best answer by Nils

But it's not wrong to configure NAT-pools the way you did, the result is the same.

So keep it as it is, if it's working.

Just don't add any secondary IP addresses on the physical interface.

Nils
New Member
November 29, 2016

Why are you creating a secondary IP-address on the interface?

I know there's a command under the VIP in CLI that makes your servers use that VIP address for outgoing traffic as well. Here it is: "set nat-source-vip enable".

Not sure if this command applies to 5.4.

71F6B385D38F
New Member
November 29, 2016

Hi,

I configured secondary IP addresses, because I assumed I had to in order to create VIPs.

Will nat-source-vip enable apply to all outgoing traffic, or just the ports configured in the VIP?

Nils
New Member
November 29, 2016

Alright, when you create a VIP you also make the Firewall listen to that IP on the port you specify in the VIP.

It also replies to ARP for that IP, so you don't have to create a secondary IP.

Ah, you created Port-forwarding?

This command should make a 1:1 Static NAT, so I'm not sure if you should use it in combination with port-forwarding.