Description | This article describes the steps for resolving the error 'Cannot enable central-nat error with firewall policy using ippool'. |
Scope | FortiGate. |
Solution |
Central NAT cannot be enabled while any firewall policy on the FortiGate references an IP Pool. If an IP Pool is configured and referenced in a firewall policy, the 'Cannot enable central-nat' error is shown when attempting to enable central-nat.
The error message includes the ID of the policy in which the IP Pool is referenced. If multiple IP Pools are configured, the number of references to each pool can be viewed under 'Policy & Objects -> IP Pools'.
Selecting the reference count lists every policy in which that IP Pool is used, which makes it easy to locate those policies and remove the IP Pool from them.
This error is expected: enabling Central NAT changes how VIPs and IP Pools are applied (they are configured in the central SNAT and DNAT tables instead of per policy), so every reference to these objects in firewall policies must be removed before Central NAT is configured.
A similar error appears if a VIP is used in any firewall policy.
Once every VIP and IP Pool reference has been removed from the firewall policies, run the following commands; central-nat should then enable without an error message.
FGT # config sys settings
FGT (settings) # set central-nat enable
FGT (settings) # end
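As an added example that is not part of the Fortinet article, the following Python script performs the pre-check described above offline: it parses a FortiOS configuration dump (the text produced by 'show full-configuration' or a configuration backup) and lists every firewall policy that still references an IP Pool (via 'set poolname') or a VIP or VIP group (via 'set dstaddr'). The configuration text in SAMPLE_CONFIG is constructed for illustration; the table names 'firewall vip', 'firewall vipgrp', 'firewall ippool' and 'firewall policy' and the attribute names are the standard FortiOS ones. Any policy it reports must be cleaned up before 'set central-nat enable' will succeed.

```python
"""Pre-check for enabling central NAT on a FortiGate (added example).

Parses a FortiOS configuration dump and lists every firewall policy that
still references an IP pool (set poolname) or a VIP / VIP group
(set dstaddr). Those references are what make 'set central-nat enable'
fail. SAMPLE_CONFIG below is a constructed configuration, not a real one.
"""
import shlex

SAMPLE_CONFIG = """\
config firewall vip
    edit "web-vip"
        set extip 203.0.113.10
        set mappedip "10.0.0.10"
    next
end
config firewall ippool
    edit "pool1"
        set startip 203.0.113.50
        set endip 203.0.113.60
    next
end
config firewall policy
    edit 1
        set name "lan-to-wan"
        set srcintf "port2"
        set dstintf "port1"
        set dstaddr "all"
        set nat enable
        set ippool enable
        set poolname "pool1"
    next
    edit 2
        set name "wan-to-web"
        set srcintf "port1"
        set dstintf "port2"
        set dstaddr "web-vip"
    next
    edit 3
        set name "plain-snat"
        set srcintf "port2"
        set dstintf "port1"
        set dstaddr "all"
        set nat enable
    next
end
"""


def parse_tables(text):
    """Return {table: {entry_id: {attribute: [values]}}} for every top-level
    'config ... end' block. Only each entry's own 'set' lines are kept;
    sub-tables nested inside an entry are skipped."""
    tables = {}
    table = entry = None
    depth = 0  # nesting of 'config' blocks inside the current entry
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        tokens = shlex.split(line)  # handles FortiOS double-quoted values
        cmd = tokens[0]
        if table is None:                      # outside any table
            if cmd == "config":
                table = " ".join(tokens[1:])
                tables.setdefault(table, {})
        elif entry is None:                    # in a table, outside an entry
            if cmd == "edit":
                entry = tokens[1]
                tables[table][entry] = {}
            elif cmd == "end":
                table = None
        elif cmd == "config":                  # sub-table inside an entry
            depth += 1
        elif cmd == "end" and depth > 0:
            depth -= 1
        elif depth == 0:
            if cmd == "set":
                tables[table][entry][tokens[1]] = tokens[2:]
            elif cmd == "next":
                entry = None
    return tables


def central_nat_blockers(text):
    """Return [(policy_id, reason), ...] for every firewall policy that
    references an IP pool or a VIP; all must be removed before
    'config system settings' / 'set central-nat enable' succeeds."""
    tables = parse_tables(text)
    vips = set(tables.get("firewall vip", {})) | set(tables.get("firewall vipgrp", {}))
    blockers = []
    for pid, attrs in tables.get("firewall policy", {}).items():
        for pool in attrs.get("poolname", []):
            blockers.append((pid, f"IP pool '{pool}' in poolname"))
        for addr in attrs.get("dstaddr", []):
            if addr in vips:
                blockers.append((pid, f"VIP '{addr}' in dstaddr"))
    return blockers


if __name__ == "__main__":
    for pid, reason in central_nat_blockers(SAMPLE_CONFIG):
        print(f"policy {pid}: {reason}")
```

Run against a saved backup (read the file into a string and pass it to central_nat_blockers) and the output is the same list of policy IDs the GUI reference view would show; policy 3 in the sample, which uses plain interface SNAT without an IP Pool, is correctly not reported.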