FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
rahulkaushik-22
Article Id 327500
Description This article describes how to source NAT into an outgoing interface IP when a VIP exists.
Scope All supported versions of FortiGate.
Solution

Virtual IPs can affect an outbound NAT, even when they are not selected in an outbound firewall policy. 

If no virtual IPs are configured, FortiGate applies traditional outbound NAT to connections from private IP addresses to public network IP addresses. 

However, if virtual IP configurations exist, the FortiGate uses the virtual IPs' inbound NAT mappings in reverse to apply outbound NAT, so that the IP address mappings for inbound and outbound traffic are symmetric.

When the VIP is configured on any interface: see this article on reverse SNAT and the nat-source-vip option.

When the VIP is configured on a specific interface and nat-source-vip is disabled, the firewall uses the outgoing interface IP for SNAT rather than the VIP.

For example:

Topology:

Client: 10.10.10.2 -------------(10.10.10.1)port1FGT--DMZ(10.10.20.1)-----------------Server (10.10.20.2)

config firewall vip
    edit "DMZ-Server"
        set type static-nat
        set extip 10.10.10.1
        set mappedip "10.10.20.2"
        set extintf "internal" <- VIP on the internal interface.
        set nat-source-vip disable <- Disabled.
        set portforward disable
    next
end

Relevant firewall policy where NAT is enabled using the outgoing interface IP:

config firewall policy
    edit 2
        set name "LAN-Internet"
        set uuid 97390420-3f94-51ef-29d6-9e2a2d4a937d
        set srcintf "DMZ-Server"
        set dstintf "virtual-wan-link"
        set action accept
        set srcaddr "DMZ_Server"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set nat enable <- NAT uses the outgoing interface IP.
    next
end

The following sniffer output shows that, with nat-source-vip disabled, the traffic was SNATed to the outgoing interface IP rather than to the VIP:

dia sniffer packet any ' host 1.1.1.1 and icmp' 4 20
interfaces=[any]
filters=[ host 1.1.1.1 and icmp]
1.005127 DMZ-Server in 10.10.20.2 -> 1.1.1.1: icmp: echo request
1.005159 wan2 out 10.9.32.5 -> 1.1.1.1: icmp: echo request
1.015775 wan2 in 1.1.1.1 -> 10.9.32.5: icmp: echo reply
1.015791 DMZ-Server out 1.1.1.1 -> 10.10.20.2: icmp: echo reply

This is useful when an IP pool cannot be created because the outgoing interface IP is dynamic.
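As an added check that is not part of the original article, the following Python parses the sniffer output shown above and reports which address the FortiGate used as the SNAT source for the internal host, classifying it as the VIP extip or an interface IP. It assumes 10.9.32.5 is the wan2 interface IP (as the article's sniffer shows) and 10.10.10.1 is the VIP extip.

```python
import re
from dataclasses import dataclass

# Constructed sample: the four packet lines from the article's sniffer capture.
SNIFFER_OUTPUT = """\
interfaces=[any]
filters=[ host 1.1.1.1 and icmp]
1.005127 DMZ-Server in 10.10.20.2 -> 1.1.1.1: icmp: echo request
1.005159 wan2 out 10.9.32.5 -> 1.1.1.1: icmp: echo request
1.015775 wan2 in 1.1.1.1 -> 10.9.32.5: icmp: echo reply
1.015791 DMZ-Server out 1.1.1.1 -> 10.10.20.2: icmp: echo reply
"""

# Matches "<ts> <interface> <in|out> <src> -> <dst>:" at the start of a packet line.
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<intf>\S+)\s+(?P<dir>in|out)\s+"
    r"(?P<src>[\d.]+)\s+->\s+(?P<dst>[\d.]+):"
)

@dataclass
class Packet:
    ts: float
    intf: str
    direction: str
    src: str
    dst: str

def parse_sniffer(text):
    """Parse 'diagnose sniffer packet' verbosity-4 lines; header lines are skipped."""
    pkts = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            pkts.append(Packet(float(m["ts"]), m["intf"], m["dir"], m["src"], m["dst"]))
    return pkts

def snat_source(pkts, internal_host, egress_intf):
    """Return the source IP used on egress_intf for a flow that entered from internal_host."""
    inbound = [p for p in pkts if p.direction == "in" and p.src == internal_host]
    outbound = [p for p in pkts if p.direction == "out" and p.intf == egress_intf]
    for i in inbound:
        for o in outbound:
            if o.dst == i.dst and o.ts >= i.ts:  # same destination, seen after ingress
                return o.src
    return None

def classify_snat(source_ip, vip_extip, interface_ips):
    """'vip' if the VIP extip was used (reverse VIP NAT), 'interface' if an interface IP was."""
    if source_ip == vip_extip:
        return "vip"
    if source_ip in interface_ips.values():
        return "interface"
    return "unknown"
```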