FortiGate
vpalli
Staff
Description:

This article demonstrates how a VIP's external IP address can be used to perform Source NAT (SNAT) when Central NAT is enabled. Virtual IPs are normally used to map an external (public) IP address to an internal (private) IP address for Destination NAT (DNAT); sourcing the mapped host's own outbound traffic from the VIP's external IP is the reverse direction and, under Central NAT, requires one extra setting on the VIP.

Scope:

FortiGate.

Solution:

Topology:

HOST <-----> (LAN) FortiGate (WAN) <-----> Internet

 

SNAT with VIP and Central-NAT enabled:

CLI configuration:

1) Enable Central NAT.
# config system settings
set central-nat enable
end


2) Address object for the HOST.

# config firewall address
    edit "HOST"
        set subnet 10.185.3.199 255.255.255.255
    next
end


3) A firewall policy to allow Internet access for the HOST. With Central NAT enabled, the policy itself carries no NAT setting; whether and how the traffic is source-translated is decided by the central SNAT rule in the next step.

# config firewall policy
    edit 1
        set srcintf "lan"
        set dstintf "wan"
        set srcaddr "HOST"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
 

4) Central SNAT rule matching the HOST's traffic toward the WAN. On its own, this rule translates the source to the outgoing interface address (or to an IP pool, if one is assigned with 'set nat-ippool'); the VIP setting below is what makes FortiGate use the VIP's external IP instead.

# config firewall central-snat-map
    edit 1
        set orig-addr "HOST"
        set srcintf "lan"
        set dst-addr "all"
        set dstintf "wan"
    next
end

 

IMPORTANT:

With Central NAT enabled, the central SNAT rule alone never picks the VIP's external IP. 'nat-source-vip' must be enabled on the VIP for FortiGate to perform Source NAT with the VIP's external IP address for traffic generated by the HOST (the VIP's mapped IP). This setting only changes the source address of the HOST's outbound traffic; inbound connections to the VIP are still accepted only by a separate firewall policy from "wan" to "lan" that references the VIP as its destination address.

# config firewall vip
    edit "VIP"
        set extip 20.1.2.3
        set extintf "wan"
        set nat-source-vip enable
        set srcintf-filter "lan"
        set mappedip "10.185.3.199"
    next
end

 

Debug Log Verification ('diagnose debug flow' output for the HOST's ping to 8.8.8.8):

id=20085 trace_id=1132 func=fw_forward_handler line=749 msg="Allowed by Policy-1: SNAT"
id=20085 trace_id=1132 func=__ip_session_run_tuple line=3226 msg="SNAT 10.185.3.199->20.1.2.3:1"

Sniffer result ('diagnose sniffer packet' output for the same ping):

4.682034 lan in 10.185.3.199 -> 8.8.8.8: icmp: echo request
4.682148 wan1 out 20.1.2.3 -> 8.8.8.8: icmp: echo request

Note:

When port-forwarding is enabled on the VIP, the VIP's external IP is used for SNAT only when the protocol of the HOST-generated traffic matches the VIP's protocol and its source port falls within the external port range configured on the VIP. Otherwise the central SNAT rule falls back to the outgoing interface IP.

Example 1:
A port-forwarding VIP translates TCP port 80 to 80, and the HOST generates TCP traffic with a dynamic source port. The source port is outside the VIP's port range, so SNAT is performed with the outgoing interface IP and NOT the VIP's external IP.
[10.185.3.199:62189->8.8.8.8:80] - SNAT will be performed with the outgoing interface IP.

Example 2:
A port-forwarding VIP translates TCP ports 1-65535 to 1-65535, and the HOST generates TCP traffic with a dynamic source port. Every source port falls within the range, so SNAT is performed with the VIP's external IP.
[10.185.3.199:62189->8.8.8.8:80] - SNAT will be performed with the VIP's external IP.

Example 3:
A port-forwarding VIP translates TCP ports 1-65535 to 1-65535, and the HOST generates UDP traffic. The protocol does not match the VIP's, so SNAT is performed with the outgoing interface IP and NOT the VIP's external IP.
[10.185.3.199:62189->8.8.8.8:53] - SNAT will be performed with the outgoing interface IP.
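The following is an added example, not part of the original article and not Fortinet code: a small Python model of the SNAT source-selection rule described in the IMPORTANT section and the Note above (nat-source-vip, protocol match, source port within the VIP's external port range), plus a check that parses the SNAT line from 'diagnose debug flow' output to confirm which address the FortiGate actually used. The VIP, host and debug line are taken from this article; the WAN interface address 192.0.2.1, the class names and the function names are assumptions made for this example.

```python
# Added example (not from the original article or any Fortinet code): models the
# rule by which a central SNAT rule picks the VIP's external IP or the outgoing
# interface IP, and checks it against 'diagnose debug flow' SNAT lines.
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

WAN_IF_IP = "192.0.2.1"  # assumed address of the outgoing "wan" interface (not given on the page)


@dataclass(frozen=True)
class Vip:
    extip: str                                  # 'set extip'
    mappedip: str                               # 'set mappedip'
    nat_source_vip: bool = False                # 'set nat-source-vip enable'
    portforward: bool = False                   # 'set portforward enable'
    protocol: str = "tcp"                       # 'set protocol', only used with portforward
    extport: Optional[Tuple[int, int]] = None   # 'set extport', external port range (low, high)


@dataclass(frozen=True)
class Flow:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    protocol: str   # "tcp", "udp" or "icmp"


def expected_snat_source(flow: Flow, vip: Vip, outgoing_if_ip: str = WAN_IF_IP) -> str:
    """Address the central SNAT rule is expected to use for this flow.

    The VIP's external IP is used only when nat-source-vip is enabled, the flow
    comes from the VIP's mapped IP and, for a port-forwarding VIP, the protocol
    matches and the source port lies inside the VIP's external port range.
    In every other case the outgoing interface IP is used.
    """
    if not vip.nat_source_vip or flow.src_ip != vip.mappedip:
        return outgoing_if_ip
    if vip.portforward:
        if vip.extport is None or flow.protocol != vip.protocol:
            return outgoing_if_ip
        low, high = vip.extport
        if not low <= flow.src_port <= high:
            return outgoing_if_ip
    return vip.extip


# Matches the SNAT line printed by 'diagnose debug flow', e.g.
#   msg="SNAT 10.185.3.199->20.1.2.3:1"
SNAT_RE = re.compile(r'msg="SNAT (?P<orig>[\d.]+)->(?P<new>[\d.]+):(?P<port>\d+)"')


def parse_snat_line(line: str) -> Optional[Tuple[str, str, int]]:
    """Return (original source, translated source, translated port), or None."""
    m = SNAT_RE.search(line)
    if m is None:
        return None
    return m.group("orig"), m.group("new"), int(m.group("port"))


def snat_matches_expectation(lines: List[str], flow: Flow, vip: Vip,
                             outgoing_if_ip: str = WAN_IF_IP) -> bool:
    """True when the first SNAT line for the flow's source shows the address
    the rule predicts; False when it differs or no SNAT line is present."""
    want = expected_snat_source(flow, vip, outgoing_if_ip)
    for line in lines:
        parsed = parse_snat_line(line)
        if parsed is not None and parsed[0] == flow.src_ip:
            return parsed[1] == want
    return False


# VIPs from the article: the static VIP with nat-source-vip, and the two
# port-forwarding variants used by the Note's examples.
STATIC_VIP = Vip(extip="20.1.2.3", mappedip="10.185.3.199", nat_source_vip=True)
PF_TCP_80 = Vip("20.1.2.3", "10.185.3.199", True, True, "tcp", (80, 80))
PF_TCP_ALL = Vip("20.1.2.3", "10.185.3.199", True, True, "tcp", (1, 65535))

# Debug flow lines copied from the article's verification output.
DEBUG_FLOW_LINES = [
    'id=20085 trace_id=1132 func=fw_forward_handler line=749 msg="Allowed by Policy-1: SNAT"',
    'id=20085 trace_id=1132 func=__ip_session_run_tuple line=3226 msg="SNAT 10.185.3.199->20.1.2.3:1"',
]

if __name__ == "__main__":
    ping = Flow("10.185.3.199", 1, "8.8.8.8", 0, "icmp")
    tcp80 = Flow("10.185.3.199", 62189, "8.8.8.8", 80, "tcp")
    udp53 = Flow("10.185.3.199", 62189, "8.8.8.8", 53, "udp")
    print("static VIP, icmp        ->", expected_snat_source(ping, STATIC_VIP))
    print("example 1, tcp/80 VIP   ->", expected_snat_source(tcp80, PF_TCP_80))
    print("example 2, tcp/all VIP  ->", expected_snat_source(tcp80, PF_TCP_ALL))
    print("example 3, udp flow     ->", expected_snat_source(udp53, PF_TCP_ALL))
    print("debug flow as expected  ->", snat_matches_expectation(DEBUG_FLOW_LINES, ping, STATIC_VIP))
```

Running the script reproduces the three cases from the Note and confirms that the article's debug line shows the VIP's external IP. Feeding the same debug line together with a VIP that has nat-source-vip disabled makes the check fail, which is exactly the mismatch to look for when a host is unexpectedly leaving with the interface address instead of the VIP's.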

 

Related Articles

Technical Note: How to resolve SNAT issue with multiple VIP mapped to the same internal IP

Technical Tip: Using VIP range for SNAT and static 1-to-1 mapping from internal to external IP addre...

Troubleshooting Tip: SNAT in a Policy with VIP
