FortiGate
vpalli
Staff
Article Id 209514
Description This article demonstrates how a VIP's external IP address can be used to perform Source NAT (SNAT) when Central-NAT is enabled. The use of Virtual IP addresses is usually done to map external (public) to internal (private) IP addresses for Destination NAT (DNAT).
Scope FortiGate.
Solution

Topology:

HOST <-----> (LAN) FortiGate (WAN) <-----> Internet

 

SNAT with VIP and Central-NAT enabled:

CLI configuration:

  1. CLI config for Central NAT.

config system settings
    set central-nat enable
end

 

  2. Address object of the HOST.

    config firewall address
        edit "HOST"
            set subnet 10.185.3.199 255.255.255.255
        next
    end

  3. A firewall policy to allow Internet access for the HOST.

    config firewall policy
        edit 1
            set srcintf "lan"
            set dstintf "wan"
            set srcaddr "HOST"
            set dstaddr "all"
            set action accept
            set schedule "always"
            set service "ALL"
        next
    end

  4. Central SNAT rule to NAT traffic using the outgoing interface address or an IP Pool.

    config firewall central-snat-map
        edit 1
            set orig-addr "HOST"
            set srcintf "lan"
            set dst-addr "all"
            set dstintf "wan"
        next
    end


  5. VIP configuration. IMPORTANT: With Central SNAT, 'nat-source-vip' must be enabled at all times for FortiGate to perform Source NAT using the VIP's external IP address for the traffic generated by the HOST.

    config firewall vip
        edit "VIP"
            set extip 20.1.2.3
            set extintf "wan"
            set nat-source-vip enable
            set srcintf-filter "lan"
            set mappedip "10.185.3.199"
        next
    end


    Debug Log Verification:

    id=20085 trace_id=1132 func=fw_forward_handler line=749 msg="Allowed by Policy-1: SNAT"
    id=20085 trace_id=1132 func=__ip_session_run_tuple line=3226 msg="SNAT 10.185.3.199->20.1.2.3:1"

    Sniffer result:

    4.682034 lan in 10.185.3.199 -> 8.8.8.8: icmp: echo request
    4.682148 wan1 out 20.1.2.3 -> 8.8.8.8: icmp: echo request

    Note:
    When port-forwarding is enabled on the VIP, the VIP's external IP will be used for SNAT only when the source port of the HOST-generated traffic falls in the port range configured for the VIP.

    Example 1:
    When a port-forwarding VIP is created to translate TCP port 80 to 80 and the HOST generates TCP traffic with a dynamic source port, SNAT will be performed using the outgoing interface IP and NOT the VIP's external IP.
    [10.185.3.199:62189->8.8.8.8:80] - SNAT will be performed with outgoing Interface IP.

    Example 2:
    When a port-forwarding VIP is created to translate TCP ports 1-65535 to 1-65535 and if the HOST generates TCP traffic with a dynamic source port, then the SNAT will be performed using the VIP's external IP address.
    [10.185.3.199:62189->8.8.8.8:80] - SNAT will be performed with VIP's External IP.

    Example 3:
    When a port-forwarding VIP is created to translate TCP ports 1-65535 to 1-65535 and the HOST generates UDP traffic, SNAT will be performed using the outgoing interface IP and NOT the VIP's external IP.
    [10.185.3.199:62189->8.8.8.8:53] - SNAT will be performed with outgoing Interface IP.
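The address-selection rule that the note and the three examples describe, written out as an added Python model (it is not FortiOS code and not part of this article). The WAN interface address 192.0.2.1 is a constructed placeholder, and the model assumes the source port is compared against the VIP's mapped (internal) port range.

```python
from dataclasses import dataclass
from ipaddress import ip_address

@dataclass
class Vip:
    extip: str
    mappedip: str
    extintf: str
    nat_source_vip: bool = False
    srcintf_filter: tuple = ()        # empty tuple = any ingress interface
    portforward: bool = False
    protocol: str = "tcp"             # only consulted when portforward is True
    mappedport: tuple = (1, 65535)    # internal (low, high) port range

@dataclass
class Flow:
    src_ip: str
    src_port: int
    proto: str
    srcintf: str
    dstintf: str

def pick_snat_address(flow: Flow, vips: list, egress_ip: str) -> str:
    """Address a central SNAT rule (no IP pool) stamps on the flow."""
    for vip in vips:
        if not vip.nat_source_vip or vip.extintf != flow.dstintf:
            continue                  # VIP not eligible for SNAT on this egress
        if vip.srcintf_filter and flow.srcintf not in vip.srcintf_filter:
            continue                  # srcintf-filter does not match
        if ip_address(flow.src_ip) != ip_address(vip.mappedip):
            continue                  # HOST is not the mapped IP of this VIP
        if vip.portforward:
            low, high = vip.mappedport
            if flow.proto != vip.protocol or not low <= flow.src_port <= high:
                continue              # protocol or source port outside VIP range
        return vip.extip
    return egress_ip                  # fall back to outgoing interface address

EGRESS_IP = "192.0.2.1"               # constructed WAN address, not from the article
VIP_ARTICLE = Vip("20.1.2.3", "10.185.3.199", "wan", True, ("lan",))
VIP_TCP80 = Vip("20.1.2.3", "10.185.3.199", "wan", True, ("lan",), True, "tcp", (80, 80))
VIP_TCP_ALL = Vip("20.1.2.3", "10.185.3.199", "wan", True, ("lan",), True, "tcp", (1, 65535))

def run_examples() -> dict:
    tcp = Flow("10.185.3.199", 62189, "tcp", "lan", "wan")
    udp = Flow("10.185.3.199", 62189, "udp", "lan", "wan")
    return {
        "article": pick_snat_address(tcp, [VIP_ARTICLE], EGRESS_IP),   # 20.1.2.3
        "example1": pick_snat_address(tcp, [VIP_TCP80], EGRESS_IP),    # interface IP
        "example2": pick_snat_address(tcp, [VIP_TCP_ALL], EGRESS_IP),  # 20.1.2.3
        "example3": pick_snat_address(udp, [VIP_TCP_ALL], EGRESS_IP),  # interface IP
        "disabled": pick_snat_address(tcp, [Vip("20.1.2.3", "10.185.3.199", "wan")], EGRESS_IP),
    }
```

The "disabled" case shows the same VIP with 'nat-source-vip' left at its default, which falls back to the interface address.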

Related Articles:
Technical Note: How to resolve SNAT issue with multiple VIP mapped to the same internal IP
Technical Tip: Using VIP range for SNAT and static 1-to-1 mapping from internal to external IP addre...
Troubleshooting Tip: SNAT in a Policy with VIP