Description
This article describes how to configure Source NAT for virtual wire pairs.
Scope
FortiOS v6.4 and later.
Solution
Source NAT (SNAT) is configurable for IPv4 and IPv6 policies with virtual wire pair (VWP) interfaces. See FortiOS 6.4.0 New Features Guide | SNAT support for policies with virtual wire pairs.
The following steps configure a policy that uses SNAT with a virtual wire pair.
Create the virtual wire pair interface.
config system virtual-wire-pair
    edit "test-vw-1"
        set member "port1" "port4"
    next
end
Create the IP pool.
config firewall ippool
    edit "vwp-pool-1"
        set startip 172.16.222.99
        set endip 172.16.222.100
    next
end
Configure the policy:
config firewall policy
    edit 88
        set srcintf "port4"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set ippool enable
        set poolname "vwp-pool-1"
        set nat enable
    next
end
The settings above can also be applied in the GUI.
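To check an exported configuration for the per-policy setup above, the following added example (not Fortinet code and not part of the original article) parses the config text and reports, for each NAT-enabled policy between virtual wire pair members, whether it names a defined IP pool. The function names, the trimmed sample and policy 89 are constructed for illustration; flagging NAT without a pool assumes SNAT on a virtual wire pair should always use an IP pool.

```python
import shlex

# Constructed sample: the article's objects, trimmed; policy 89 is hypothetical. Assumes VWP NAT needs a pool.
SAMPLE = '''config system virtual-wire-pair
edit "test-vw-1"
set member "port1" "port4"
next
end
config firewall ippool
edit "vwp-pool-1"
next
end
config firewall policy
edit 88
set srcintf "port4"
set dstintf "port1"
set ippool enable
set poolname "vwp-pool-1"
set nat enable
next
edit 89
set srcintf "port4"
set dstintf "port1"
set nat enable
next
end'''

def parse(text):
    """Parse flat config/edit/set blocks into {section: {entry: {option: [values]}}}."""
    cfg, section, entry = {}, None, None
    for tok in filter(None, map(shlex.split, text.splitlines())):
        if tok[0] == "config":
            section, entry = cfg.setdefault(" ".join(tok[1:]), {}), None
        elif tok[0] == "edit" and section is not None:
            entry = section.setdefault(tok[1], {})
        elif tok[0] == "set" and entry is not None:
            entry[tok[1]] = tok[2:]
    return cfg

def audit_vwp_snat(cfg):
    """Return {policy id: finding} for NAT-enabled policies between VWP members."""
    members = {m for e in cfg.get("system virtual-wire-pair", {}).values() for m in e.get("member", [])}
    pools = set(cfg.get("firewall ippool", {}))
    out = {}
    for pid, p in cfg.get("firewall policy", {}).items():
        intfs = set(p.get("srcintf", []) + p.get("dstintf", []))
        if not intfs or not intfs <= members or p.get("nat") != ["enable"]:
            continue
        names = p.get("poolname", []) if p.get("ippool") == ["enable"] else []
        out[pid] = "nat without ippool" if not names else "undefined pool" if set(names) - pools else "ok"
    return out
```

The parser handles only flat config/edit/set blocks and does not evaluate central-snat-map entries.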
If Central NAT is enabled, the IP pool is applied in 'config firewall central-snat-map' rather than in the firewall policy, and the CLI must be used to configure NAT.
config firewall central-snat-map
    edit 2
        set srcintf "port4"
        set dstintf "port1"
        set orig-addr "all"
        set dst-addr "all"
        set nat-ippool "vwp-pool-1"
    next
end
config firewall policy
    edit 90
        set srcintf "port4"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
end
Attempting to edit the Central SNAT policy in the GUI after creation shows blank Incoming and Outgoing interfaces, and changes cannot be applied from the GUI.
Copyright 2026 Fortinet, Inc. All Rights Reserved.