Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
haljawhari
Staff
Staff

Created on ‎09-17-2009 07:35 AM Edited on ‎03-30-2025 01:47 PM By Community Manager

Article Id 197580

Technical Tip: Use of IPPool to NAT traffic with a different IP than the FortiGate public (external) IP address

Description The article describes a solution for the following scenario:

                                   FGT external IP
[ INTERNAL SERVER ]===[ FortiGate ]==={ Internet }
                                   Other external IP

The requirement is that all traffic from the Server to the Internet uses a different source IP than the FortiGate public IP. In this case, one or more public (external) IP addresses have been provided by the ISP, and the solution is based on IP Pool.
Scope FortiGate
Solution

Example:

The following addresses are used in this example:

  • FortiGate WAN interface (port1) external IP : 192.168.183.110
  • Another IP address (192.168.183.111) is provided by the ISP and that must be used to source NAT the traffic of the configuration:


                                           External IP 192.168.183.110
              10.160.1.10      port2       port1
[ INTERNAL SERVER ]===[ FortiGate ]==={ Internet }
                                           Source NAT
                                           to 192.168.183.111

 

CLI Configuration:

 

config system interface
    edit "port1"
        set ip 192.168.183.110 255.255.254.0
end

config firewall ippool
    edit "Server_EXT_IP"
        set endip 192.168.183.111
        set startip 192.168.183.111
end

config firewall policy
    edit 1
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set ippool enable
        set poolname "Server_EXT_IP"
        set schedule "always"
        set service "ANY"
        set nat enable
end

Verification with a sniffer trace (on HTTP traffic for example).

FGT # diagnose sniffer packet any "port 80" 4
30.690038 port2 in 10.160.1.10.1310 -> 192.168.183.254.80: syn 2092282704
30.690106 port1 out 192.168.183.111.58810 -> 192.168.183.254.80: syn 2092282704

The output shows that the traffic egressing through port1 is sourced with the IP address defined the IP Pool and Firewall Policy.

Note:
FortiGate supports 4 types of IPPool including overload, one-to-one, fixed port range and port block allocation. Refer to this document for more information: Technical Tip: How to configure SNAT with IP pool - Fortinet Community.
Labels:
20457
0 Kudos
Suggest New Article
Article Feedback
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2026 Fortinet, Inc. All Rights Reserved.