Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
haljawhari
Staff
Staff

Created on ‎09-17-2009 07:35 AM Edited on ‎12-16-2021 01:39 PM By Anonymous

Article Id 197580

Technical Tip: Use of IPPool to NAT traffic with a different IP than the FortiGate public (external) IP address

Description

The article describes a solution for the following scenario:
                                   FGT external IP
[ INTERNAL SERVER ]===[ FortiGate ]==={ Internet }
                                   Other external IP
The requirement is that all traffic from the Server to the Internet uses a different source IP than the FortiGate public IP.  In this case, one or more public (external) IP addresses have been provided by the ISP, and the solution is based on IP Pool.


Solution

Example.

The following addresses are used in this example:
 
•     FortiGate WAN interface (port1) external IP : 192.168.183.110
•     Another  IP address (192.168.183.111) is provided by the ISP and that must be used to source NAT the traffic of the Server : 10.160.1.10
                                           External IP 192.168.183.110
              10.160.1.10      port2       port1
[ INTERNAL SERVER ]===[ FortiGate ]==={ Internet }
                                           Source NAT
                                           to 192.168.183.111


CLI Configuration

# config system interface
    edit "port1"
        set ip 192.168.183.110 255.255.254.0
end

# config firewall ippool
    edit "Server_EXT_IP"
        set endip 192.168.183.111
        set startip 192.168.183.111
end

# config firewall policy
    edit 1
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set ippool enable
        set poolname "Server_EXT_IP"
        set schedule "always"
        set service "ANY"
        set nat enable
end
Verification with a sniffer trace (on HTTP traffic for example).
FGT # diagnose sniffer packet any "port 80" 4
30.690038 port2 in 10.160.1.10.1310 -> 192.168.183.254.80: syn 2092282704
30.690106 port1 out 192.168.183.111.58810 -> 192.168.183.254.80: syn 2092282704
The output shows that the traffic egressing port1 is sourced with the IP address defined the IP Pool and Firewall Policy.
Labels:
19843
0 Kudos
Suggest New Article
Article Feedback
Contributors
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.