hhasny (Staff)
Article Id 417999
Description: This article gives a configuration example that uses a FortiGate VIP range to map a range of external IP addresses 1:1 (static DNAT) to internal server addresses.
Scope: FortiGate.
Solution

In this example, each internal server is mapped to its own unique public IP using a FortiGate Virtual IP (VIP) range configured for static 1:1 DNAT.

[Image: Diagram.png]

External users can reach these servers by connecting to the corresponding addresses within the VIP range:

VIP Address    Internal IP Address
10.47.21.1     10.201.5.11
10.47.21.2     10.201.5.12
10.47.21.3     10.201.5.13

[Image: DNAT Configuration]
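The CLI below is an added example of the configuration shown in the screenshot above; it is not the article's own configuration and is not taken from the screenshot. The VIP name SRV-VIP-RANGE, the policy name, the service selection and the interface names wan1 (external) and dmz (internal) are assumptions; the addresses and the policy ID 2 are the ones that appear in this article.

```fortios
# Added example: VIP range for 1:1 static DNAT plus the inbound policy.
# Interface names wan1 (external) and dmz (internal) are assumptions.
config firewall vip
    edit "SRV-VIP-RANGE"
        set extintf "wan1"
        # The external range and the mapped range must contain the same
        # number of addresses; they are paired in order:
        #   10.47.21.1 -> 10.201.5.11
        #   10.47.21.2 -> 10.201.5.12
        #   10.47.21.3 -> 10.201.5.13
        set extip 10.47.21.1-10.47.21.3
        set mappedip "10.201.5.11-10.201.5.13"
    next
end

# Policy ID 2 matches policy_id=2 in the session output of this article.
config firewall policy
    edit 2
        set name "Inbound-to-Servers"
        set srcintf "wan1"
        set dstintf "dmz"
        set action accept
        set srcaddr "all"
        set dstaddr "SRV-VIP-RANGE"
        set schedule "always"
        # Permit only the services the servers expose rather than "ALL";
        # a static-NAT VIP without port forwarding translates every port.
        set service "HTTPS" "PING"
        set logtraffic all
    next
end

# Verification: display the VIP object, then filter the session table on
# one VIP address and list the matching sessions.
show firewall vip SRV-VIP-RANGE
diagnose sys session filter dst 10.47.21.2
diagnose sys session list
```

Two points worth checking after applying this. First, the mapping is positional, so the order of addresses in extip and mappedip decides which public address reaches which server; a server added later must be appended to both ranges at the same position. Second, arp-reply is enabled by default on a VIP, so the FortiGate answers ARP for 10.47.21.1 to 10.47.21.3 on wan1; the VIP range therefore has to be part of, or routed towards, the subnet on that interface for inbound traffic to arrive at all.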

 

Below is the session list after ICMP echo requests (proto=1) were sent from 10.111.36.24 to each of the three VIP addresses. In each session the hook=pre dir=org act=dnat line shows the VIP address being translated to the mapped internal address shown in parentheses, and the hook=post dir=reply act=snat line shows the reply being translated back to the VIP address:

diagnose sys session list

session info: proto=1 proto_state=00 duration=5 expire=54 timeout=0 refresh_dir=both flags=00000000 socktype=0 sockport=0 av_idx=0 use=3
origin-shaper=
reply-shaper=
per_ip_shaper=
class_id=0 ha_id=0 policy_dir=0 tunnel=/ vlan_cos=0/255
state=log may_dirty f00 f02
statistic(bytes/packets/allow_err): org=60/1/1 reply=0/0/0 tuples=2
tx speed(Bps/kbps): 10/0 rx speed(Bps/kbps): 0/0
orgin->sink: org pre->post, reply pre->post dev=3->12/12->3 gwy=0.0.0.0/0.0.0.0
hook=pre dir=org act=dnat 10.111.36.24:1->10.47.21.2:8(10.201.5.12:1)
hook=post dir=reply act=snat 10.201.5.12:1->10.111.36.24:0(10.47.21.2:1)
misc=0 policy_id=2 pol_uuid_idx=15859 auth_info=0 chk_client_info=0 vd=0
serial=00073541 tos=ff/ff app_list=0 app=0 url_cat=0
rpdb_link_id=00000000 ngfwid=n/a
npu_state=0x000100
no_ofld_reason: npu-flag-off

session info: proto=1 proto_state=00 duration=8 expire=51 timeout=0 refresh_dir=both flags=00000000 socktype=0 sockport=0 av_idx=0 use=3
origin-shaper=
reply-shaper=
per_ip_shaper=
class_id=0 ha_id=0 policy_dir=0 tunnel=/ vlan_cos=0/255
state=log may_dirty f00 f02
statistic(bytes/packets/allow_err): org=60/1/1 reply=0/0/0 tuples=2
tx speed(Bps/kbps): 7/0 rx speed(Bps/kbps): 0/0
orgin->sink: org pre->post, reply pre->post dev=3->12/12->3 gwy=0.0.0.0/0.0.0.0
hook=pre dir=org act=dnat 10.111.36.24:1->10.47.21.1:8(10.201.5.11:1)
hook=post dir=reply act=snat 10.201.5.11:1->10.111.36.24:0(10.47.21.1:1)
misc=0 policy_id=2 pol_uuid_idx=15859 auth_info=0 chk_client_info=0 vd=0
serial=0007353c tos=ff/ff app_list=0 app=0 url_cat=0
rpdb_link_id=00000000 ngfwid=n/a
npu_state=0x000100
no_ofld_reason: npu-flag-off

session info: proto=1 proto_state=00 duration=3 expire=56 timeout=0 refresh_dir=both flags=00000000 socktype=0 sockport=0 av_idx=0 use=3
origin-shaper=
reply-shaper=
per_ip_shaper=
class_id=0 ha_id=0 policy_dir=0 tunnel=/ vlan_cos=0/255
state=log may_dirty f00 f02
statistic(bytes/packets/allow_err): org=60/1/1 reply=0/0/0 tuples=2
tx speed(Bps/kbps): 18/0 rx speed(Bps/kbps): 0/0
orgin->sink: org pre->post, reply pre->post dev=3->12/12->3 gwy=0.0.0.0/0.0.0.0
hook=pre dir=org act=dnat 10.111.36.24:1->10.47.21.3:8(10.201.5.13:1)
hook=post dir=reply act=snat 10.201.5.13:1->10.111.36.24:0(10.47.21.3:1)
misc=0 policy_id=2 pol_uuid_idx=15859 auth_info=0 chk_client_info=0 vd=0
serial=00073549 tos=ff/ff app_list=0 app=0 url_cat=0
rpdb_link_id=00000000 ngfwid=n/a
npu_state=0x000100
no_ofld_reason: npu-flag-off
total session: 3