Unlock Exclusive Benefits
Join Our Community Today!
Join our community and post in the forum to earn your exclusive Summer Badge! Become a member today!
LOGIN/REGISTER
CONTINUE AS A GUEST
- Support Forum
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiADC
- FortiAIOps
- FortiAnalyzer
- FortiAP
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCare Services
- FortiCarrier
- FortiCASB
- FortiConverter
- FortiCNP
- FortiDAST
- FortiData
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDLP
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEdgeCloud
- FortiEDR
- FortiEndpoint
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiGuest
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPhish
- FortiPortal
- FortiPresence
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSRA
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- FortiAppSec Cloud
- Lacework
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Support Forum
- 1 to 1 nat vip
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
1 to 1 nat vip
Hello guys i have a fortigate 100d. I think it is a simple deal but i wanted to confirm either way. I have a phone system that is receiving sip traffic for telco. This telco system was connected directly to the net with a public address. I wanted to bring the phone system behind the firewall and nat all traffic to it. Please let me know if this is the right way to do it
FG100d
7.7.7.7 255.255.255.252
telco
7.7.7.8 255.255.255.252
First i would setup a vip like so External IP Address/Range 7.7.7.8-7.7.7.8 with a mapped internal address to 192.168.1.5-192.168.1.5
config firewall vip edit "Cisco-SIP" set extip 7.7.7.8 set extintf "wan1" set mappedip "192.168.1.5-192.168.1.5" next
edit 4 set srcintf "wan1" set dstintf "lan" set srcaddr "all" set dstaddr "Cisco-SIP" set action accept set schedule "always" set service "Cisco-Phones" next
FGT100D # show firewall service custom config firewall service custom
edit "Cisco-Phones" set category "VoIP, Messaging & Other Applications" set tcp-portrange 5090:0-65535 5000:0-65535 set udp-portrange 9000-9049:0-65535 5060:0-65535 5090:0-65535 next
- « Previous
-
- 1
- 2
- Next »
17 REPLIES 17
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Ede gave a good example of inbound ( DNAT ) but the following policy as addressed will not be a 1-2-1nat
set srcintf "lan" set dstintf "wan1" set srcaddr "all" set dstaddr "all" set action accept set schedule "always" set service "ALL" set utm-status enable set av-profile "AV" set ips-sensor "IPS" set profile-protocol-options "default" set ssl-ssh-profile "certificate-inspection" set nat enable
The would not SNAT to the same address of the VIP as stated. What I would do ( just another option ) is to build a ip pool and defined that in your policy for traffic you allow outbound from the pbx point of view.As rwpatterson pointed out that policy is to broad unless that's what your intentions are but I would at least specifiy the srcaddr of the pbx and the services you want.
e.g
config firewall ippool edit "MYPBX" set startip 7.7.7.8 set endip 7.7.7.8 set comments "121-snat mypbx"
set type one-to-one next
than you apply this in the policy specifiy the PBX server;
config firewall addr
edit MYPBX_priv
set subnet 192.168.1.5/32
end
config firewall policy
edit 0
set srcintf "lan" set dstintf "wan1" set srcaddr "MYPBX_priv" set dstaddr "all" set action accept set schedule "always" set service "ALL"
set action accept
set utm-status disable set ssl-ssh-profile "certificate-inspection"
set nat enable
set poolname "MYPBX"
end
Ken
PCNSE
NSE
StrongSwan
PCNSE
NSE
StrongSwan
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
i chatted with support
Emran (09:19:43): Yes, you need to create a policy from lan to wan Emran (09:19:58): and NAT it to 7.7.7.8 IP address
Emran (09:23:00): First you need to create an ippool Emran (09:23:18): Firewall Object -> Virtual IP - > IP pools Emran (09:23:30): Create New Emran (09:23:37): Type: Overload Emran (09:23:56): EXternal IP range : 7.7.7.8-7.7.7.8 Emran (09:24:06): ARP reply : check Emran (09:25:34): Then create a policy Emran (09:25:37): LAN to WAN Emran (09:25:50): Enable NAT and select the ippool that you created
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
OK, the question is whether traffic originating from the internal PBX is NATted by the VIP. I would guess 'no' as you need an additional outbound policy. Use an IP pool with just 1 address to enforce source NAT.
In the inbound policy, you don't need to use an IP pool or enable "nat-source-vip". That was what I wanted to make a point of.
Ede Kernel panic: Aiee, killing interrupt handler!
Ede Kernel panic: Aiee, killing interrupt handler!
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Agreed and traffic will only be nat ( SNAT ) by whatever policies you enable and after the route-selection and outgoing interfaces has been determine. This is why you have to fully understand both SNAT and DNAT and packet flow from a fortinet point of view. I remember fortinet back in the mid 2000s used to have a pdf called "life of a packet" or something to that effect. For FCNSA they had numerous questions pertaining to this on the exam also ;)
A VIP has nothing to do with DNAT outside of services allowed from the inbound rule and returned traffic.
fwiw: the diag debug flow is a magical tool for understanding this process.
PCNSE
NSE
StrongSwan
PCNSE
NSE
StrongSwan
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
First section in this doc is called "Life of a Packet". It's a great troubleshooting resource that I have referenced many times!
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you for the doc. Nice to have a good resource to reference for troubleshooting.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
FortiAdmin you the Man.
I would give you a few thumbs but I only have 2 hands 7 don't know howto add thumbs in this reply ;)
At one time I remember like a decade ago, the fortitrainers used to make all candidates going thru fortigate basic 101 study that and the ingress vrs egress and how DNAT is totally determine differently than SNAT.
I highlight the main items on this page within that section you pulled out. And attached it here. This is why diag debug flow will teach you good flow construction across a fortigate. In fact these 2 process are very similar to iptables chains for pre-routing ( DNAT ) vrs post-routing ( SNAT ) .
DNAT in a fairness has very little to do with routing , while SNAT can only be determine after we've made a route-lookup ( pending RPF checks pass/fail ) and have determine which interface to go out of.
Packets handled by the VIP will always return by the policies that allowed the packet in the flow ( unless you have something else screwing up the fwpoliciy(s) ) . But traffic in a flow source from the inside has very little to do with the external facing VIP. You can indeed have services static-map or port-forward into a DNAT , but yet have traffic "sourced" from the server SNAT'd via a different source address ( nat-overload-interface, ippool,etc....)
PCNSE
NSE
StrongSwan
PCNSE
NSE
StrongSwan
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The other obvious path you could take for the outbound nat is to build a one-to-one ip pool with the public ip of 7.7.7.8 and then in your outbound policy for the phone system, set the nat to use the ip pool.
- « Previous
-
- 1
- 2
- Next »
Labels
-
FortiGate
10,510 -
FortiClient
2,135 -
FortiManager
886 -
5.2
687 -
FortiAnalyzer
674 -
5.4
638 -
FortiSwitch
578 -
FortiAP
558 -
FortiClient EMS
551 -
6.0
416 -
IPsec
411 -
SSL-VPN
373 -
FortiMail
371 -
5.6
362 -
FortiNAC
277 -
FortiWeb
252 -
6.2
251 -
FortiAuthenticator v5.5
234 -
SD-WAN
191 -
FortiAuthenticator
168 -
FortiGuard
159 -
5.0
152 -
Firewall policy
141 -
6.4
128 -
FortiGate-VM
126 -
FortiCloud Products
116 -
FortiGateCloud
112 -
FortiSIEM
111 -
FortiToken
110 -
Wireless Controller
95 -
Customer Service
88 -
High Availability
83 -
FortiProxy
77 -
ZTNA
75 -
Routing
72 -
DNS
71 -
SAML
70 -
VLAN
70 -
Fortivoice
69 -
FortiEDR
68 -
FortiADC
67 -
BGP
67 -
Authentication
66 -
Certificate
64 -
RADIUS
59 -
LDAP
58 -
SSO
54 -
FortiSandbox
53 -
fortilink
53 -
NAT
52 -
FortiExtender
51 -
4.0MR3
49 -
VDOM
44 -
Application control
44 -
FortiDNS
43 -
Interface
43 -
Logging
40 -
Virtual IP
39 -
FortiGate v5.4
38 -
FortiSwitch v6.4
38 -
FortiPAM
35 -
SSL SSH inspection
35 -
Web profile
35 -
FortiConnect
34 -
Automation
32 -
FortiWAN
31 -
FortiConverter
30 -
FortiGate v5.2
27 -
SNMP
25 -
SSID
25 -
Static route
25 -
Traffic shaping
24 -
API
24 -
FortiSwitch v6.2
23 -
FortiPortal
23 -
FortiGate Cloud
23 -
System settings
22 -
OSPF
20 -
WAN optimization
20 -
FortiMonitor
19 -
Security profile
19 -
Web application firewall profile
18 -
IP address management - IPAM
18 -
FortiSoar
17 -
Web rating
17 -
FortiGate v5.0
16 -
FortiDDoS
16 -
FortiAP profile
16 -
Explicit proxy
15 -
Admin
15 -
Proxy policy
15 -
FortiCASB
14 -
IPS signature
14 -
Intrusion prevention
14 -
FortiManager v4.0
13 -
DNS filter
13 -
FortiManager v5.0
12 -
NAC policy
12 -
Traffic shaping policy
12 -
Fabric connector
12 -
Port policy
12 -
FortiRecorder
11 -
Users
11 -
FortiDeceptor
10 -
FortiAnalyzer v5.0
10 -
FortiWeb v5.0
10 -
FortiBridge
10 -
Trunk
10 -
Traffic shaping profile
10 -
Authentication rule and scheme
10 -
Fortinet Engage Partner Program
10 -
FortiGate v4.0 MR3
9 -
RMA Information and Announcements
9 -
Antivirus profile
9 -
FortiCache
8 -
FortiToken Cloud
8 -
4.0
7 -
4.0MR2
7 -
Packet capture
7 -
Application signature
7 -
VoIP profile
7 -
Vulnerability Management
7 -
FortiScan
6 -
FortiCarrier
5 -
FortiNDR
5 -
FortiTester
5 -
DLP profile
5 -
DLP sensor
5 -
DoS policy
5 -
Email filter profile
5 -
Protocol option
5 -
Cloud Management Security
5 -
3.6
4 -
FortiDirector
4 -
Internet service database
4 -
DLP Dictionary
4 -
Netflow
4 -
TACACS
4 -
Replacement messages
4 -
SDN connector
4 -
Service
4 -
Multicast routing
4 -
FortiDB
3 -
FortiHypervisor
3 -
Kerberos
3 -
File filter
3 -
Multicast policy
3 -
FortiInsight
2 -
FortiAI
2 -
Video Filter
2 -
Schedule
2 -
ICAP profile
2 -
Zone
2 -
lacework
2 -
FortiEdge Cloud
2 -
FortiGuest
2 -
4.0MR1
1 -
FortiManager-VM
1 -
FortiCWP
1 -
Subscription Renewal Policy
1 -
FortiSASE
1 -
Virtual wire pair
1 -
FortiEdge
1 -
FortiAIOps
1
Top Kudoed Authors
| User | Count |
|---|---|
| 2549 | |
| 1356 | |
| 795 | |
| 646 | |
| 455 |
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2025 Fortinet, Inc. All Rights Reserved.