Fortinet Forum
topcu

SNAT precedence: DNAT with nat-source-vip enabled vs. Central SNAT policy?

Hello all,

We have configured a DNAT policy that matches a wide /16 external IP range to an internal IP range. On this policy "nat-source-vip" is also enabled, so that bidirectional initiation of Extranet communication is possible. One of the hosts out of the internal range needs a separate, specific source NAT address for outgoing communication only. Therefore I configured a more specific Central SNAT policy for this specific communication. But when analyzing the logs, the firewall still maps the external address of the DNAT policy to the traffic.


My question is, which policy has precedence for outgoing source-natted traffic, the DNAT policy with nat-source-vip enabled or the SNAT policy?


What other factors play a role in the selection of the SNAT address, either by SNAT or by DNAT + nat-source-vip? Is there documentation available?


FG3900E, Central NAT, Version 5.6.11


Many thanks in advance / Best regards! Hakan

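A reproduction of the two competing configurations described in the question, followed by the session lookup a practitioner would use to see which source address the firewall actually applied. This is an added example, not the poster's configuration: the interface names (wan1, internal), the documentation address ranges, the object names and the single host 10.10.0.50 are all assumptions, and the lines starting with # are explanatory comments rather than CLI input.

```text
# Assumed: wan1 = outside, internal = inside, 203.0.113.0/24 = public range,
# 10.10.0.0/24 = internal range, 203.0.113.200 = dedicated SNAT address.

# 1. Range VIP with nat-source-vip, so sessions initiated from the mapped
#    hosts are also translated to the matching external address.
config firewall vip
    edit "extranet-range"
        set extip 203.0.113.1-203.0.113.254
        set mappedip "10.10.0.1-10.10.0.254"
        set extintf "wan1"
        set nat-source-vip enable
    next
end

# 2. Dedicated IP pool and a more specific Central SNAT entry for one host.
config firewall ippool
    edit "host-a-snat"
        set startip 203.0.113.200
        set endip 203.0.113.200
    next
end
config firewall address
    edit "host-a"
        set subnet 10.10.0.50 255.255.255.255
    next
end
config firewall central-snat-map
    edit 1
        set srcintf "internal"
        set dstintf "wan1"
        set orig-addr "host-a"
        set dst-addr "all"
        set nat enable
        set nat-ippool "host-a-snat"
    next
end

# 3. Check: after host-a opens an outbound connection, list its session and
#    compare the translated source in the "act=snat" line with the two
#    candidates above (203.0.113.50 from the VIP vs. 203.0.113.200 from the pool).
diagnose sys session filter src 10.10.0.50
diagnose sys session list
```

Comparing the translated address in the session entry with the forward-traffic log for the same session shows which of the two mechanisms the firewall chose, independent of what the policy configuration suggests.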