Adanio
New Contributor

Change Destination ip

Hello 

I'm new to the forum and also to Fortinet products. 

I have a customer who has a request that I couldn't find an answer to online.

Our scenario:

In our network the LAN interfaces are lan and lan2 and the IP is 172.16.x.x; the wan port is our internet.

My customer wants that, when he telnets to 10.0.0.x, the packet gets to the FortiGate and the destination IP changes from 10.0.0.x to a legal IP on the internet, 34.x.x.x, and the source IP also changes with NAT.

I've tried many things, and the last one was using a VIP, configuring the incoming interface as lan, and having a policy from lan to wan where the source IP is 172.16.0.0 and the destination is 10.0.0.x.

We have a 100D, ver 5.2.8.

Does anyone know if this is possible and how to accomplish this?

Thanks 

 

1 Solution
Nils
Contributor II

Where is the 10.0.0.x network located?

Sounds like an odd solution..

 

Create a VIP with LAN as incoming interface, 17.16.x.x as source network and 10.0.0.x as external then 34.x.x.x as mapped ip.

Create a policy with the VIP as destination and also make sure that you check the NAT checkbox in the policy.

Maybe you'll have to create an IP-Pool with the source ip to use for the nat, specify this ip-pool in the policy under NAT.

 

 

Adanio
New Contributor

Hi Nilsan, 

Thanks for your answer. 

 

I'll elaborate a bit.

The customer has a service on his computer that can only be configured with a destination IP of 10.0.0.x.

This IP is behind the real IP address 34.x.x.x (AWS).

 

I will try your solution and update 

Thanks 

 

ede_pfau
Esteemed Contributor III

A VIP does destination NAT - the destination address is exchanged when the packet traverses the policy.

IF your goal is to use 10.0.0.x and reach 34.x.y.z on the net instead then you would use a VIP like posted above.

IF your goal is to reach a 10.0.0.x in some remote LAN then you would probably have to use a VPN tunnel to get into that LAN.

As it's not really clear to me what your setup is, please post a small diagram with network addresses to clarify.


Ede

"Kernel panic: Aiee, killing interrupt handler!"
Adanio

Hi Ede, 

My goal was to change 10.0.0.x to 34.x.y.z... 

This is due to my client's service, which can work only with the 10 subnet (or he will have to build the service from scratch).

At first I suggested to him that we should build a tunnel, but that wasn't what he needed.

For future use, I'll explain my situation:

LAN: 172.16.0.0

The FortiGate is my default gateway and is connected to lan and wan.

When a computer on the LAN sends a packet with src ip: 172.16.x.x dest ip: 10.0.0.x

The packet is routed to wan with src ip: 31.x.y.z dest ip: 34.x.y.z

Thanks guys
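
The VIP-plus-NAT policy described in this thread, written out as a FortiOS CLI sketch. This is an added example, not configuration posted by any participant. The object names, the `wan1` interface name and the /16 LAN mask are assumptions, and the elided octets (x) are left exactly as they appear in the thread.

```fortios
# Lines starting with "#" are annotations; drop them when pasting.
# Replace every elided octet (x) with the real value before use.

# Source address object. The /16 mask is an assumption; the thread
# only gives the LAN as 172.16.0.0.
config firewall address
    edit "lan-172.16"
        set subnet 172.16.0.0 255.255.0.0
    next
end

# Destination NAT: packets arriving on "lan" for 10.0.0.x have their
# destination rewritten to 34.x.x.x. Object name is hypothetical.
config firewall vip
    edit "vip-10-to-34"
        set extintf "lan"
        set extip 10.0.0.x
        set mappedip 34.x.x.x
    next
end

# Policy from lan to the internet-facing port ("wan1" is assumed) with
# the VIP as destination. "set nat enable" adds the source NAT, using
# the outgoing interface address. Source and service are limited to the
# LAN subnet and TELNET so the rule matches nothing broader than the
# use case in the thread.
config firewall policy
    edit 0
        set srcintf "lan"
        set dstintf "wan1"
        set srcaddr "lan-172.16"
        set dstaddr "vip-10-to-34"
        set action accept
        set schedule "always"
        set service "TELNET"
        set nat enable
    next
end
```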

 

 
