Hello
I'm new to the forum and also to Fortinet products.
I've a customer that have a request that i couldn't find an answer online.
our scenario:
In our network the lan interfaces are lan and lan2 and the ip is 172.16.x.x, wan port is our internet
My customer want when he telnet to 10.0.0.x the packet will get to fortigate and the destination ip will change from
10.0.0.x to legal ip on the internet 34.x.x.x and also the source ip change with NAT.
I've tried many things and the last one was using VIP and configure the incoming interface as lan and have a policy from lan to wan where the source ip is 172.16.0.0 and destination is 10.0.0.x.
we have 100D, ver 5.2.8
Does anyone knows if this is possible and how to accomplish this?
Thanks
Solved! Go to Solution.
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Where is the 10.0.0.x network located?
Sounds like an odd solution..
Create a VIP with LAN as incoming interface, 17.16.x.x as source network and 10.0.0.x as external then 34.x.x.x as mapped ip.
Create a policy with the VIP as destination and also make sure that check the NAT checkbox in the policy.
Maybe you'll have to create an IP-Pool with the source ip to use for the nat, specify this ip-pool in the policy under NAT.
Where is the 10.0.0.x network located?
Sounds like an odd solution..
Create a VIP with LAN as incoming interface, 17.16.x.x as source network and 10.0.0.x as external then 34.x.x.x as mapped ip.
Create a policy with the VIP as destination and also make sure that check the NAT checkbox in the policy.
Maybe you'll have to create an IP-Pool with the source ip to use for the nat, specify this ip-pool in the policy under NAT.
Hi Nilsan,
Thanks for your answer.
I'll Elaborate a bit
The customer have a service on his computer that can only be configured with destination ip of 10.0.0.x
This ip is behind real ip address 34.x.x.x. (AWS).
I will try your solution and update
Thanks
A VIP does destination NAT - the destination address is exchanged when the packet traverses the policy.
IF your goal is to use 10.0.0.x and reach 34.x.y.z on the net instead then you would use a VIP like posted above.
IF your goal is to reach a 10.0.0.x in some remote LAN then you would probably have to use a VPN tunnel to get into that LAN.
As it's not really clear to me what your setup is, please post a small diagram with network addresses to clarify.
Hi Ede,
My goal was to change 10.0.0.x to 34.x.y.z...
This is due to my client service that can work only with 10 subnet (or he will have to build the service from scratch)
At first i suggested him we should build a tunnel but that wasn't what he needed.
For future use i explain my situation
Lan: 172.16.0.0
Fortigate is my default gateway and connected to lan and wan
when a computer on lan send a packet with src ip: 172.16.x.x dest ip: 10.0.0.x
The packet is routed to wan with src ip: 31.x.y.z dest ip: 34.x.y.z
Thanks guys
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1702 | |
1092 | |
752 | |
446 | |
228 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.