Hello forum,
I've searched and read in the documentation about IP Pool (for SNAT) and I really don't understand the difference between Overload and One to one ip pools.
- One-to-One - in this case the only internal address used by the external address is the internal address that it is mapped to.
- Overload - this is the default setting. Internal addresses other than the one designated in the policy can use this address for the purposes of NAT.
I Understand that they are used to NAT the source address with the IP/range defined in the pool but can't figure out the difference....
Can anybody explain?
Thanks
You generally will use One-to-One when you also have VIPs (for resources hosted internally that need to be reached from the Internet). This ensures that all traffic for a given IP (inbound AND outbound) belongs only to that server. This also assumes you have more than one public IP available on your WAN connection. If you are only given one IP, you really wouldn't use an IP Pool at all as you would just Overload NAT all your traffic to the outbound interface IP.
If you have multiple public IPs, but many internal hosts, you may wish to set up a scheme for your Overload NAT to match up with certain networks. For example we have 256 public IPs and use a different one for each internal subnet (i.e., guest wifi, student wifi, staff wifi, staff PCs, etc). This helps narrow things down a bit if someone gets infected or something like that. When we see what public IP they came from we know immediately which VLAN to look at.
Keep in mind that each public IP you have gives you a maximum of 65k connections...also I would recommend reading up on PAT vs NAT (i.e. overload vs One-to-One), as what you're asking here is more of a basic networking concept: https://techdifferences.c...tween-nat-and-pat.html
I have just signed up to thank you!
THANK YOU VERY MUCH
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1740 | |
1108 | |
752 | |
447 | |
240 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.