How is DNAT & VIP configuration involved when Central NAT is enabled // FortiGate
Hi,
we have a firewall with central NAT enabled. Some communications are initiated from the inside network and go towards the outside network.
Original Source IP - 172.19.60.100
Original Destination IP - 192.168.23.5
Source NAT IP - 192.168.48.12
As per the central NAT rules defined, this traffic is getting source NATed to 192.168.48.12 when going through the firewall.
Also, we have configured some DNAT & VIP like below for traffic which is originated from the external side.
External IP - 192.168.48.12
Mapped IP - 172.19.60.120
Considering this, 192.168.48.12 is the source NAT IP for the traffic initiated from 172.19.60.100. Also, this is the external IP for the traffic initiated from external, and it maps to the inside IP 172.19.60.120, which is different from 172.19.60.100.
Will this work as expected or will there be any issues?
Thanks
I don't think it will cause any issue since the SNAT and DNAT tables are different (directions). Even though you are using a private IP, this is a common scenario for small networks that use a single public IP to SNAT the user traffic and DNAT some of the servers using the same public IP. In this case the IP 192.168.48.12 will have the 'role' of the public IP.
If you have found a solution, please like and accept it to make it easily accessible for others.
Hello @LaD,
Starting from 6.2 there is a new feature 'match-vip-only' to apply to a policy when Central NAT is enabled.
The VIP/DNAT with central NAT is explained in this article:
Arun Kumar | TAC Engineer II
FORTINET TAC - America EAST
NSE Certified: FCA, FCF, FCP-NS, FCSS-NS
Office Hours: 9AM-6PM EST (Tue-Sat)
Contact: https://fortinet.com/support-and-training/support/contact.html
Community Forum: https://community.fortinet.com
# Is there anything Fortinet could have assisted with further, better, or differently?
# Simply request a Manager follow-up
