Can one use IP Pools for SNAT with the source interfaces as a Zone and the destination as a physical interface? I did read that you can't use zones and IP Pools and was wondering if that is still the case? Or is it only the destination that can't be a zone, that I would understand.
"Internal Trusted" is a Zone containing two interfaces, destination is a vlan interface:
The vlan interface has an ip of 196.33.152.186/30 and next hop is 196.33.152.185.
dst-osfw-pri-mi-2543
IP Prefix: 196.33.152.184/30
So if I need to SNAT the traffic destined to 196.23.189.171 so that it looks like it's coming from 196.34.224.128/32, they would also need to have that (196.34.224.128/32) in their routing table pointing towards the FortiGate, right?
First, FGT's zone is just an "alias" to represent multiple interfaces with one name in policies. Nothing more than that, which is different from Palo Alto's zone, or Juniper SRX's zone, or some other server-based FWs as far as I know.
Then SNAT with ippool shouldn't be affected if you use interfaces or zones for src/dst interfaces in policies. As a matter of fact, we use a zone for an outgoing interface on one of our FGTs while SNAT/ippool is applied to the policies.
Is it not working?
Of course if there is returning traffic toward the SNAT IP from the destination side, there needs to be a route on the other end to point the traffic destined to the SNAT IP to the real interface.
Thanks for the info. It's not working at the moment but suspect the other company hasn't added the route back to me yet. If I remove the SNAT and just NAT it on the interface IP it works fine, so suspect it's the route that's missing on the other side.
If you run "flow debug" against the destination IP, you would see the SNAT is swapping the source IP before forwarding to the interface.
Thanks, the flow does show it's changing the source NAT to the correct IP. I did this test over another source interface; I can only do the test over the zone later today, but I suspect the issue is on the other side.
Telnet test to 196.23.189.171 on port 7805, so my side looks fine at least.
No, as I said before, zone is just an alias and you can't use it for debugging, or it doesn't show. A FGT looks at/shows flow on interfaces. That's the difference of zone from other vendor devices like Palo Alto, etc.