Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
ck8882
New Contributor II

Created on ‎10-23-2023 01:09 AM Edited on ‎10-23-2023 01:11 AM

Is it possible support different IP pool IP address from same source, different dest in Duat Nat

Hi Anyone,
Would like to know if fortigate support different IP pool address from same source, different destination in Dual Nat ? (Central NAT and DNAT)
 
For example below (example migrate from checkpoint/cisco)
 
Original SourceOriginal DestinationTranslated AddressTranslated Destination
10.12.10.10010.10.10.12 10.91.18.100
10.110.37.11
10.12.10.10010.10.10.1010.91.18.99
10.110.37.11
 
Thanks
Labels:
1061
0 Kudos
5 REPLIES 5
hbac
Staff
Staff

Created on ‎10-23-2023 09:08 AM

Hi @ck8882

 

If you are using central NAT, it should work as SNAT and DNAT are handled separately. 

 

Regards, 

1031
0 Kudos
ck8882
New Contributor II
In response to hbac

Created on ‎10-23-2023 08:55 PM

HI @hbac 

 

Thanks for your comment. So i also could conclude it FGT is not support design above as the traffic only will work either one or the other, which is not able to match the checkpoint NAT config and migrate over to FGT.

 

Thanks

1018
0 Kudos
hbac
Staff
Staff
In response to ck8882

Created on ‎10-24-2023 07:27 AM

@ck8882

 

It is supported. I tested in my lab and it worked. What I'm saying is SNAT and DNAT are configured separately unlike Checkpoint which you can configure in the same rule. NAT with different IP pool IP address from the same source and different destination should work on FortiGate. 

 

Regards, 

1004
0 Kudos
ck8882
New Contributor II
In response to hbac

Created on ‎10-24-2023 08:03 AM

HI @hbac ,

 

I was tested it with above design and condition, however, it's not work as expected. Would you mind share the configuration since your testing is working.

 

In my testing, as the 2 list Original Source and Translated Destination value is same, the traffic will be only work on top SNAT (10.91.18.100) flow after either one DNAT table process. The 2nd list of SNAT (10.91.18.99) will not been even hit.

 

Is there any configuration or comment from FGT could manual force translate source “10.91.18.99” would be apply to process if the traffic from 2nd list?

 

Thanks

1000
0 Kudos
hbac
Staff
Staff
In response to ck8882

Created on ‎10-24-2023 09:10 AM

@ck8882,

 

Below is my setup. 

Original Source Original Destination Translated Address Translated Destination
192.168.3.2 192.168.3.100 192.168.10.100
192.168.10.2
192.168.3.2 192.168.3.200 192.168.10.200
192.168.10.3

SNAT.PNG

 

DNAT1.PNG

 policyy.PNG

 

Regards, 

988
0 Kudos
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.