it-andreagx
New Contributor II

NAT 1:1 LAN to LAN

Hello,

I need to set up a rule that does this:
I have a device with the IP 192.168.250.1 (it cannot be changed) connected to the LAN.

I need to "associate" IP 192.168.250.1 with a local IP 10.0.3.115.

So when http://10.0.3.115 is opened, the real IP 192.168.250.1 has to respond:
10.0.3.115 -> 192.168.250.1.

I guess 1:1 NAT and virtual IP is not the right way.
Any hint about this?

5 REPLIES
dbhavsar
Staff

Hello @it-andreagx,

- Create a firewall policy with your source IP, then apply 1:1 NAT to it and place that policy on top.

DNB
it-andreagx

Do you mean in this way?

[Screenshot: forti_creenshot 2024-09-18 142704.png]

dbhavsar
Staff

Hi @it-andreagx,

So basically, your 192.168.250.1 should be NATed to 10.0.3.115 when leaving the lan interface, correct? If yes, create an IP pool and apply it to the above policy; source and destination need to be swapped.

DNB
it-andreagx

No way :(
Even with this setup, if I ping the IP 10.0.3.115, the IP 192.168.250.1 does not reply.

vbandha
Staff

Hello @it-andreagx

You need to create a VIP with external IP 10.0.3.115 and internal IP 192.168.250.1:

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Virtual-IP-VIP-port-forwarding-configurati...

You then need to make a firewall policy with the incoming interface set to the interface where you are pinging from. The outgoing interface will be where 192.168.250.1 is located. In this policy, add the VIP object as the destination; in the source you can keep 'all'.

Let me know if that works for you.

Regards, 

Varun
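
The VIP and policy described in the reply above, written out as FortiOS CLI. This is an added example, not part of the original reply: the object names, the interface placeholders CLIENT_IF and DEVICE_IF, the restriction of services to HTTP and PING (the two tests mentioned in the thread) and the traffic logging are assumptions.

```fortios
# Added example. Object names and interface placeholders are assumptions.
config firewall vip
    edit "vip-10.0.3.115"
        # Static 1:1 destination NAT: 10.0.3.115 -> 192.168.250.1
        # CLIENT_IF = placeholder for the interface the clients arrive on
        set extintf "CLIENT_IF"
        set extip 10.0.3.115
        set mappedip "192.168.250.1"
    next
end

config firewall policy
    # "edit 0" lets FortiOS assign the next free policy ID
    edit 0
        set name "clients-to-device-vip"
        # Incoming interface: where the ping / HTTP request comes from
        set srcintf "CLIENT_IF"
        # Outgoing interface: placeholder for where 192.168.250.1 is located
        set dstintf "DEVICE_IF"
        # Source kept as 'all' as in the reply; a narrower address object also works
        set srcaddr "all"
        # The VIP object is the destination, not the mapped address
        set dstaddr "vip-10.0.3.115"
        set action accept
        set schedule "always"
        # Assumption: allow only what is being tested instead of ALL
        set service "HTTP" "PING"
        # Log sessions so the translation can be checked in the traffic log
        set logtraffic all
    next
end
```

If 192.168.250.1 has no route back to the client network, its replies will not return through the FortiGate; enabling `set nat enable` on this policy is one way to handle that.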
