- Forums
- Knowledge Base
- Customer Service
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- Re: NAT using IP Pool
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
NAT using IP Pool
Hi guys,
is that possible to have a configuration on fortigate that will nat-ed a traffic that coming from 192.168.1.0/24 (interface LAN) dest to any (interface Outside), to ip address of 202.33.146.x, but on outside interface i assign an ip address of 202.33.146.z ?
because i rad from http://docs-legacy.fortinet.com/fos50hlp/50/index.html#page/FortiOS%205.0%20Help/objects.067.10.html
it said
When using IP pools for NATing, there is a limitation that must be taken into account when configuring the pool. If the IP address(es) within the pool are different from the IP address(es) that are assigned to the interface communications based on those IP addresses will fail. For example if the IP addresses assigned to an interface are 172.16.100.1 -172.16.100.14, you cannot choose 10.11.12.50 - 10.11.12.59 for the IP pool.
based on my understanding if the ip address on ip pool is not match with ip address that we assign on the outside interface the NAT will be fail ? is that correct ?
thanks
8 REPLIES 8
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
As long as the address you are using for your IP pool falls within the connected network of your outside interface you are fine. Your ISP can tell you what your allocated block of IPs are if you don't already know that. Keep in mind that the IP you choose must not already be in use by something else!
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
thanks for the reply,
anyway what is recommendation if i want to setting one to one NAT, virtual IP or IP pool ?
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Without knowing a whole lot about what you are trying to accomplish, I would recommend IP Pool in this instance.
Keep these points in mind when dealing with NAT on a FortiGate:
-VIPs are for Destination NAT
-Enabling NAT in your policy is for Source NAT
-Source NAT will use the outgoing interface IP by default or you can enable an IP pool if you would like to use an IP other than the interface IP.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
As long as the address you are using for your IP pool falls within the connected network of your outside interface you are fine.
I think I have to disagree with the above statement, as long as the SNAT is routed to the firewall it could be used. It doesn't matter if it's an outside address range or a /28 routed from that firewall.
PCNSE
NSE
StrongSwan
PCNSE
NSE
StrongSwan
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
emnoc wrote:
As long as the address you are using for your IP pool falls within the connected network of your outside interface you are fine.
I think I have to disagree with the above statement, as long as the SNAT is routed to the firewall it could be used. It doesn't matter if it's an outside address range or a /28 routed from that firewall.
Yep I agree; I may have tried to over-simply things with my statement. Thanks for pointing that out!
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
thanks for all replay guys,
actually what i want to accomplish is to make my internal server to have a connection to internet and also internet can connect to my internal server.
based on your explanation i conclude that if i want my internal server to connect to internet i need to setup the NAT using IP Pool and if i want to make internet to connect to my internal server i need to setup the NAT using virtual ip, is that correct (assume policy already setup correctly) ?
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
blackmail88 wrote:
actually what i want to accomplish is to make my internal server to have a connection to internet and also internet can connect to my internal server.
If you want your server to be able to access the internet you can just use an internal -> wan policy and enable NAT. That way the Fgt will nat your server ip address to the ip address of the Fgt's external interface. If you want the server to access the internet using a different ip addres (eg mailserver for SPF checks) you normally use an ip pool to NAT that specific address.
If your server needs to be reachable, you use wan -> internal policy with destination address a VIP. Selecting the NAT option in this case depends on the situation: if your accessed device doesn't accept "foreign" ip's, enable NAT. Otherwise, do not as it can create security holes because you will NAT the source ip. Eg. when enabling NAT on the inbound policy for a mailserver, you actually put the server in open relay because all mail received will have as source ip the ip of the Fgt's internal interface.
Johan Witters
Network & Security Engineer
FCNSP V4/V5
BKM NV
Johan Witters
Network & Security Engineer
FCNSP V4/V5
BKM NV
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
in the jest yes you are 100% correct in your assesment plus the fwpolicies that specify the inbound ( DNAT ) and outbound (SNAT ). The pool wil ensure your traffic uses this ip_address for a 1-to-1 SNAT.
PCNSE
NSE
StrongSwan
PCNSE
NSE
StrongSwan
Related Posts
- Ubuntu 24.04: Forticlient VPN installation w/... 176 Views
- Fortigate send UDP 8014 packets on... 194 Views
- SSLVPN Settings Address Range vs SSLVPN... 219 Views
- FortiSASE Change IP-Pool 180 Views
- How to keep the connections when... 576 Views
Labels
-
FortiGate
6,594 -
FortiClient
1,315 -
5.2
801 -
5.4
639 -
FortiManager
570 -
FortiAnalyzer
416 -
6.0
416 -
5.6
362 -
FortiSwitch
338 -
FortiAP
337 -
FortiClient EMS
268 -
6.2
251 -
FortiMail
246 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
151 -
6.4
128 -
FortiNAC
108 -
FortiGuard
102 -
FortiSIEM
89 -
FortiGateCloud
87 -
FortiCloud Products
85 -
IPsec
73 -
FortiToken
72 -
Customer Service
70 -
4.0MR3
64 -
SSL-VPN
62 -
Wireless Controller
58 -
FortiProxy
45 -
FortiADC
43 -
Fortivoice
41 -
FortiEDR
39 -
FortiGate v5.4
34 -
FortiDNS
34 -
FortiExtender
32 -
FortiSandbox
31 -
FortiSwitch v6.4
28 -
SD-WAN
26 -
Firewall policy
25 -
FortiConnect
24 -
FortiWAN
22 -
VLAN
21 -
High Availability
21 -
FortiConverter
21 -
FortiPortal
18 -
ZTNA
16 -
FortiSwitch v6.2
16 -
FortiGate v5.2
16 -
FortiAuthenticator
16 -
FortiMonitor
14 -
SAML
14 -
Certificate
14 -
DNS
13 -
Interface
13 -
FortiDDoS
13 -
BGP
12 -
FortiGate v5.0
12 -
Routing
12 -
FortiCASB
12 -
LDAP
11 -
VDOM
11 -
Logging
11 -
Virtual IP
10 -
FortiRecorder
10 -
RADIUS
9 -
FortiWeb v5.0
9 -
FortiManager v5.0
9 -
NAT
9 -
4.0MR2
9 -
fortilink
8 -
Traffic shaping
8 -
SSID
7 -
RMA Information and Announcements
7 -
FortiSOAR
7 -
SSL SSH inspection
7 -
FortiAnalyzer v5.0
7 -
FortiGate v4.0 MR3
7 -
Admin
7 -
4.0
7 -
IP address management - IPAM
7 -
Security profile
6 -
Authentication
6 -
FortiBridge
6 -
Fortigate Cloud
6 -
SNMP
6 -
SSO
6 -
Application control
6 -
Traffic shaping policy
5 -
Web application firewall profile
5 -
FortiManager v4.0
5 -
Static route
5 -
FortiDirector
4 -
Proxy policy
4 -
packet capture
4 -
WAN optimization
4 -
Automation
4 -
DNS Filter
4 -
Web profile
4 -
FortiTester
4 -
FortiCarrier
4 -
FortiCache
4 -
OSPF
4 -
3.6
4 -
Port policy
4 -
FortiScan
4 -
IPS signature
3 -
FortiToken Cloud
3 -
FortiAP profile
3 -
DoS policy
3 -
Intrusion prevention
3 -
FortiDB
3 -
FortiDeceptor
2 -
Fortinet Engage Partner Program
2 -
FortiInsight
2 -
NAC policy
2 -
Antivirus profile
2 -
Traffic shaping profile
2 -
VoIP profile
2 -
FortiPAM
2 -
FortiAI
2 -
FortiHypervisor
2 -
Email filter profile
2 -
Netflow
2 -
trunk
2 -
System settings
2 -
4.0MR1
1 -
TACACS
1 -
Users
1 -
Replacement messages
1 -
Schedule
1 -
Subscription Renewal Policy
1 -
SDN connector
1 -
FortiCWP
1 -
FortiNDR
1 -
Application signature
1 -
Authentication rule and scheme
1 -
FortiManager-VM
1 -
Web rating
1 -
Internet Service Database
1 -
Multicast routing
1 -
Zone
1 -
Explicit proxy
1 -
Protocol option
1
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.