Hi guys,
Is it possible to have a configuration on a FortiGate that will NAT traffic coming from 192.168.1.0/24 (interface LAN), destined to any (interface Outside), to an IP address of 202.33.146.x, while on the outside interface I assign an IP address of 202.33.146.z?
Because I read from http://docs-legacy.fortinet.com/fos50hlp/50/index.html#page/FortiOS%205.0%20Help/objects.067.10.html
it said:
When using IP pools for NATing, there is a limitation that must be taken into account when configuring the pool. If the IP address(es) within the pool are different from the IP address(es) that are assigned to the interface, communications based on those IP addresses will fail. For example, if the IP addresses assigned to an interface are 172.16.100.1 - 172.16.100.14, you cannot choose 10.11.12.50 - 10.11.12.59 for the IP pool.
Based on my understanding, if the IP address in the IP pool does not match the IP address that we assign on the outside interface, the NAT will fail? Is that correct?
thanks
As long as the address you are using for your IP pool falls within the connected network of your outside interface you are fine. Your ISP can tell you what your allocated block of IPs are if you don't already know that. Keep in mind that the IP you choose must not already be in use by something else!
thanks for the reply,
anyway, what is the recommendation if I want to set up one-to-one NAT: virtual IP or IP pool?
Without knowing a whole lot about what you are trying to accomplish, I would recommend IP Pool in this instance.
Keep these points in mind when dealing with NAT on a FortiGate:
- VIPs are for Destination NAT
- Enabling NAT in your policy is for Source NAT
- Source NAT will use the outgoing interface IP by default, or you can enable an IP pool if you would like to use an IP other than the interface IP.
As long as the address you are using for your IP pool falls within the connected network of your outside interface you are fine.
I think I have to disagree with the above statement, as long as the SNAT is routed to the firewall it could be used. It doesn't matter if it's an outside address range or a /28 routed from that firewall.
PCNSE
NSE
StrongSwan
emnoc wrote:
As long as the address you are using for your IP pool falls within the connected network of your outside interface you are fine.
I think I have to disagree with the above statement, as long as the SNAT is routed to the firewall it could be used. It doesn't matter if it's an outside address range or a /28 routed from that firewall.
Yep, I agree; I may have tried to over-simplify things with my statement. Thanks for pointing that out!
thanks for all the replies guys,
Actually, what I want to accomplish is to make my internal server have a connection to the internet and also let the internet connect to my internal server.
Based on your explanation, I conclude that if I want my internal server to connect to the internet I need to set up the NAT using an IP Pool, and if I want to let the internet connect to my internal server I need to set up the NAT using a virtual IP. Is that correct (assuming the policies are already set up correctly)?
blackmail88 wrote:
actually what i want to accomplish is to make my internal server to have a connection to internet and also internet can connect to my internal server.
If you want your server to be able to access the internet you can just use an internal -> wan policy and enable NAT. That way the Fgt will NAT your server IP address to the IP address of the Fgt's external interface. If you want the server to access the internet using a different IP address (e.g. a mail server for SPF checks) you normally use an IP pool to NAT that specific address.
If your server needs to be reachable, you use a wan -> internal policy with a VIP as the destination address. Selecting the NAT option in this case depends on the situation: if your accessed device doesn't accept "foreign" IPs, enable NAT. Otherwise, do not, as it can create security holes because you will NAT the source IP. E.g. when enabling NAT on the inbound policy for a mail server, you actually put the server in open relay because all mail received will have the IP of the Fgt's internal interface as its source IP.
Johan Witters
Network & Security Engineer
FCNSP V4/V5
BKM NV
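To tie together emnoc's three points (VIP = DNAT, policy NAT = SNAT, IP pool = SNAT with a non-interface IP) and Johan's inbound/outbound policy layout, here is an added FortiOS CLI example that is not from the original thread or from Fortinet's documentation. It assumes interfaces named "LAN" and "Outside", a constructed server at 192.168.1.10, 202.33.146.10 standing in for the "202.33.146.x" pool address and 202.33.146.20 for the "202.33.146.z" interface address, FortiOS 5.x-style syntax (field quoting varies slightly between releases), and `#` lines are annotations, not CLI input.

```text
# Outside interface carries 202.33.146.z (here .20); the pool address .10
# is a different IP in the same connected /24. If the pool address were
# instead a separately routed block, the ISP must route it to this firewall.
config system interface
    edit "Outside"
        set ip 202.33.146.20 255.255.255.0
    next
end
config firewall address
    edit "srv-host"
        set subnet 192.168.1.10 255.255.255.255
    next
end
# One-to-one IP pool: SNAT the server to 202.33.146.x (here .10) on egress.
config firewall ippool
    edit "srv-snat-pool"
        set type one-to-one
        set startip 202.33.146.10
        set endip 202.33.146.10
    next
end
# VIP: DNAT inbound 202.33.146.10 to the internal server (same public IP
# both ways gives the 1-to-1 mapping the thread asks about).
config firewall vip
    edit "srv-dnat-vip"
        set extintf "Outside"
        set extip 202.33.146.10
        set mappedip 192.168.1.10
    next
end
config firewall policy
    # Outbound: NAT enabled and pool selected, so SNAT uses .10, not .20.
    edit 10
        set srcintf "LAN"
        set dstintf "Outside"
        set srcaddr "srv-host"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
        set ippool enable
        set poolname "srv-snat-pool"
    next
    # Inbound: destination is the VIP; NAT stays disabled so the server
    # sees the real client source IP (Johan's open-relay caveat).
    edit 11
        set srcintf "Outside"
        set dstintf "LAN"
        set srcaddr "all"
        set dstaddr "srv-dnat-vip"
        set action accept
        set schedule "always"
        set service "HTTPS"
        set nat disable
    next
end
```

Verify the mapping with `diagnose sniffer packet Outside 'host 202.33.146.10'` while the server initiates a connection: egress packets should carry .10 as source, and inbound sessions should keep the external client address in `get system session list`.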
In the gist, yes, you are 100% correct in your assessment, plus the fw policies that specify the inbound (DNAT) and outbound (SNAT). The pool will ensure your traffic uses this ip_address for a 1-to-1 SNAT.
PCNSE
NSE
StrongSwan