Support Forum
Nat Table

Is there any command with which I would be able to see the NAT table? I mean I want to see which IP is using one internal IP to go out through the NAT if I have a NAT pool configured, I mean like a range. I would like to know if there is some command with which I would be able to see, in a table, something like this:

192.168.1.1 --> 172.16.20.1
192.168.1.2 --> 172.16.20.5

For example, 192.168.1.1 is using 172.16.20.1 to go out.

Okay, here is the scenario. I have a routed VPN through firewalls:

Internal Network 1 = 192.168.1.0/24, FortiGate A
Internal Network 2 = 192.168.2.0/24, FortiGate B
WAN between them = 172.16.20.0/24

Okay, I would like to do this: the people from 192.168.2.0/24 can actually see 192.168.1.0/24 as it is. Now I would like the people from 192.168.2.0/24 to see the 192.168.1.0/24 network as 172.16.20.0/24.

I have already done this by creating a VIP for the whole 192.168.1.0/24 network and ticking the NAT checkbox in the rule from internal to the FortiGate routed interface on FortiGate A. On FortiGate B I removed the route that finds 192.168.1.0/24 and added the route for the whole 172.16.20.0/24 network. It works fine... but what I'm not sure about is whether, when a packet from for example 192.168.1.4 goes out from FortiGate A to FortiGate B, it is translated to 172.16.20.4 instead of using, I don't know, the FortiGate IP (the one on the FortiGate's virtual interface). What I'm not sure about is where I should put the IP pool to force 192.168.1.1/24 to go out through 172.16.20.1; I'm putting a whole range in the IP pool and I'm assuming it goes in order, but I'm not sure if I'm doing this right... I don't know if you get what I'm trying to do?

The issue here is this one: we have 3 sites. 2 sites have this internal IP address, 192.168.1.0/24 (FortiGate A and FortiGate B), and one has 192.168.2.0/24 (FortiGate C). We want to totally hide one of the 192.168.1.0/24 networks so we would be able to route traffic through all sites without changing the internal network address of any of the sites, by doing NAT.

At the end we want FortiGate C to be able to see just one 192.168.1.0/24; the other site that has 192.168.1.0/24 will be 172.16.20.0/24, but this will be hidden by the NAT. I don't know if this is the best way to achieve this, but it's the only way I could think of doing it; if you have any other way you can let me know. Otherwise I would like help to finish the idea I have, and how to test it.
laf
New Contributor II

If you configured it using an IP Pool, it should maintain a 1:1 association most of the time. About seeing the NAT translation table, I needed that once myself, but had no luck finding any clue.

The most expensive and scarce resource for man is time; paradoxically, it's infinite.

ede_pfau
SuperUser

From the FortiOS Handbook 4.00MR2, p. 204:

Source IP address and IP pool address matching
When the source addresses are translated to the IP pool addresses, one of the following three cases may occur:
Scenario 1: The number of source addresses equals that of IP pool addresses
In this case, the FortiGate unit always matches the IP addresses one to one. (...)

So if you define the original subnet and the mapped-to subnet to be equally sized, then 1:1 matching ALWAYS occurs. Your setup of "overlapping VPN subnets" is not uncommon. There is a chapter on this as well: "Ch. 7" > "Gateway-to-gateway configurations" > "How to work with overlapping subnets" (p. 802 ff.). Just one hint: you do not only need source NAT (via ippool) but destination NAT as well (via VIP).
Ede
Kernel panic: Aiee, killing interrupt handler!
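As an added example (not from this thread or from Fortinet), a small Python model of the handbook's Scenario 1 quoted above: it builds the expected 1:1 source-to-pool map for equal-sized ranges, refuses unequal ones, and checks constructed session lines against that map. It assumes position-based pairing (Nth source gets Nth pool address) and a constructed session-line format modelled on `diagnose sys session list` NAT entries; both are assumptions, not facts from the page.

```python
import ipaddress
import re

# Constructed example values taken from the thread: the hidden network and the pool it maps to.
ORIGINAL_SUBNET = "192.168.1.0/24"
POOL_START, POOL_END = "172.16.20.0", "172.16.20.255"

def _pool_addresses(pool_start, pool_end):
    first, last = int(ipaddress.ip_address(pool_start)), int(ipaddress.ip_address(pool_end))
    return [ipaddress.ip_address(i) for i in range(first, last + 1)]

def one_to_one_possible(original_subnet, pool_start, pool_end):
    """Handbook Scenario 1: 1:1 matching is only guaranteed when both ranges are the same size."""
    return ipaddress.ip_network(original_subnet).num_addresses == len(_pool_addresses(pool_start, pool_end))

def build_one_to_one_map(original_subnet, pool_start, pool_end):
    """Expected source -> translated map. Assumption (not stated on the page): the
    FortiGate pairs addresses by position, so the Nth source gets the Nth pool address."""
    if not one_to_one_possible(original_subnet, pool_start, pool_end):
        raise ValueError("source range and IP pool differ in size; 1:1 matching is not guaranteed")
    sources = list(ipaddress.ip_network(original_subnet))
    return {str(s): str(p) for s, p in zip(sources, _pool_addresses(pool_start, pool_end))}

# Constructed session lines in the style of FortiOS 'diagnose sys session list' NAT entries:
# original src:port -> dst:port, translated src:port in parentheses. The format is an assumption.
SAMPLE_SESSIONS = [
    "hook=post dir=org act=snat 192.168.1.4:40000->192.168.2.10:445(172.16.20.4:40000)",
    "hook=post dir=org act=snat 192.168.1.20:51000->192.168.2.10:80(172.16.20.20:51000)",
    "hook=post dir=org act=snat 192.168.1.7:53000->192.168.2.10:22(172.16.20.254:53000)",
]
SNAT_RE = re.compile(r"act=snat\s+(\d+\.\d+\.\d+\.\d+):\d+->\S+?\((\d+\.\d+\.\d+\.\d+):\d+\)")

def check_sessions(lines, expected_map):
    """Compare each SNAT session with the expected 1:1 map.
    Returns (matches, mismatches); a mismatch means the firewall picked a different
    address than the 1:1 pairing predicts, e.g. the pool is the wrong size or the
    policy is not using the pool at all."""
    matches, mismatches = [], []
    for line in lines:
        m = SNAT_RE.search(line)
        if not m:
            continue  # not a source-NAT entry
        src, translated = m.group(1), m.group(2)
        expected = expected_map.get(src)
        if translated == expected:
            matches.append((src, translated))
        else:
            mismatches.append((src, translated, expected))
    return matches, mismatches
```

Feed it the real session output once you have confirmed the line format on your firmware; the regex only needs the original and translated source addresses to be on the same line.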
laf
New Contributor II

Found the command for seeing NAT: get system session-table list

The most expensive and scarce resource for man is time; paradoxically, it's infinite.
