Created on 01-17-2011 12:08 PM
NAT Table
Is there any command with which I would be able to see the NAT table?
I mean, I want to see which IP is using one internal IP to go out through the NAT if I have a NAT pool configured, I mean like a range... I would like to know if there is some command with which I would be able to see, in a table, something like this:
192.168.1.1-->172.16.20.1
192.168.1.2-->172.16.20.5
For example, 192.168.1.1 is using 172.16.20.1 to go out....
Okay, here is the scenario:
I have a routed VPN through firewalls.
Internal Network 1 = 192.168.1.0/24 Fortigate A
Internal Network 2 = 192.168.2.0/24 Fortigate B
WAN between them = 172.16.20.0/24
Okay, I would like to do this:
The people from 192.168.2.0/24 can actually see 192.168.1.0/24 as it is.
Now I would like the people from 192.168.2.0/24 to see the 192.168.1.0/24 network as 172.16.20.0/24.
I have already done this by doing a VIP of the whole 192.168.1.0/24 network
and ticking the NAT checkbox in the rule from internal to the FortiGate routed interface on FortiGate A.
And on FortiGate B I removed the route which finds 192.168.1.0/24 and added a route for the whole 172.16.20.0/24 network.
It works fine... but what I am not sure about is that when a packet from, for example,
192.168.1.4 is going out from FortiGate A to FortiGate B, it is translated to 172.16.20.4 instead of using, I don't know, the FortiGate IP (the one on the FortiGate's virtual interface).
What I am not sure about is where I should put the IP pool to force 192.168.1.1/24 to go out through 172.16.20.1.
I am putting a whole range in the IP pool and I am assuming it goes in order, but I am not sure if I am doing this right...
I don't know if you get what I am trying to do?
The issue here is this one:
We have 3 sites.
2 sites have this internal IP address range: 192.168.1.0/24 (FortiGate A and FortiGate B)
and one has 192.168.2.0/24 (FortiGate C).
We want to totally hide one of the 192.168.1.0/24 networks so we would be able to route traffic through all sites without changing the internal network address of any site, by doing NAT.
In the end we want FortiGate C to be able to see just one 192.168.1.0/24; the other site that has 192.168.1.0/24 will be 172.16.20.0/24, but this will be hidden by the NAT.
I don't know if this is the best way to achieve this, but it's the only way I could think of doing it; if you have another way, let me know. Otherwise I would like help finishing the idea I have, and how to test it.
3 Replies
If you configured it using an IP pool it should maintain a 1:1 association most of the time.
About seeing the NAT translation table, I needed it once myself, but no luck finding any clue.
The most expensive and scarce resource for man is time, paradoxically, it' s infinite.
From the FortiOS Handbook 4.00MR2, p. 204:
"Source IP address and IP pool address matching. When the source addresses are translated to the IP pool addresses, one of the following three cases may occur: Scenario 1: The number of source addresses equals that of IP pool addresses. In this case, the FortiGate unit always matches the IP addresses one to one. (...)"
So if you define the original subnet and the mapped-to subnet to be equally sized, then 1:1 matching ALWAYS occurs. Your setup of "overlapping VPN subnets" is not uncommon. There is a chapter on this as well: "Ch. 7" > "Gateway-to-gateway configurations" > "How to work with overlapping subnets" (p. 802 ff.). Just one hint: you do not only need source NAT (via IP pool) but destination NAT as well (via VIP).
Ede Kernel panic: Aiee, killing interrupt handler!
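As an added example (not from any of the posters), here is what the two halves Ede describes look like in FortiOS CLI on FortiGate A: an IP pool the same size as the internal subnet for outbound source NAT, a range VIP for inbound destination NAT, and the two policies that use them. The interface names "internal" and "to-B", the pool and VIP names and the policy IDs are assumptions; `set type one-to-one` is available on FortiOS 5.x and later and should be omitted on 4.0 MR2, where the pool has only startip/endip and relies on the equal-size rule quoted from the handbook.

```fortios
# Added example for FortiGate A: present 192.168.1.0/24 to the far side as 172.16.20.0/24.
# Interface names "internal" (LAN) and "to-B" (routed interface toward FortiGate B) are assumptions.

# 1) Source NAT: a pool with exactly as many addresses as the internal subnet,
#    so each host gets a 1:1 translation instead of sharing the interface IP.
config firewall ippool
    edit "net1-as-wan"
        set startip 172.16.20.1
        set endip 172.16.20.254
        set type one-to-one      # FortiOS 5.x and later only; omit this line on 4.0 MR2
    next
end

# 2) Destination NAT: a range VIP so that a host behind FortiGate B sending to
#    172.16.20.x is delivered to 192.168.1.x. Both ranges must be the same size.
config firewall vip
    edit "wan-to-net1"
        set extintf "to-B"
        set extip 172.16.20.1-172.16.20.254
        set mappedip 192.168.1.1-192.168.1.254
    next
end

config firewall policy
    # 3) Outbound: internal -> to-B, NAT enabled and pointed at the pool.
    #    Without "set ippool enable" the NAT checkbox alone masquerades to the egress interface IP.
    edit 10
        set srcintf "internal"
        set dstintf "to-B"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ANY"
        set nat enable
        set ippool enable
        set poolname "net1-as-wan"
    next
    # 4) Inbound: to-B -> internal, destination is the VIP object, no NAT needed here.
    edit 11
        set srcintf "to-B"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "wan-to-net1"
        set action accept
        set schedule "always"
        set service "ANY"
    next
end
```

Two things to check before using this as written. First, in the scenario 172.16.20.0/24 is also the transit network between the FortiGates, so the pool and VIP ranges must exclude the addresses the firewalls themselves hold on that subnet (or, cleaner, a separate unused /24 should be used as the translated range). Second, the VIP defines the deterministic 172.16.20.x to 192.168.1.x pairing for connections initiated from the far side; which pool address a given internal host receives on outbound connections is best confirmed from the session table rather than assumed.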
Found the command for seeing NAT: get system session-table list
The most expensive and scarce resource for man is time, paradoxically, it' s infinite.
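As an added example, not part of the reply above, here is how to narrow the session listing to a single internal host on FortiGate A and read off which pool address it was given, plus a flow trace for one new connection. The host 192.168.1.4 and the expected translation 172.16.20.4 come from the question; the output line shown in the comments describes the field layout only and is not a captured result.

```fortios
# Added example: confirm the outbound source NAT for one host on FortiGate A.
# Run while 192.168.1.4 has traffic flowing toward site B.

# Compact table of all sessions, including SOURCE-NAT and DESTINATION-NAT columns.
get system session list

# Restrict the detailed listing to sessions from one source address.
diagnose sys session filter clear
diagnose sys session filter src 192.168.1.4
diagnose sys session list
# In each session, the line beginning "hook=post dir=org act=snat" carries the
# translated source in parentheses, with the shape
#   192.168.1.4:<port>-><dst-ip>:<port>(172.16.20.4:<port>)
# If the address in parentheses is the FortiGate's own interface IP instead of a
# pool address, the policy is masquerading to the interface and lacks
# "set ippool enable" / "set poolname".

# Always clear the filter afterwards, or later listings are silently narrowed.
diagnose sys session filter clear

# Live trace of a single new connection, showing the policy match and NAT decision.
diagnose debug flow filter addr 192.168.1.4
diagnose debug flow show console enable
diagnose debug flow trace start 5
diagnose debug enable
# ... generate a new connection from 192.168.1.4, read the trace, then stop:
diagnose debug disable
diagnose debug flow trace stop
diagnose debug flow filter clear
```

The flow trace is the quicker way to see why a packet took a given path; the session filter is the one to use when you want the 192.168.1.x to 172.16.20.x pairing for many hosts at once.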