Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
New Contributor


hi guys,


recently i have a job to migrate from ASA firewall to Fortigate. and now im facing a problem that might be simple to be done in ASA but not in Fortigate (for my view of course) hehehe... 


so. in the existing ASA there is a NAT configuration like following :


object network IT-A


nat (inside, DMZ) static


object network IT-A-1


nat (inside,outside) static 202.134.8.x


then i tried to config my fortigate that have a same function as above command on ASA using Virtual IP, but i always got error, it said something like "duplicate entry ..."


is there any way to have a same configuration as ASA on fortigate ?



New Contributor

Couldn't you use a VIP for this?

config firewall vip
    edit "IT_A"
        set extip "202.134.8.x"
        set extintf "any"
        set mappedip "172.16.x.x"

" The Linux philosophy is ' Laugh in the face of danger' . Oops. Wrong One. ' Do it yourself' . Yes, that' s it." - Linus Torvalds

Esteemed Contributor III



sorry, missed your post.


What you are looking for is "source NAT". For example, a source address will be translated to 208.x.y.z when traversing from 'inside' to 'outside'.

This is done via "IP pools" in FortiOS. For the example, it is sufficient to tick "NAT" in the policy which allows sessions from 'inside' to 'WAN'. Then the (current) WAN interface address will be used for source NAT.

If you want to have full control over the source address then create an IP pool and specify it's name in the policy.


Please have a look at the concept in the 'FortiOS Handbook', available for download at . You'll see it's quite easy once you get the grasp of it.


"Kernel panic: Aiee, killing interrupt handler!"