Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Eric_Lackey
New Contributor III

Specify NAT source IP

We use VIPs to port forward traffic to our web servers. When we enable NAT on the policy, it uses the internal network interface IP address as the source IP. Is it possible to specify a secondary IP address as the NAT source rather than the interface default?

 

 

2 Solutions
ede_pfau
Esteemed Contributor III

Hi,

 

source NAT is done via 'IP pools'. You can specify any IP address here which you want (of course, it will only make sense if it's routed back to you). You can define a subnet, a range or even a single address (/32).

 

Note that in combination with a VIP you don't need to source NAT the traffic from the VIP target. The FGT will do that automatically for you, for reply traffic (obvious) and server originated traffic as well (not obvious).

If other hosts in the VIP target subnet are to use the VIP as their source address there is an option you can set in the CLI.

 

HTH.


Ede

"Kernel panic: Aiee, killing interrupt handler!"

View solution in original post

Ede"Kernel panic: Aiee, killing interrupt handler!"
ede_pfau
Esteemed Contributor III

It's either - or. The IP pool will only be used if you enable NAT in the policy. If you don't then the VIP will be used to mask the true source IP of that server (the server specified in the VIP).

Again, IMO you would only use an IP pool if you either had no VIP, or if other hosts behind that interface needed source NAT.


Ede

"Kernel panic: Aiee, killing interrupt handler!"

View solution in original post

Ede"Kernel panic: Aiee, killing interrupt handler!"
8 REPLIES 8
Eric_Lackey
New Contributor III

I think I figured it out. It looks like you can use a regular dynamic IP pool for this as well.

ede_pfau
Esteemed Contributor III

Hi,

 

source NAT is done via 'IP pools'. You can specify any IP address here which you want (of course, it will only make sense if it's routed back to you). You can define a subnet, a range or even a single address (/32).

 

Note that in combination with a VIP you don't need to source NAT the traffic from the VIP target. The FGT will do that automatically for you, for reply traffic (obvious) and server originated traffic as well (not obvious).

If other hosts in the VIP target subnet are to use the VIP as their source address there is an option you can set in the CLI.

 

HTH.


Ede

"Kernel panic: Aiee, killing interrupt handler!"
Ede"Kernel panic: Aiee, killing interrupt handler!"
Eric_Lackey
New Contributor III

I noticed that it didn't require me to enable NAT on the policy to do the NAT translation on the VIP, but that seemed to be the only way to select an IP Pool (at least through the GUI in 5.2.2). Can you enable the IP Pool on the CLI without enabling NAT?

 

 

ede_pfau
Esteemed Contributor III

It's either - or. The IP pool will only be used if you enable NAT in the policy. If you don't then the VIP will be used to mask the true source IP of that server (the server specified in the VIP).

Again, IMO you would only use an IP pool if you either had no VIP, or if other hosts behind that interface needed source NAT.


Ede

"Kernel panic: Aiee, killing interrupt handler!"
Ede"Kernel panic: Aiee, killing interrupt handler!"
Eric_Lackey
New Contributor III

Thanks for your help. Just for reference, I had to use an IP Pool due to this issue > https://forum.fortinet.com/tm.aspx?m=120355. Seems to be working well as a solution.

 

 

ashukla_FTNT
Staff
Staff

Try the following under vip

set nat-source-vip enable

 

Create an outbound policy with nat enabled and check the behavior.

 

 

ede_pfau
Esteemed Contributor III

well, I wouldn't...this will enable using the VIP as the source address for all hosts crossing that policy. If you ran into trouble with 8 servers then this will not be for the better.

 

Refering to your other post, I definitely think it's a bug in FortiOS. Support should have a look into that (which would mean to open a case). Or maybe, NATting via IP pool is handled differently than NATting via interface address/VIP/promiscuous VIP.


Ede

"Kernel panic: Aiee, killing interrupt handler!"
Ede"Kernel panic: Aiee, killing interrupt handler!"
Eric_Lackey
New Contributor III

Yep, I gave support all of the packet traces and info. Hopefully they can track it down.

Labels
Top Kudoed Authors