We use VIPs to port forward traffic to our web servers. When we enable NAT on the policy, it uses the internal network interface IP address as the source IP. Is it possible to specify a secondary IP address as the NAT source rather than the interface default?
Solved! Go to Solution.
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Hi,
source NAT is done via 'IP pools'. You can specify any IP address here which you want (of course, it will only make sense if it's routed back to you). You can define a subnet, a range or even a single address (/32).
Note that in combination with a VIP you don't need to source NAT the traffic from the VIP target. The FGT will do that automatically for you, for reply traffic (obvious) and server originated traffic as well (not obvious).
If other hosts in the VIP target subnet are to use the VIP as their source address there is an option you can set in the CLI.
HTH.
It's either - or. The IP pool will only be used if you enable NAT in the policy. If you don't then the VIP will be used to mask the true source IP of that server (the server specified in the VIP).
Again, IMO you would only use an IP pool if you either had no VIP, or if other hosts behind that interface needed source NAT.
I think I figured it out. It looks like you can use a regular dynamic IP pool for this as well.
Hi,
source NAT is done via 'IP pools'. You can specify any IP address here which you want (of course, it will only make sense if it's routed back to you). You can define a subnet, a range or even a single address (/32).
Note that in combination with a VIP you don't need to source NAT the traffic from the VIP target. The FGT will do that automatically for you, for reply traffic (obvious) and server originated traffic as well (not obvious).
If other hosts in the VIP target subnet are to use the VIP as their source address there is an option you can set in the CLI.
HTH.
I noticed that it didn't require me to enable NAT on the policy to do the NAT translation on the VIP, but that seemed to be the only way to select an IP Pool (at least through the GUI in 5.2.2). Can you enable the IP Pool on the CLI without enabling NAT?
It's either - or. The IP pool will only be used if you enable NAT in the policy. If you don't then the VIP will be used to mask the true source IP of that server (the server specified in the VIP).
Again, IMO you would only use an IP pool if you either had no VIP, or if other hosts behind that interface needed source NAT.
Thanks for your help. Just for reference, I had to use an IP Pool due to this issue > https://forum.fortinet.com/tm.aspx?m=120355. Seems to be working well as a solution.
Try the following under vip
set nat-source-vip enable
Create an outbound policy with nat enabled and check the behavior.
well, I wouldn't...this will enable using the VIP as the source address for all hosts crossing that policy. If you ran into trouble with 8 servers then this will not be for the better.
Refering to your other post, I definitely think it's a bug in FortiOS. Support should have a look into that (which would mean to open a case). Or maybe, NATting via IP pool is handled differently than NATting via interface address/VIP/promiscuous VIP.
Yep, I gave support all of the packet traces and info. Hopefully they can track it down.
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1529 | |
1027 | |
749 | |
443 | |
209 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.