Support Forum
Charlie80
New Contributor

Static SrcNat problem

Hello,

I have this set of nat rules:

 

Rule1

OriginSrcIP1 to AnyDest >>>> TranslatedSrcIp1

Rule2

OriginSrcIP2 to AnyDest >>>> TranslatedSrcIp1

 

My NAT rules are not working properly. In the logs I can see some "policy violation" entries, and a few logs later the flow works.

It seems that when Rule1 works, Rule2 does not, and vice versa.

 

Can TranslatedSrcIp1 be assigned to only one static NAT rule?

vsahu
Staff

Hello Charlie80,


As per your query, it seems you've enabled one-to-one NAT rather than doing PAT. Can you let me know the configuration you've done? Sharing a snapshot would be better.

 

Regards,
Vishal
ede_pfau
SuperUser

Simple answer: if NAT to one source address from multiple real source addresses did not work, no network of more than 1 host would be able to surf the internet. Right?

 

The kind of SNAT that is needed in this case is the "overload" NAT, which is the default. NAT configured as "one-to-one" will not work, as Vishal has already mentioned.

 

How to: configure an IP pool containing just the one desired translated address (type "overload", external IP range "a.b.c.d - a.b.c.d"), enable NAT in the outbound policy but choose to specify the address to use, then select the IP pool just created.

 

Ede Kernel panic: Aiee, killing interrupt handler!
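The setup Ede describes, written out as FortiOS CLI. This is an added example, not configuration from the original post; the pool name, policy ID, interface names and the translated address 203.0.113.10 are assumptions, and the address objects OriginSrcIP1 and OriginSrcIP2 are taken from the question.

```fortios
# Added example (assumed names/IPs). A "one-to-one" pool with the range
# 203.0.113.10-203.0.113.10 can serve only one internal host at a time,
# which matches the behaviour reported above. Use "overload" instead:
config firewall ippool
    edit "snat-pool-1"
        set type overload
        set startip 203.0.113.10
        set endip 203.0.113.10
    next
end

# Outbound policy: NAT enabled, but using the pool instead of the
# outgoing interface address. Both source objects share the one pool.
config firewall policy
    edit 10
        set name "lan-to-wan-snat"
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "OriginSrcIP1" "OriginSrcIP2"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
        set ippool enable
        set poolname "snat-pool-1"
    next
end
```

After applying it, `diagnose sys session list` for traffic from either source should show the same translated address while both flows are active, with no "policy violation" log entries.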
Rajneesh
Staff

Hi @Charlie80 

The NAT which you have enabled is a one-to-one mapping.
It works like this: suppose you have configured NAT type <one-to-one> and in the range you have configured 1.1.1.1-1.1.1.1; then it works on a first come, first served basis.

 

When traffic comes from OriginSrcIP1 to AnyDest, it will be translated to the IP 1.1.1.1.

Now if at the same time other traffic comes from OriginSrcIP2 to AnyDest, the device will not be able to NAT the IP, because in the range you have given one-to-one 1.1.1.1-1.1.1.1.

It will work only when the IP in the NAT pool is free.

But only one IP at a time will be NATted.

 
