Hey guys!
I'm new to FortiGate with Central SNAT and I'm administering a FortiGate 500E firewall - FortiOS v6.4.13 build2092 (GA) - which today has a private network 10.xxx.0.0/22 accessing the Internet with a public IP address of 200.xxx.xxx .37 all working fine. But a new demand came up for me to create a subnet 10.xxx.3.0/24 to use as a guest network and access the internet with another public IP address like 200.xxx.xxx.38/28. I am not able to create the necessary rules in Central SNAT to allow this, at the moment all subnets are accessing the internet only with the firewall interface IP which is 200.xxx.xxx.37/28. Can anyone help me with some tips? Or would anyone know how to indicate a document that addresses a solution for this for me to study?
Thank you very much in advance.
Solved! Go to Solution.
Certainly! You're essentially looking to perform Source NAT (SNAT) based on the subnet of origin. In a FortiGate, you can achieve this with a Centralized SNAT Policy. Here's a step-by-step guide to achieving what you're aiming for:
### Step 1: Ensure the new subnet is properly routed
Before applying NAT rules, ensure that the new subnet \(10.xxx.3.0/24\) has the necessary route in place to reach the FortiGate. If the FortiGate is the default gateway for this subnet, then this is already taken care of.
### Step 2: Create Address Objects
1. Go to **Policy & Objects > Addresses**.
2. Create an address object for your main private network \(10.xxx.0.0/22\).
3. Create another address object for your guest network \(10.xxx.3.0/24\).
### Step 3: Create Central SNAT Policy
1. Navigate to **Policy & Objects > Central SNAT**.
2. Click on **Create New**.
3. For the original address, select the address object for your main private network.
4. For the translated address, use the IP address \(200.xxx.xxx.37\).
5. Make sure the **Interface** is set to your WAN/external interface.
6. Add a new policy for your guest network:
- Original address: Guest network address object.
- Translated address: \(200.xxx.xxx.38\).
- Interface: Again, your WAN/external interface.
### Step 4: Ensure that your security policies are in order
Make sure you have firewall policies that allow traffic from both the main private network and the guest network to the Internet. Remember, SNAT policies only change the source IP; the traffic still needs a matching firewall policy to be allowed.
### Step 5: Test
After the above configuration, try accessing the Internet from both networks. You can use tools like "What's my IP" to verify the public IP address each subnet is using.
This is a basic configuration. Depending on other specific requirements you might have (e.g., specific services, bandwidth limitations for the guest network, etc.), you may need to add or modify some policies. Always remember to thoroughly test any changes in a controlled manner before considering them final.
As for documentation, the Fortinet Knowledge Base and official documentation are great resources. The Fortinet Cookbook, in particular, offers various scenario-based solutions which you might find useful.
Created on 08-14-2023 01:03 PM Edited on 08-14-2023 01:04 PM
Thank you for replying, but if you are talking about Central SNAT I did not identify some informations in your text, like this:
Incoming Interface; Outgoing Interface; Source Address; Destination Address; IP Pool etc... It is not clear for me, sorry. I should fill something like this, not? In my tests it does'nt worked.
I understand the confusion. Let's clarify it step by step with the parameters you're looking for:
### Step 2: Create Address Objects
- **Name**: Main_Private_Network
- **Type**: Subnet
- **Subnet/IP Range**: 10.xxx.0.0/22
- **Interface**: (Incoming Interface of your internal/main network)
- **Name**: Guest_Network
- **Type**: Subnet
- **Subnet/IP Range**: 10.xxx.3.0/24
- **Interface**: (Incoming Interface of your guest network)
### Step 3: Create Central SNAT Policy
For the main private network:
- **Name**: SNAT_Main_Net
- **Incoming Interface**: (Interface of your internal/main network)
- **Outgoing Interface**: (Your WAN/external interface)
- **Source Address**: Main_Private_Network
- **Destination Address**: Any (or specific internet destination if needed)
- **NAT Type**: Dynamic IP Pool
- **IP Pool Configuration**:
- **Start IP/End IP**: 200.xxx.xxx.37 (If you have a range, you can specify the start and end IP)
For the guest network:
- **Name**: SNAT_Guest_Net
- **Incoming Interface**: (Interface of your guest network)
- **Outgoing Interface**: (Your WAN/external interface)
- **Source Address**: Guest_Network
- **Destination Address**: Any (or specific internet destination if needed)
- **NAT Type**: Dynamic IP Pool
- **IP Pool Configuration**:
- **Start IP/End IP**: 200.xxx.xxx.38 (Again, if you have a range, you can specify the start and end IP)
The above guidelines provide a more explicit configuration in line with the parameters you provided. The key aspects are specifying the incoming and outgoing interfaces as well as the source and destination addresses.
Also, it's crucial to have the appropriate routes in place and ensure your firewall policies allow the traffic. If you've set everything according to the guide and it's still not working, it might be a good idea to check the routing table, firewall policies, or any other conflicting SNAT/DNAT policies. If you're comfortable sharing more detailed information about your setup or the issues you're encountering, I might be able to help further.
Solved using policy routing rules to work in complement
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1737 | |
1107 | |
752 | |
447 | |
240 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.