Using same address for IP Pool & Virtual IP
Hi,
So I have an existing flow:
SRC: 1.1.1.1, DST: 2.2.2.2, SRV: TCP/11111, SNAT: 3.3.3.3, DNAT: 4.4.4.4
(Where 3.3.3.3 is an IP pool & 2.2.2.2 is a Virtual IP mapped to 4.4.4.4)
and a new flow has been proposed (to operate a different service alongside the existing one detailed above):
SRC: 4.4.4.4, DST: 3.3.3.3, SRV: TCP/22222, SNAT: 5.5.5.5, DNAT: 6.6.6.6
(Where 5.5.5.5 is an IP pool & 3.3.3.3 is a Virtual IP mapped to 6.6.6.6)
Can anyone offer any advice on whether this is best practice?
From my own point of view I would see it as requiring additional input to differentiate the two flows if ever attempting to configure a packet trace involving 3.3.3.3 & 4.4.4.4.
Hi, I guess that this configuration is possible to create. You only need to ensure that port forwarding is enabled in the VIP (to prevent the direct association in the VIP for the inverse traffic).
-- David Olea FSE6
Agree, the differentiation comes with the port used. Even without port forwarding the FGT could keep the flows apart by using the original source port.
Ede Kernel panic: Aiee, killing interrupt handler!
Yes! You can use the same IP for Source NAT (IP Pool) and Destination NAT (Virtual IP).
Similarly you can use the Gateway(interface) IP for HideNAT and as a Virtual IP as well.
Ahead of the Threat. FCNSA v5 / FCNSP v5
Fortigate 1000C / 1000D / 1500D
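The arrangement discussed in this thread written out as FortiOS CLI objects: 3.3.3.3 kept as the existing SNAT pool and also defined as a port-forwarding VIP that only answers on TCP/22222, so the two uses of the address never overlap. This is an added example, not configuration from the thread; the object names, the interface names port2/port3 and the overload pool type are assumptions.

```fortios
# 3.3.3.3 stays the SNAT pool of the existing flow; 5.5.5.5 is the new flow's pool
config firewall ippool
    edit "pool_3.3.3.3"
        set type overload
        set startip 3.3.3.3
        set endip 3.3.3.3
    next
    edit "pool_5.5.5.5"
        set type overload
        set startip 5.5.5.5
        set endip 5.5.5.5
    next
end
# Same 3.3.3.3 as a VIP, but only TCP/22222 is translated to 6.6.6.6
config firewall vip
    edit "vip_3.3.3.3_tcp22222"
        set extip 3.3.3.3
        set mappedip "6.6.6.6"
        set portforward enable
        set protocol tcp
        set extport 22222
        set mappedport 22222
    next
end
config firewall service custom
    edit "TCP_22222"
        set tcp-portrange 22222
    next
end
config firewall address
    edit "h_4.4.4.4"
        set subnet 4.4.4.4 255.255.255.255
    next
end
# New flow: 4.4.4.4 -> 3.3.3.3:22222, DNAT to 6.6.6.6, SNAT from pool 5.5.5.5
config firewall policy
    edit 0
        set name "flow2_4.4.4.4_to_3.3.3.3"
        set srcintf "port2"
        set dstintf "port3"
        set srcaddr "h_4.4.4.4"
        set dstaddr "vip_3.3.3.3_tcp22222"
        set service "TCP_22222"
        set action accept
        set schedule "always"
        set nat enable
        set ippool enable
        set poolname "pool_5.5.5.5"
    next
end
```

Because the VIP is limited to TCP/22222, return packets of the existing flow arriving at 3.3.3.3 on other ports are matched by their session entry rather than by the VIP, and a `diagnose sniffer packet` filter on `host 3.3.3.3 and port 22222` isolates the new flow.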
