Using same address for IP Pool & Virtual IP

200B · ‎07-08-2014

Hi, So I have an existing flow: SRC: 1.1.1.1 DST 2.2.2.2 SRV TCP/11111 SNAT 3.3.3.3 DNAT 4.4.4.4 (Where 3.3.3.3 is an IP pool & 2.2.2.2 is a Virtual IP mapped to 4.4.4.4) and a new flow has been proposed (to operate a different service alongside the existing one detailed above): SRC 4.4.4.4 DST 3.3.3.3 SRV TCP/22222 SNAT 5.5.5.5 DNAT 6.6.6.6 (Where 5.5.5.5 is an IP pool & 3.3.3.3 is a Virtual IP mapped to 6.6.6.6) Can anyone offer any advice on whether this is best practice? From my own point of view I would see it as requiring additional input to differentiate the two flows if ever attempting to configure a packet trace involving 3.3.3.3 & 4.4.4.4.

davidolea · ‎08-12-2014

Hi, I guess that this configuration is possible to create. You only ensure that in the VIP the port forwarding will be enable (to prevent the direct association in the VIP, for the inverse traffic).

-- David Olea FSE6

ede_pfau · ‎08-13-2014

Agree, the differtiation comes with the port used. Even without port forwarding the FGT could keep the flows apart by using the original source port.

Ede Kernel panic: Aiee, killing interrupt handler!

Dipen · ‎08-13-2014

Yes ! You can use the same IP for Source NAT (IP Pool) and Destination NAT (Virtual IP). Similarly you can use the Gateway(interface) IP for HideNAT and as a Virtual IP as well.

Ahead of the Threat. FCNSA v5 / FCNSP v5

Fortigate 1000C / 1000D / 1500D

Using same address for IP Pool & Virtual IP

Nominate a Forum Post for Knowledge Article Creation

You are leaving our website