Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
200B
New Contributor

Using same address for IP Pool & Virtual IP

Hi,

So I have an existing flow:

SRC 1.1.1.1 DST 2.2.2.2 SRV TCP/11111 SNAT 3.3.3.3 DNAT 4.4.4.4
(where 3.3.3.3 is an IP pool and 2.2.2.2 is a Virtual IP mapped to 4.4.4.4)

and a new flow has been proposed (to operate a different service alongside the existing one detailed above):

SRC 4.4.4.4 DST 3.3.3.3 SRV TCP/22222 SNAT 5.5.5.5 DNAT 6.6.6.6
(where 5.5.5.5 is an IP pool and 3.3.3.3 is a Virtual IP mapped to 6.6.6.6)

Can anyone offer any advice on whether this is best practice? From my own point of view I would see it as requiring additional input to differentiate the two flows if ever attempting to configure a packet trace involving 3.3.3.3 and 4.4.4.4.
3 REPLIES
davidolea
New Contributor

Hi, I guess this configuration is possible to create. You only have to ensure that port forwarding is enabled in the VIP (to prevent the direct association in the VIP for the inverse traffic).

-- David Olea FSE6

ede_pfau
Esteemed Contributor III

Agree, the differentiation comes with the port used. Even without port forwarding the FGT could keep the flows apart by using the original source port.

Ede

"Kernel panic: Aiee, killing interrupt handler!"
Dipen
New Contributor III

Yes! You can use the same IP for Source NAT (IP Pool) and Destination NAT (Virtual IP). Similarly, you can use the gateway (interface) IP for Hide NAT and as a Virtual IP as well.

Ahead of the Threat. FCNSA v5 / FCNSP v5

Fortigate 1000C / 1000D / 1500D

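As an added worked example (not posted by anyone in this thread), the FortiOS CLI below configures both flows from the question side by side, with port forwarding enabled on the 3.3.3.3 VIP as David suggests, so that the VIP only claims TCP/22222 addressed to 3.3.3.3 while the IP pool keeps source-NATing the existing flow to the same address. Interface names (port1 on the 1.1.1.1/6.6.6.6 side, port2 on the 2.2.2.2/4.4.4.4 side), the object names, and the choice of a static (non-port-forwarded) VIP for 2.2.2.2 are assumptions; the question does not state them.

```fortios
# Assumed interfaces: port1 faces 1.1.1.1 and 6.6.6.6, port2 faces 2.2.2.2 and 4.4.4.4
config firewall address
    edit "host-1.1.1.1"
        set subnet 1.1.1.1 255.255.255.255
    next
    edit "host-4.4.4.4"
        set subnet 4.4.4.4 255.255.255.255
    next
end

config firewall service custom
    edit "TCP-11111"
        set tcp-portrange 11111
    next
    edit "TCP-22222"
        set tcp-portrange 22222
    next
end

# Both source-NAT addresses are single-address overload pools
config firewall ippool
    edit "pool-3.3.3.3"
        set type overload
        set startip 3.3.3.3
        set endip 3.3.3.3
    next
    edit "pool-5.5.5.5"
        set type overload
        set startip 5.5.5.5
        set endip 5.5.5.5
    next
end

config firewall vip
    # Existing VIP: 2.2.2.2 -> 4.4.4.4 (static, all ports; assumed)
    edit "vip-2.2.2.2"
        set extip 2.2.2.2
        set extintf "any"
        set mappedip "4.4.4.4"
    next
    # New VIP on the same address the pool above uses. Port forwarding limits
    # the DNAT to TCP/22222, so the VIP does not claim every packet sent to 3.3.3.3.
    edit "vip-3.3.3.3-tcp22222"
        set extip 3.3.3.3
        set extintf "any"
        set portforward enable
        set mappedip "6.6.6.6"
        set protocol tcp
        set extport 22222
        set mappedport 22222
    next
end

config firewall policy
    # Existing flow: 1.1.1.1 -> 2.2.2.2:11111, SNAT to 3.3.3.3, DNAT to 4.4.4.4
    edit 0
        set name "existing-tcp11111"
        set srcintf "port1"
        set dstintf "port2"
        set srcaddr "host-1.1.1.1"
        set dstaddr "vip-2.2.2.2"
        set action accept
        set schedule "always"
        set service "TCP-11111"
        set nat enable
        set ippool enable
        set poolname "pool-3.3.3.3"
    next
    # New flow: 4.4.4.4 -> 3.3.3.3:22222, SNAT to 5.5.5.5, DNAT to 6.6.6.6
    edit 0
        set name "new-tcp22222"
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "host-4.4.4.4"
        set dstaddr "vip-3.3.3.3-tcp22222"
        set action accept
        set schedule "always"
        set service "TCP-22222"
        set nat enable
        set ippool enable
        set poolname "pool-5.5.5.5"
    next
end
```

Because 3.3.3.3 and 4.4.4.4 appear in both flows, a packet trace or session lookup should carry the port as well as the addresses, e.g. `diagnose sniffer packet any 'host 3.3.3.3 and host 4.4.4.4 and tcp port 22222' 4` for the new service, or `diagnose sys session filter dport 22222` followed by `diagnose sys session list`. Return packets of the existing flow travel from 4.4.4.4 to 3.3.3.3 too, but their destination port is the translated source port of the 1.1.1.1 connection rather than 22222, so they match the existing session entry and not the port-forwarded VIP.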