Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Chris_Rowan
New Contributor

Created on ‎05-19-2011 11:40 AM

Virtual IP, NAT, PAT

I had to reconfigure a FG301B in NAT mode this morning. My first. We have about 50 FGs in operation, but they' re all in transparent mode bethind Cisco Pix firewalls. Since there was no Pix at the site I visited this morning, I opted to reconfigure the FG in NAT mode. I looked for the equivalent of PAT on the IP of the outside interface, but couldn' t find it. I fiddled around with the Virtual IP component (Firewall > Virtual IP) and the Central NAT Table (Firewall > Policy > Central NAT Table) but couldn' t figure it out. I finally just configured a policy and selcted " NAT" for the outbound policy and configured everything else pertty much as I had on all the other FGs in transparent mode. Much to my surprise, it worked. I' d really like someone to explain what' s going on, though. Is the FG running PAT on the IP of the outside interface now? I didn' t define a pool of addresses to run NAT on. We always do PAT on the IP of the outside interface on the Pixes. And what' s the Virtual IP component for, exactly?
----- Chris Rowan Instructional Technology Brownsville ISD Brownsville, TX
----- Chris Rowan Instructional Technology Brownsville ISD Brownsville, TX
Preview file
11 KB
2969
0 Kudos
2 REPLIES 2
rwpatterson
Valued Contributor III

Created on ‎05-19-2011 11:45 AM

OK, the Virtual IP is a destination NAT. People on the outside point to this to get to a server on the inside. The NAT (and NAT pool) is a source NAT (if used subnet-subnet) or a PAT if one IP is used on the outside. This is what the source nodes appear to be to the outside of the box. (stapler....)

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com

Bob - self proclaimed posting junkie!See my Fortigate related scripts at: http://fortigate.camerabob.com
1846
0 Kudos
ede_pfau
SuperUser
SuperUser

Created on ‎05-20-2011 12:00 AM

Manuals are for whimps. NOT. * headdesk * You' re really daring to put a high-tech device into production without having a clue...glad it worked. If you really want to know what you' ve configured get the " FortiOS Handbook" for your version of FortiOS from http://docs.fortinet.com . There is a simple worded, clear cut paragraph on nearly every feature of FortiOS rounded up by a lot of real world examples. The most common scenarios (like yours) can be found by a glance at the table of contents. Really, really recommended. It would' ve taken you half an hour to get a secure feeling of what you were doing. After all, a FGT is a security device not a toy.
Ede Kernel panic: Aiee, killing interrupt handler!
Ede Kernel panic: Aiee, killing interrupt handler!
1846
0 Kudos
Announcements
Check out our Community Chatter Blog! Click here to get involved
Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.