see attachment for an overview of my scenario. Using Fortigate 92D on 5.4.1. Configuration was done via GUI.
I have one WAN interface with multiple public IP addresses available and a DMZ with a few servers that all listen on 443, plus SSLVPN listen on the primary address (10.10.10.116). I configured 4 additional secondary IP addresses on the WAN interface (10.10.10.117 - 10.10.10.120). I created VIPs to map those addresses to the internal addresses of my servers, and inbound IPv4 policies to allow traffic on those VIPs. Everything is working so far as intended.
Now I'm trying configure outbound NAT for those servers, and this is where I'm not sure which configuration would be considered best practice. I would like that all outbound traffic of each server is NATed to the same IP address that is used for the inbound VIPs (10.10.10.117 - 10.10.10.120).
[ul]I created 4 overload IP Pools (one for each external address)I created 4 IPv4 Policies DMZ -> WAN, from the internal IP addresses to any, NAT enabled using the corresponding IP PoolI placed those policies above less specific policies outbound NAT enabled policies[/ul]
Is this considered best practice? It seems to accomplish what I want, one dedicated external IP address for all inbound / outbound traffic per server on the same WAN interface.
I'm asking because I'm not sure if it's okay to configure an IP pool for the same IP address that is configured as a secondary IP address on an interface.
If I do not configure any secondary IP addresses on the interface and configure an overload IP pool e.g. for 10.10.10.126/32, I can't use this IP address as secondary IP address anymore, because I get the following error message (via GUI):
If I set the secondary IP first and create the IP pool later, I don't get an error message. So it seems that I have "tricked" the GUI by accident.
Any advice would be greatly appreciated!