Fortinet Support Forum
Umesh
New Contributor III

Static SNAT with using outgoing ip pool

Hi Everyone,

I just came here to clear my doubt, as I don't have much experience with the FortiGate firewall.

Let me tell you what I have done first-

In my organization, there is one server behind the LAN that needs internet access. I created one IP pool (overload type) and a policy that uses the IP pool instead of the outgoing interface address:

Please see the screenshots below and clarify my doubt: is this method good or not?

[Screenshot: static SNAT using an overload IP pool]

[Screenshot: packet capture of the static SNAT / overload IP pool traffic]

I was able to ping from 10.1.1.3 to 8.8.8.8, so is my configuration good or not? Or is there any other method we can use?

thank you 

umesh prajapati

Toshi_Esumi
Esteemed Contributor II

It's not good or bad. It's about your strategy for routing that internet-bound traffic through the FGT and then the L3 router to the internet. Since most of your network is private subnets until it hits the internet modem/router, your NATing at the FGT and at the router is there to hide the local subnets and show only the outside/upstream interface IP, or an IP from the IP pool, to the upstream device.

I wouldn't do any NAT, though, if you have admin access to the L3 router and the internet modem/router. I would just set static routes for all downstream subnets pointing to the downstream device. NAT takes some CPU time and memory. If it is not necessary, it should be avoided.

But if you want to NAT it (twice), that would be fine too. And most importantly for you, it's working. That's all you care about, right?

Toshi
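The routed (no-NAT) design Toshi describes, written out as FortiOS CLI. This is an added example, not configuration from the thread or from Fortinet documentation; the interface names "internal" and "wan1", the policy ID 10, the LAN subnet 10.1.1.0/24 and the FortiGate wan1 address 192.168.100.2 are assumptions, and the upstream router line is shown only in generic form because the thread does not say what that router is.

```text
# --- FortiGate: allow the LAN out without translating source addresses ---
config firewall address
    edit "lan-10.1.1.0"
        set subnet 10.1.1.0 255.255.255.0
    next
end

config firewall policy
    edit 10
        set name "lan-to-internet-routed"
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "lan-10.1.1.0"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat disable
        set logtraffic all
    next
end

# --- Upstream L3 router (assumed): a return route for the LAN subnet ---
# pointing at the FortiGate's wan1 address. Vendor syntax varies; generic form:
#   ip route 10.1.1.0 255.255.255.0 192.168.100.2
# The internet modem/router then performs the single NAT to the public address.

# --- Verification on the FortiGate ---
# Packets leaving wan1 should still carry the server's real source 10.1.1.3:
diagnose sniffer packet wan1 'host 8.8.8.8' 4
# The session entry should show no NAT for this policy (no "snat" translation):
diagnose sys session filter dst 8.8.8.8
diagnose sys session list
```

Two things to check before relying on this: every hop between the FortiGate and the device that finally NATs to the public address must have a route back to 10.1.1.0/24, otherwise replies are dropped upstream even though the sniffer shows the outbound packet; and because the real LAN addresses are now visible to the upstream devices, keep the policy's srcaddr limited to the subnets you actually intend to expose rather than "all".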

nageentaj
Staff

Hi Umesh,

There would be two ways to implement this.

1) In the concerned firewall policy, you can define the "address object" in the source address and enable the NAT option, so the outgoing traffic will take any WAN interface (if you have multiple WAN interfaces configured).

Address object: define the server subnet / specific IP address.

This method will NAT the source IP to the outgoing interface IP address.

2) The second method, the way you have configured it, is also correct; here the outgoing traffic will take the "specific IP" defined in the IP pool as its outgoing address.

Your approach is good if you want to map the outgoing traffic to a single IP address.
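Both methods from this answer, side by side as FortiOS CLI. This is an added example, not configuration from the thread or from Fortinet documentation; the interface names "internal" and "wan1", the policy IDs 10 and 11, the pool name and the pool address 192.0.2.10 (a documentation address standing in for whatever public or upstream address you own) are assumptions.

```text
# Shared: an address object that matches only the server, not the whole LAN.
config firewall address
    edit "srv-10.1.1.3"
        set subnet 10.1.1.3 255.255.255.255
    next
end

# --- Method 1: source NAT to the outgoing interface's own IP ---
# "set nat enable" with no ippool translates the source to the wan1 address.
config firewall policy
    edit 10
        set name "srv-to-internet-ifnat"
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "srv-10.1.1.3"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
        set logtraffic all
    next
end

# --- Method 2: source NAT to one fixed address from an overload IP pool ---
# A one-address overload pool maps every session from the server to 192.0.2.10
# (many-to-one with port translation). Use this when upstream devices must see
# a single, predictable address for this server.
config firewall ippool
    edit "srv-snat-pool"
        set type overload
        set startip 192.0.2.10
        set endip 192.0.2.10
    next
end

config firewall policy
    edit 11
        set name "srv-to-internet-pool"
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "srv-10.1.1.3"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
        set ippool enable
        set poolname "srv-snat-pool"
        set logtraffic all
    next
end

# --- Verification ---
# Outbound packets on wan1 should show the translated source
# (wan1's IP for policy 10, 192.0.2.10 for policy 11):
diagnose sniffer packet wan1 'host 8.8.8.8' 4
# The session table shows which policy matched and the NAT mapping applied:
diagnose sys session filter dst 8.8.8.8
diagnose sys session list
```

Only one of the two policies should exist for the same source; if both are present, the lower sequence number in the policy list wins. For method 2, the pool address must be reachable from the upstream device: either it lies in wan1's subnet (the FortiGate answers ARP for pool addresses by default) or the upstream router needs a route for it back to the FortiGate; without one the ping appears to leave but replies never return. Keep srcaddr restricted to the server rather than the whole LAN so the pool address is not silently shared by other hosts.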