Description
The article describes a solution for the following scenario:
FGT external IP
[ INTERNAL SERVER ]===[ FortiGate ]==={ Internet }
Other external IP
The requirement is that all traffic from the Server to the Internet uses a different source IP than the FortiGate public IP. In this case, one or more public (external) IP addresses have been provided by the ISP, and the solution is based on IP Pool.
Solution
Example.
The following addresses are used in this example:
• FortiGate WAN interface (port1) external IP : 192.168.183.110
• Another IP address (192.168.183.111) is provided by the ISP and that must be used to source NAT the traffic of the Server : 10.160.1.10
External IP 192.168.183.110
10.160.1.10 port2 port1
[ INTERNAL SERVER ]===[ FortiGate ]==={ Internet }
Source NAT
to 192.168.183.111
CLI Configuration
# config system interface
edit "port1"
set ip 192.168.183.110 255.255.254.0
end
# config firewall ippool
edit "Server_EXT_IP"
set endip 192.168.183.111
set startip 192.168.183.111
end
# config firewall policy
edit 1
set srcintf "port2"
set dstintf "port1"
set srcaddr "all"
set dstaddr "all"
set action accept
set ippool enable
set poolname "Server_EXT_IP"
set schedule "always"
set service "ANY"
set nat enable
end
|
Verification with a sniffer trace (on HTTP traffic for example).
FGT # diagnose sniffer packet any "port 80" 4
30.690038 port2 in 10.160.1.10.1310 -> 192.168.183.254.80: syn 2092282704
30.690106 port1 out 192.168.183.111.58810 -> 192.168.183.254.80: syn 2092282704
|
The output shows that the traffic egressing port1 is sourced with the IP address defined the IP Pool and Firewall Policy.
