Fortinet black logo

Handbook

Configure source NAT

Configure source NAT

You use source NAT (SNAT) when clients have IP addresses from private networks. This ensures you do not have multiple sessions from different clients with source IP 192.168.1.1, for example. Or, you can map all client traffic to a single source IP address because a source address from a private network is not meaningful to the FortiADC system or backend servers.

SNAT illustrates SNAT. The SNAT rule matches the source and destination IP addresses in incoming traffic to the ranges specified in the policy. If the client request matches, the system translates the source IP address to an address from the SNAT pool. In this example, a client with private address 192.168.1.1 requests a resource from the virtual server address at 192.0.2.1 (not the real server address 10.0.0.1; the real server address is not published). The two rule conditions match, so the system translates the source IP to the next address in the SNAT pool—10.1.0.1. SNAT rules do not affect destination addresses, so the destination address in the request packet is preserved.

The system maintains this NAT table and performs the inverse translation when it receives the server-to-client traffic. Be sure to configure the backend servers to use the FortiADC address as the default gateway so that server responses are also rewritten by the NAT module.

Note: This SNAT feature is not supported for traffic to virtual servers. Use the virtual server SNAT feature instead.

SNAT

Before you begin:

  • You must know the IP addresses your organization has provisioned for your NAT design.
  • You must have Read-Write permission for System settings.
To configure source NAT:
  1. Go to Networking > NAT.
  2. The configuration page displays the Source tab.

  3. Click Create New to display the configuration editor.
  4. Complete the configuration as described in Source NAT configuration.
  5. Save the configuration.
  6. Reorder rules, as necessary.

Source NAT configuration

Settings Guidelines
Name Configuration name. Valid characters are A-Z, a-z, 0-9, _, and -. No spaces. After you initially save the configuration, you cannot edit the name.
Source Address/mask notation to match the source IP address in the packet header. For example, 192.0.2.0/24.
Destination Address/mask notation to match the destination IP address in the packet header. For example, 10.0.2.0/24.
Egress Interface Interface that forwards traffic.
Translation Type
  • IP Address—Select to translate the source IP to a single specified address.
  • Pool—Select to translate the source IP to the next address in a pool.
  • No NAT—Select to avoid translating the source IP.
Translation to IP Address

Note: This option applies only when the Translation Type is set to IP address.

Specify an IPv4 address. The source IP address in the packet header will be translated to this address.

Pool Address Range

Note: This option applies only when Translation Type is set to Pool.

Specify the first IP address in the SNAT pool.

No NAT

Note: This option applies only when Translation Type is set to No-NAT

To

Specify the last IP address in the SNAT pool.

Traffic Group

Select a traffic group. Otherwise, the system will use the default traffic group.

Reordering
After you have saved a rule, reorder rules as necessary. The rules table is consulted from top to bottom. The first rule that matches is applied and subsequent rules are not evaluated.

Configure source NAT

You use source NAT (SNAT) when clients have IP addresses from private networks. This ensures you do not have multiple sessions from different clients with source IP 192.168.1.1, for example. Or, you can map all client traffic to a single source IP address because a source address from a private network is not meaningful to the FortiADC system or backend servers.

SNAT illustrates SNAT. The SNAT rule matches the source and destination IP addresses in incoming traffic to the ranges specified in the policy. If the client request matches, the system translates the source IP address to an address from the SNAT pool. In this example, a client with private address 192.168.1.1 requests a resource from the virtual server address at 192.0.2.1 (not the real server address 10.0.0.1; the real server address is not published). The two rule conditions match, so the system translates the source IP to the next address in the SNAT pool—10.1.0.1. SNAT rules do not affect destination addresses, so the destination address in the request packet is preserved.

The system maintains this NAT table and performs the inverse translation when it receives the server-to-client traffic. Be sure to configure the backend servers to use the FortiADC address as the default gateway so that server responses are also rewritten by the NAT module.

Note: This SNAT feature is not supported for traffic to virtual servers. Use the virtual server SNAT feature instead.

SNAT

Before you begin:

  • You must know the IP addresses your organization has provisioned for your NAT design.
  • You must have Read-Write permission for System settings.
To configure source NAT:
  1. Go to Networking > NAT.
  2. The configuration page displays the Source tab.

  3. Click Create New to display the configuration editor.
  4. Complete the configuration as described in Source NAT configuration.
  5. Save the configuration.
  6. Reorder rules, as necessary.

Source NAT configuration

Settings Guidelines
Name Configuration name. Valid characters are A-Z, a-z, 0-9, _, and -. No spaces. After you initially save the configuration, you cannot edit the name.
Source Address/mask notation to match the source IP address in the packet header. For example, 192.0.2.0/24.
Destination Address/mask notation to match the destination IP address in the packet header. For example, 10.0.2.0/24.
Egress Interface Interface that forwards traffic.
Translation Type
  • IP Address—Select to translate the source IP to a single specified address.
  • Pool—Select to translate the source IP to the next address in a pool.
  • No NAT—Select to avoid translating the source IP.
Translation to IP Address

Note: This option applies only when the Translation Type is set to IP address.

Specify an IPv4 address. The source IP address in the packet header will be translated to this address.

Pool Address Range

Note: This option applies only when Translation Type is set to Pool.

Specify the first IP address in the SNAT pool.

No NAT

Note: This option applies only when Translation Type is set to No-NAT

To

Specify the last IP address in the SNAT pool.

Traffic Group

Select a traffic group. Otherwise, the system will use the default traffic group.

Reordering
After you have saved a rule, reorder rules as necessary. The rules table is consulted from top to bottom. The first rule that matches is applied and subsequent rules are not evaluated.