Fortinet Document Library

Version:

Version:

Version:

Version:

Version:

Version:

Version:


Table of Contents

CLI Reference

config firewall nat-snat

Use this command to configure source NAT (SNAT) rules.

You use SNAT when clients have IP addresses from private networks. This ensures you do not have multiple sessions from different clients with source IP 192.168.1.1, for example. Or, you can map all client traffic to a single source IP address because a source address from a private network is not meaningful to the FortiADC system or backend servers.

The system maintains this NAT table and performs the inverse translation when it receives the server-to-client traffic. Be sure to configure the backend servers to use the FortiADC address as the default gateway so that server responses are also rewritten by the NAT module.

Note: This SNAT feature is not supported for traffic to virtual servers. Use the virtual server SNAT feature instead.

Before you begin:

  • You must have read-write permission for firewall settings.

Syntax

config firewall nat-snat

edit <name>

set from <ip&netmask>

set out-interface <datasource>

set status {enable | disable}

set to <ip&netmask>

set traffic-group <datasource>

set trans-to-type {ip | pool | no-nat}

set trans-to-ip <class_ip>

set trans-to-ip-start <class_ip>

set trans-to-ip-end <class_ip>

next

end

from

Address/mask notation to match the source IP address in the packet header. 0.0.0.0/0 matches all IP addresses.

out-interface

Interface that forwards traffic.

status

Enable or disable SNAT status.

to

Address/mask notation to match the destination IP address in the packet header. For example, 192.0.2.0/24.

traffic-group

Specify a traffic group configuration object.

trans-to-type

  • ip—Specify to translate the source IP to a single specified address.
  • pool—Specify to translate the source IP to the next address in a pool.
  • no-nat—Specify for no translation.

trans-to-ip

Specify an IPv4 address. The source IP address in the packet header will be translated to this address.

trans-to-ip-start

First IP address in the SNAT pool.

trans-to-ip-end

Last IP address in the SNAT pool.

Example

FortiADC-VM # config firewall nat-snat

FortiADC-VM (nat-snat) # edit fw-snat-example

Add new entry 'fw-snat-example' for node 1941

 

FortiADC-VM (fw-snat-example) # get

from : 0.0.0.0/0

to : 0.0.0.0/0

out-interface :

trans-to-type : ip

trans-to-ip : 0.0.0.0

traffic-group :

status : enable

 

 

FortiADC-VM (fw-snat-example) # set to 192.0.2.0/24

FortiADC-VM (fw-snat-example) # set out-interface port5

FortiADC-VM (fw-snat-example) # set trans-to-ip 192.0.2.10

 

FortiADC-VM (fw-snat-example) # get

from : 0.0.0.0/0

to : 192.0.2.0/24

out-interface : port5

trans-to-type : ip

trans-to-ip : 192.0.2.10

traffic-group :

status : enable

 

FortiADC-VM (fw-snat-example) # end

 

config firewall nat-snat

Use this command to configure source NAT (SNAT) rules.

You use SNAT when clients have IP addresses from private networks. This ensures you do not have multiple sessions from different clients with source IP 192.168.1.1, for example. Or, you can map all client traffic to a single source IP address because a source address from a private network is not meaningful to the FortiADC system or backend servers.

The system maintains this NAT table and performs the inverse translation when it receives the server-to-client traffic. Be sure to configure the backend servers to use the FortiADC address as the default gateway so that server responses are also rewritten by the NAT module.

Note: This SNAT feature is not supported for traffic to virtual servers. Use the virtual server SNAT feature instead.

Before you begin:

  • You must have read-write permission for firewall settings.

Syntax

config firewall nat-snat

edit <name>

set from <ip&netmask>

set out-interface <datasource>

set status {enable | disable}

set to <ip&netmask>

set traffic-group <datasource>

set trans-to-type {ip | pool | no-nat}

set trans-to-ip <class_ip>

set trans-to-ip-start <class_ip>

set trans-to-ip-end <class_ip>

next

end

from

Address/mask notation to match the source IP address in the packet header. 0.0.0.0/0 matches all IP addresses.

out-interface

Interface that forwards traffic.

status

Enable or disable SNAT status.

to

Address/mask notation to match the destination IP address in the packet header. For example, 192.0.2.0/24.

traffic-group

Specify a traffic group configuration object.

trans-to-type

  • ip—Specify to translate the source IP to a single specified address.
  • pool—Specify to translate the source IP to the next address in a pool.
  • no-nat—Specify for no translation.

trans-to-ip

Specify an IPv4 address. The source IP address in the packet header will be translated to this address.

trans-to-ip-start

First IP address in the SNAT pool.

trans-to-ip-end

Last IP address in the SNAT pool.

Example

FortiADC-VM # config firewall nat-snat

FortiADC-VM (nat-snat) # edit fw-snat-example

Add new entry 'fw-snat-example' for node 1941

 

FortiADC-VM (fw-snat-example) # get

from : 0.0.0.0/0

to : 0.0.0.0/0

out-interface :

trans-to-type : ip

trans-to-ip : 0.0.0.0

traffic-group :

status : enable

 

 

FortiADC-VM (fw-snat-example) # set to 192.0.2.0/24

FortiADC-VM (fw-snat-example) # set out-interface port5

FortiADC-VM (fw-snat-example) # set trans-to-ip 192.0.2.10

 

FortiADC-VM (fw-snat-example) # get

from : 0.0.0.0/0

to : 192.0.2.0/24

out-interface : port5

trans-to-type : ip

trans-to-ip : 192.0.2.10

traffic-group :

status : enable

 

FortiADC-VM (fw-snat-example) # end