Handbook

Configuring SNAT

6.0.0

Configuring SNAT

Source Network Address Translation (SNAT) is an option available in transparent mode. It can be configured in the CLI only, using the following commands:

    config firewall ippool
        edit "nat-out"
            set endip 192.168.183.48
            set startip 192.168.183.48
            set interface vlan18_p3
        next
    end
    config firewall policy
        edit 3
            set srcintf "vlan160_p2"
            set dstintf "vlan18_p3"
            set srcaddr "all"
            set dstaddr "all"
            set action accept
            set ippool enable
            set poolname "nat-out"
            set schedule "always"
            set service "ALL"
            set nat enable
        next
    end

The sniffer trace below shows the source IP 192.168.182.93 being source translated to 192.168.183.48:

    fgt300 (TP) # diagnose sniffer packet any "host 10.2.2.1" 4
    interfaces=[any]
    filters=[host 10.2.2.1]
    4.891970 vlan160_p2 in 192.168.182.93 -> 10.2.2.1: icmp: echo request
    4.892003 vlan18_p3 out 192.168.183.48 -> 10.2.2.1: icmp: echo request
    4.892007 port3 out 192.168.183.48 -> 10.2.2.1: icmp: echo request
    4.933216 vlan18_p3 in 10.2.2.1 -> 192.168.183.48: icmp: echo reply
    4.933249 vlan160_p2 out 10.2.2.1 -> 192.168.182.93: icmp: echo reply
    4.933253 port2 out 10.2.2.1 -> 192.168.182.93: icmp: echo reply
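
The same verification can be scripted. The following Python is an added example, not part of the Fortinet documentation: it parses verbosity-4 sniffer output and reports any packet that leaves the policy's dstintf with a source address outside the IP pool. The function names are hypothetical, and it assumes every packet in the capture that exits dstintf is expected to match the SNAT policy.

```python
import ipaddress
import re

# Packet lines copied from the sniffer trace on this page (verbosity 4).
PAGE_TRACE = """\
4.891970 vlan160_p2 in 192.168.182.93 -> 10.2.2.1: icmp: echo request
4.892003 vlan18_p3 out 192.168.183.48 -> 10.2.2.1: icmp: echo request
4.892007 port3 out 192.168.183.48 -> 10.2.2.1: icmp: echo request
4.933216 vlan18_p3 in 10.2.2.1 -> 192.168.183.48: icmp: echo reply
4.933249 vlan160_p2 out 10.2.2.1 -> 192.168.182.93: icmp: echo reply
4.933253 port2 out 10.2.2.1 -> 192.168.182.93: icmp: echo reply
"""

LINE = re.compile(
    r"^(?P<ts>\d+\.\d+) (?P<intf>\S+) (?P<dir>in|out) "
    r"(?P<src>\d+(?:\.\d+){3})(?:\.\d+)? -> "   # optional .port for TCP/UDP
    r"(?P<dst>\d+(?:\.\d+){3})(?:\.\d+)?: (?P<info>.*)$"
)

def parse_trace(text):
    """Return one dict per packet line; prompt and banner lines are skipped."""
    return [m.groupdict() for m in map(LINE.match, text.splitlines()) if m]

def check_snat(packets, srcintf, dstintf, startip, endip):
    """Pair ingress packets with their egress copies and classify the egress source."""
    lo, hi = ipaddress.ip_address(startip), ipaddress.ip_address(endip)
    pending = {}                    # (dst, info) -> original source seen on srcintf
    translations, leaks = set(), []
    for p in packets:
        key = (p["dst"], p["info"])
        if p["intf"] == srcintf and p["dir"] == "in":
            pending[key] = p["src"]
        elif p["intf"] == dstintf and p["dir"] == "out":
            if lo <= ipaddress.ip_address(p["src"]) <= hi:
                if key in pending:
                    translations.add((pending[key], p["src"]))
            else:
                leaks.append(p)     # left the egress interface with a non-pool source
    return translations, leaks

if __name__ == "__main__":
    nat, leaks = check_snat(parse_trace(PAGE_TRACE), "vlan160_p2", "vlan18_p3",
                            "192.168.183.48", "192.168.183.48")
    for orig, xlat in sorted(nat):
        print(f"{orig} -> {xlat}")
    for p in leaks:
        print(f"UNTRANSLATED on {p['intf']} at {p['ts']}: {p['src']} -> {p['dst']}")
```

A non-empty leak list means the internal address is visible on the egress VLAN, which usually points to traffic matching a different policy or to `set nat enable` / `set ippool enable` missing from the matched one.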
