Fortinet Fortigate-5000 series Administration Manual page 253

Firewall Virtual IP
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
If the NAT check box is not selected when building the firewall policy, the resulting
policy will perform destination network address translation (DNAT). DNAT accepts
packets from an external network that are intended for a specific destination IP
address, translates the destination address of the packets to a mapped IP
address on another hidden network, and then forwards the packets through the
FortiGate unit to the hidden destination network. Unlike in the previous examples,
the source address is not translated. Once on the hidden destination network, the
packets can arrive at their final destination.
Virtual IPs also translate the source IP address or addresses of return packets
from the source address on the hidden network to be the same as the destination
address of the originating packets.
Virtual IP ranges can be of almost any size and can translate addresses to
different subnets. Virtual IP ranges have the following restrictions:
• The mapped IP cannot include 0.0.0.0 or 255.255.255.255.
• The external IP cannot be 0.0.0.0 if the virtual IP type is static NAT and is
  mapped to a range of IP addresses. Only load balance virtual IPs, and
  static NAT virtual IPs mapped to a single IP address, support an external IP
  of 0.0.0.0.
• Port mapping maps a range of external port numbers to a range of internal
  port numbers. The number of ports in these two ranges must be equal.
  Therefore, the external port must not be set so that its range exceeds
  65535. For example, an internal range of 20 ports mapped from external
  port 65530 is invalid as the last port in the range would be 65550.
• When port forwarding, the external IP range cannot include any interface IP
  addresses.
• The mapped IP range must not include any interface IP addresses.
• A virtual IP name cannot be the same as any address name or address
  group name.
• No duplicate entries or overlapping ranges are permitted.
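The restrictions above can be checked mechanically before a virtual IP is committed to a unit. The validator below is an added example written for this page, not FortiOS code or its CLI; the VirtualIP model, the interface IP set and the address-name set are assumptions, and the check reports every listed restriction a proposed entry violates, applying the overlapping-range rule across the entries that already exist.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Set

@dataclass  # hypothetical model of one virtual IP, not FortiOS' own data structure
class VirtualIP:
    name: str
    vip_type: str                   # "static-nat" or "load-balance"
    extip: str                      # "a.b.c.d" or "a.b.c.d-w.x.y.z"
    mappedip: str                   # single address or range, same notation
    extport: Optional[str] = None   # port or "first-last"; set only for port forwarding
    mappedport: Optional[str] = None

def parse_range(text: str, as_ip: bool):
    """Return (first, last) of a single value or 'first-last' range as integers."""
    lo, _, hi = text.partition("-")
    conv = (lambda s: int(ipaddress.IPv4Address(s))) if as_ip else int
    return conv(lo), conv(hi or lo)

def overlaps(a, b) -> bool:  # inclusive integer ranges sharing at least one value
    return a[0] <= b[1] and b[0] <= a[1]

def validate_vip(vip: VirtualIP, interface_ips: Set[str], address_names: Set[str], existing: List[VirtualIP]) -> List[str]:
    """Apply the restrictions listed above and return every violation found."""
    errors = []
    ext, mapped = parse_range(vip.extip, True), parse_range(vip.mappedip, True)
    ifaces = [(int(ipaddress.IPv4Address(ip)),) * 2 for ip in interface_ips]
    if mapped[0] == 0 or mapped[1] == 0xFFFFFFFF:
        errors.append("mapped IP cannot include 0.0.0.0 or 255.255.255.255")
    if ext[0] == 0 and vip.vip_type == "static-nat" and mapped[0] != mapped[1]:
        errors.append("external IP 0.0.0.0 not allowed for static NAT mapped to a range")
    if any(overlaps(mapped, i) for i in ifaces):
        errors.append("mapped IP range includes an interface IP")
    ports = parse_range(vip.extport, False) if vip.extport else None
    if ports is not None:  # port forwarding in use
        if any(overlaps(ext, i) for i in ifaces):
            errors.append("port forwarding: external IP range includes an interface IP")
        mports = parse_range(vip.mappedport, False)
        if ports[1] - ports[0] != mports[1] - mports[0]:
            errors.append("external and mapped port ranges must be the same size")
        if ports[1] > 65535:
            errors.append("external port range exceeds 65535")
    if vip.name in address_names:
        errors.append("virtual IP name collides with an address or address group name")
    for other in existing:  # duplicate or overlapping entry: same external IPs and ports
        oports = parse_range(other.extport, False) if other.extport else None
        if overlaps(ext, parse_range(other.extip, True)) and (
                ports is None or oports is None or overlaps(ports, oports)):
            errors.append(f"external range overlaps existing virtual IP {other.name}")
    return errors
```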
In addition to binding the IP address or IP address range to the interface, the
virtual IP also contains all of the information required to map the IP address or IP
address range from the interface that receives the packets to the interface
connected to the same network as the actual IP address or IP address range.
You can create different kinds of virtual IPs, each of which can be used for a
different DNAT variation.
