IP Pools and Dynamic NAT; IP Pools for Firewall Policies That Use Fixed Ports; Source IP Address and IP Pool Address Matching - Fortinet FortiGate Series Administration Manual

IP pools


IP pools and dynamic NAT

Use IP pools for dynamic NAT. For example, an organization might have purchased a range of Internet addresses but has only one Internet connection, on the external interface of the FortiGate unit.

Assign one of the organization's Internet IP addresses to the external interface of the FortiGate unit. If the FortiGate unit is operating in NAT/Route mode, all connections from the internal network to the Internet then appear to come from this single interface address.

For connections to originate from all of the organization's Internet IP addresses instead, add the address range to an IP pool on the external interface, then select Dynamic IP Pool in every firewall policy whose destination interface is the external interface. For each connection, the firewall dynamically selects an address from the IP pool to use as the translated source address. As a result, connections to the Internet appear to originate from any of the IP addresses in the pool.
IP pools for firewall policies that use fixed ports

Some network configurations do not operate correctly if a NAT policy translates the source port of the packets used by the connection. NAT normally rewrites source ports so that it can tell apart the sessions it is tracking for a particular service. Select Fixed Port in a NAT policy to prevent source port translation. However, with Fixed Port enabled and a single translated address, the firewall can support only one connection at a time for a given source port of that service, because two sessions that keep the same source port to the same destination would be indistinguishable. To support multiple connections, add an IP pool to the destination interface and select Dynamic IP Pool in the policy. The firewall then randomly selects an IP address from the IP pool and assigns it to each connection, so sessions are distinguished by their translated source address rather than by a rewritten source port. In this case the number of concurrent connections the firewall can support is limited by the number of IP addresses in the IP pool.
Source IP address and IP pool address matching

When the source addresses are translated to the IP pool addresses, one of the following three cases may occur.

Scenario 1: The number of source addresses equals the number of IP pool addresses

In this case, the FortiGate unit always matches the IP addresses one to one.

If you use Fixed Port in such a case, the FortiGate unit preserves the original source port. However, this may cause conflicts if more than one firewall policy uses the same IP pool, or if the same IP addresses are used in more than one IP pool.

Original address    Change to
192.168.1.1         172.16.30.1
192.168.1.2         172.16.30.2
......              ......
192.168.1.254       172.16.30.254

Scenario 2: The number of source addresses is greater than the number of IP pool addresses

In this case, the FortiGate unit translates IP addresses using a wrap-around mechanism: once the last pool address has been assigned, the next source address is mapped to the first pool address again, so several source addresses share one pool address.

If you use Fixed Port in such a case, the FortiGate unit preserves the original source port. But conflicts may occur, since different users may end up with sessions that share the same TCP 5-tuple (translated source address and port, destination address and port, and protocol).

Original address    Change to
192.168.1.1         172.16.30.10
(the remaining rows of this table are not present on the page)
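The fixed-port limitation and the two matching scenarios above, worked through in a small Python model. This is an added example, not code from the FortiGate manual or from FortiOS. The pool-address selection rule it uses (the source address's offset from the first source address, modulo the pool size) is an assumption chosen to reproduce the page's one-to-one and wrap-around tables; the 10-address pool, the sessions and the simplified port allocator are constructed sample data, not configuration taken from the page.

```python
# Added example: a model of IP-pool source NAT as described in the FortiGate
# manual. Not FortiOS code. The pool-address selection rule below is an
# assumption that reproduces the one-to-one and wrap-around tables.
from collections import Counter
from ipaddress import IPv4Address

# (src_ip, src_port, dst_ip, dst_port, proto)
Session = tuple[str, int, str, int, str]


def pool_range(start: str, end: str) -> list[IPv4Address]:
    """Expand an IP pool given as start and end addresses into an ordered list."""
    first, last = IPv4Address(start), IPv4Address(end)
    if last < first:
        raise ValueError("pool end address precedes pool start address")
    return [IPv4Address(int(first) + i) for i in range(int(last) - int(first) + 1)]


def pick_pool_address(src_ip: str, first_source: str, pool: list[IPv4Address]) -> IPv4Address:
    """Assumed selection rule: offset of the source from the first source
    address, modulo the pool size. Equal counts give a one-to-one mapping
    (Scenario 1); more sources than pool addresses wrap around (Scenario 2)."""
    offset = int(IPv4Address(src_ip)) - int(IPv4Address(first_source))
    if offset < 0:
        raise ValueError(f"{src_ip} lies before the first source address {first_source}")
    return pool[offset % len(pool)]


def translate(sessions: list[Session], first_source: str, pool: list[IPv4Address],
              fixed_port: bool) -> tuple[list[Session], list[Session]]:
    """Translate the source of each session.

    Returns (translated sessions, translated 5-tuples that occur more than once).
    With fixed_port the original source port is preserved, so two sources that
    land on the same pool address and use the same source port to the same
    destination collide. Without it, a fresh source port is allocated per pool
    address (simplified allocator, an assumption) and no collision can occur.
    """
    next_port: dict[str, int] = {}
    translated: list[Session] = []
    for src_ip, src_port, dst_ip, dst_port, proto in sessions:
        nat_ip = str(pick_pool_address(src_ip, first_source, pool))
        if fixed_port:
            nat_port = src_port
        else:
            nat_port = next_port.get(nat_ip, 1024)
            next_port[nat_ip] = nat_port + 1
        translated.append((nat_ip, nat_port, dst_ip, dst_port, proto))
    conflicts = sorted(t for t, n in Counter(translated).items() if n > 1)
    return translated, conflicts


# Constructed data: sources in 192.168.1.0/24, a 254-address pool (Scenario 1)
# and a 10-address pool (Scenario 2, our own construction).
FIRST_SOURCE = "192.168.1.1"
SCENARIO1_POOL = pool_range("172.16.30.1", "172.16.30.254")
SCENARIO2_POOL = pool_range("172.16.30.1", "172.16.30.10")

# Constructed sessions: three inside hosts that all use source port 40000 to
# the same server. 192.168.1.11 is exactly one pool length past 192.168.1.1.
SAMPLE_SESSIONS: list[Session] = [
    ("192.168.1.1", 40000, "203.0.113.10", 443, "tcp"),
    ("192.168.1.11", 40000, "203.0.113.10", 443, "tcp"),
    ("192.168.1.2", 40000, "203.0.113.10", 443, "tcp"),
]


def report(label: str, pool: list[IPv4Address], fixed_port: bool) -> list[Session]:
    """Print the translation table for one scenario and return its conflicts."""
    translated, conflicts = translate(SAMPLE_SESSIONS, FIRST_SOURCE, pool, fixed_port)
    print(f"{label} (fixed port={fixed_port})")
    for original, nat in zip(SAMPLE_SESSIONS, translated):
        print(f"  {original[0]}:{original[1]} -> {nat[0]}:{nat[1]}")
    print(f"  conflicting 5-tuples: {conflicts or 'none'}")
    return conflicts


if __name__ == "__main__":
    report("Scenario 1, 254 sources / 254 pool addresses", SCENARIO1_POOL, fixed_port=True)
    report("Scenario 2, 254 sources / 10 pool addresses", SCENARIO2_POOL, fixed_port=True)
    report("Scenario 2 without fixed port", SCENARIO2_POOL, fixed_port=False)
```

Run as a script and the second report shows the failure mode the manual warns about: with Fixed Port and a pool smaller than the source range, 192.168.1.1 and 192.168.1.11 both translate to 172.16.30.1 and, because both keep source port 40000 to the same server, produce an identical 5-tuple. Dropping Fixed Port (third report) or enlarging the pool to one address per source (first report) removes the collision, which is exactly the sizing trade-off the text describes.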
FortiGate Version 4.0 MR1 Administration Guide, Firewall Virtual IP, 01-410-89802-20090903, http://docs.fortinet.com/
