Fortinet Fortigate-5000 series Administration Manual page 252

Virtual IPs
Firewall Virtual IP
The packets sent from the client computer have a source IP of 192.168.37.55 and
a destination IP of 192.168.37.4. The FortiGate unit receives these packets at its
external interface. The virtual IP settings indicate a mapping from 192.168.37.4 to
10.10.10.42, so the packets' addresses are changed. The source address is
changed to 10.10.10.2 and the destination is changed to 10.10.10.42. The
FortiGate unit makes a note of this translation in the firewall session table it
maintains internally. The packets are then sent on their way and arrive at the
server computer.

Figure 147: Example of packet address remapping during NAT from client to server.

Note that the client computer's address does not appear in the packets the server
receives. After the FortiGate unit translates the network addresses, there is no
reference to the client computer's network. The server has no indication another
network exists. As far as the server can tell, all the communication is coming
directly from the FortiGate unit.

When the server answers the client computer, the procedure works the same way
but in the other direction. The server sends its response packets with a source
IP address of 10.10.10.42 and a destination IP address of 10.10.10.2. The
FortiGate unit receives these packets at its internal interface. This time, however,
the firewall session table entry is used to determine what the destination address
will be translated to.

In this example, the source address is changed to 192.168.37.4 and the
destination is changed to 192.168.37.55. The packets are then sent on their way
and arrive at the client computer.

The server computer's address does not appear in the packets the client receives.
After the FortiGate unit translates the network addresses, there is no reference to
the server computer's network. The client has no indication the server's private
network exists. As far as the client is concerned, the FortiGate unit is the web
server.

Figure 148: Example of packet address remapping during NAT from server to client.
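
The translation in both directions, modelled in Python as an added example (not Fortinet code and not part of the manual). The IP addresses are the manual's; the port numbers, the port-keyed session table and the refusal to translate a reply that has no session entry are assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int

VIP_MAP = {"192.168.37.4": "10.10.10.42"}  # virtual IP -> mapped server (manual's example)
INTERNAL_IP = "10.10.10.2"                 # source address the server sees (manual's example)

class NatGateway:
    """Toy model of the virtual IP translation; not FortiOS behaviour in detail."""
    def __init__(self):
        self.sessions = {}       # server-side flow -> original client packet
        self.next_port = 40000   # assumed source-port allocation

    def client_to_server(self, pkt):
        mapped = VIP_MAP.get(pkt.dst)
        if mapped is None:
            return None          # destination is not a virtual IP
        out = Packet(INTERNAL_IP, self.next_port, mapped, pkt.dport)
        self.next_port += 1
        # Record the translation so the reply can be reversed.
        self.sessions[(out.dst, out.dport, out.src, out.sport)] = pkt
        return out

    def server_to_client(self, pkt):
        orig = self.sessions.get((pkt.src, pkt.sport, pkt.dst, pkt.dport))
        if orig is None:
            return None          # assumption: no session entry, no translation
        # Source becomes the virtual IP, destination the real client.
        return Packet(orig.dst, orig.dport, orig.src, orig.sport)

    def original_client(self, logged_src, logged_sport, server_ip, server_port):
        """Map a source seen in the server's log back to the real client."""
        orig = self.sessions.get((server_ip, server_port, logged_src, logged_sport))
        return orig.src if orig else None

def demo():
    gw = NatGateway()
    fwd = gw.client_to_server(Packet("192.168.37.55", 51515, "192.168.37.4", 80))
    back = gw.server_to_client(Packet(fwd.dst, fwd.dport, fwd.src, fwd.sport))
    who = gw.original_client(fwd.src, fwd.sport, fwd.dst, fwd.dport)
    return fwd, back, who

if __name__ == "__main__":
    print(demo())
```

Because the server only ever records 10.10.10.2 as the peer, attributing a request to the real client depends on the translation records held by the firewall, which is what `original_client` looks up.
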
Note: Virtual IPs are not available or required in transparent mode.

A Virtual IP can be a single IP address or an IP address range bound to a
FortiGate unit interface. When you bind an IP address or IP address range to a
FortiGate unit interface using a virtual IP, the interface responds to ARP requests
for the bound IP address or IP address range.

FortiGate Version 3.0 MR4 Administration Guide
252
01-30004-0203-20070102
