Address - Fortinet FortiGate FortiGate-1000 Administration Manual


Firewall

firewall policy command keywords and variables

Keywords and variables: natip <address_ipv4mask>
Description: Configure natip for a firewall policy with action set to encrypt and with outbound NAT enabled. Specify the IP address and subnet mask to translate the source address of outgoing packets. Set natip for peer to peer VPNs to control outbound NAT IP address translation for outgoing VPN packets. If you do not use natip to translate IP addresses, the source addresses of outbound VPN packets are translated into the IP address of the FortiGate external interface. If you use natip, the FortiGate unit uses a static mapping scheme to translate the source addresses of VPN packets into corresponding IP addresses on the subnet that you specify. For example, if the source address in the encryption policy is 192.168.1.0/24 and the natip is 172.16.2.0/24, a source address of 192.168.1.7 will be translated to 172.16.2.7.
Default: 0.0.0.0 0.0.0.0
Availability: All models. Encrypt policy, with outbound NAT enabled.

Address

You can add, edit, and delete firewall addresses as required. You can also organize related addresses into address groups to simplify policy creation.

A firewall address can be configured with a name, an IP address, and a netmask, or a name and IP address range.

You can enter an IP address and netmask using the following formats.
x.x.x.x/x.x.x.x, for example 64.198.45.0/255.255.255.0
x.x.x.x/x, for example 64.195.45.0/24

You can enter an IP address range using the following formats.
x.x.x.x-x.x.x.x, for example 192.168.110.100-192.168.110.120
x.x.x.[x-x], for example 192.168.110.[100-120]
x.x.x.*, for example 192.168.110.* to represent all addresses on the subnet

This section describes:
Address list
Address options
Configuring addresses
Address group list
Address group options
Configuring address groups

01-28006-0009-20041105
Fortinet Inc.
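The five address formats from the Address section and the natip static mapping, worked through as an added example that is not code from the Fortinet manual. It resolves each entry to the first and last address it covers, so the size of an address object can be checked before it is used in a policy. The function names, the rejection of netmask entries with host bits set, the reading of x.x.x.* as .0 through .255, and the equal-prefix requirement for natip are assumptions of this example.

```python
import ipaddress
import re

# x.x.x.[x-x]: a range written on the last octet only
_BRACKET = re.compile(r"^(\d+\.\d+\.\d+)\.\[(\d+)-(\d+)\]$")

def parse_firewall_address(text):
    """Return (first, last) IPv4Address covered by one address entry.

    Handles the five formats the manual lists; raises ValueError otherwise.
    """
    text = text.strip()
    m = _BRACKET.match(text)
    if m:                                    # x.x.x.[x-x]
        text = f"{m[1]}.{m[2]}-{m[1]}.{m[3]}"
    elif text.endswith(".*"):                # x.x.x.* (assumed to mean .0-.255)
        text = f"{text[:-2]}.0-{text[:-2]}.255"
    if "/" in text:                          # x.x.x.x/x.x.x.x or x.x.x.x/x
        # strict=True rejects entries with host bits set, e.g. 10.0.0.5/24
        net = ipaddress.IPv4Network(text, strict=True)
        return net[0], net[-1]
    first, sep, last = text.partition("-")   # x.x.x.x-x.x.x.x
    if not sep:
        raise ValueError(f"not a netmask or range entry: {text!r}")
    first, last = ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)
    if first > last:
        raise ValueError(f"range start is above range end: {text!r}")
    return first, last

def natip_translate(source, policy_src, natip):
    """Map source into the natip subnet, keeping its host bits (static mapping).

    Assumes both subnets have the same prefix length, as in the manual's example.
    """
    src_net = ipaddress.IPv4Network(policy_src)
    nat_net = ipaddress.IPv4Network(natip)
    addr = ipaddress.IPv4Address(source)
    if src_net.prefixlen != nat_net.prefixlen or addr not in src_net:
        raise ValueError("source must be inside policy_src; prefixes must match")
    host_bits = int(addr) & int(src_net.hostmask)
    return ipaddress.IPv4Address(int(nat_net.network_address) | host_bits)

if __name__ == "__main__":
    for entry in ("64.198.45.0/255.255.255.0", "64.195.45.0/24",
                  "192.168.110.100-192.168.110.120", "192.168.110.[100-120]",
                  "192.168.110.*"):
        first, last = parse_firewall_address(entry)
        print(f"{entry:34} {first} - {last} ({int(last) - int(first) + 1} addresses)")
    print(natip_translate("192.168.1.7", "192.168.1.0/24", "172.16.2.0/24"))
```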
