Providing Internet access for a private network with multiple Internet addresses (dynamic source NAT)

Problem
How to configure dynamic source address translation (NAT) so that users on a private internal network can connect to the Internet when you have more than one external IP address and you want outgoing packets to use some or all of these addresses.
Solution
Use dynamic source address translation when you have more than one external IP address and you want outgoing packets to use some or all of these addresses. To get the FortiGate unit to use more than one IP address for source NAT, you add the addresses to an IP pool. This example uses an IP pool containing only 3 IP addresses: 172.20.120.[13-15]. Then you add a security policy and select Use Dynamic IP Pool.
1. Go to Firewall Objects > Virtual IP > IP Pool and select Create New to add the following IP pool.
   Name: Dynamic-Source
   IP Range/Subnet: 172.20.120.13-172.20.120.15
2. Go to Policy > Policy > Policy and select Create New to add the following security policy that allows users on the private network to access the Internet.
   Source Interface/Zone: internal
   Source Address: all
   Destination Interface/Zone: wan1
   Destination Address: all
   Schedule: always
   Service: ANY
   Action: ACCEPT
3. Select Enable NAT and Use Dynamic IP Pool, and select the Dynamic-Source IP pool.
4. Select OK to save the security policy.
Results
All packets accepted by this security policy have their source IP addresses translated from a private IP address on the 192.168.1.0 network to one of the IP addresses in the IP pool (172.20.120.[13-15]). The source port is also translated to a random source port. The destination IP address and destination port are not changed.
Test dynamic source NAT by browsing a website on the Internet from multiple IP addresses on the internal network. Use the following packet sniffer command to see the results.
diagnose sniffer packet any 'port 80' 4 8
interfaces=[any]
filters=[port 80]
4.893372 internal in 192.168.1.120.4806 -> 172.20.120.101.80: syn 1222685135
4.893644 wan1 out 172.20.120.14.45642 -> 172.20.120.101.80: syn 1222685135
4.893855 wan1 in 172.20.120.101.80 -> 172.20.120.14.45642: syn 3955257209 ack 1222685136
4.894016 internal out 172.20.120.101.80 -> 192.168.1.120.4806: syn 3955257209 ack 1222685136
4.559945 internal in 192.168.1.110.4834 -> 172.20.120.101.80: syn 2817814036
4.560189 wan1 out 172.20.120.13.49774 -> 172.20.120.101.80: syn 2817814036
4.562207 wan1 in 172.20.120.101.80 -> 172.20.120.13.49774: syn 1591702338 ack 2817814037
4.562383 internal out 172.20.120.101.80 -> 192.168.1.110.4834: syn 1591702338 ack 2817814037
The first four output lines show a session from IP address 192.168.1.120 where the source IP address has been translated to 172.20.120.14.
The next four output lines show a session from IP address 192.168.1.110 where the source IP address has been translated to 172.20.120.13.
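To turn that manual reading of the sniffer output into a repeatable check, here is an added Python script (not part of the original post and not a FortiOS tool) that pairs the LAN and WAN copies of each SYN by TCP sequence number and reports, per session, whether the source was translated into the pool, whether the port changed, and whether the destination was left alone. The capture it reads is constructed in the same format as the output above, with a third session added that deliberately shows a packet leaving wan1 with its private source untranslated.

```python
import ipaddress
import re

# Constructed sample in the format of "diagnose sniffer packet any 'port 80' 4".
# The 192.168.1.130 session is made up to show what a NAT failure looks like.
SNIFFER_OUTPUT = """\
4.893372 internal in 192.168.1.120.4806 -> 172.20.120.101.80: syn 1222685135
4.893644 wan1 out 172.20.120.14.45642 -> 172.20.120.101.80: syn 1222685135
4.559945 internal in 192.168.1.110.4834 -> 172.20.120.101.80: syn 2817814036
4.560189 wan1 out 172.20.120.13.49774 -> 172.20.120.101.80: syn 2817814036
5.100000 internal in 192.168.1.130.5000 -> 172.20.120.101.80: syn 777000
5.100200 wan1 out 192.168.1.130.5000 -> 172.20.120.101.80: syn 777000
"""

# Matches only the initial SYN lines (no "ack"); their sequence number is what
# ties the LAN copy of a packet to its translated WAN copy.
LINE_RE = re.compile(
    r"^(?P<ts>[\d.]+) (?P<iface>\S+) (?P<dir>in|out) "
    r"(?P<sip>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) -> "
    r"(?P<dip>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): syn (?P<seq>\d+)$"
)

# The Dynamic-Source pool from the configuration above: 172.20.120.13-15.
POOL = {ipaddress.ip_address(f"172.20.120.{n}") for n in range(13, 16)}

def parse_syns(text):
    """Return the bare SYN packets as dicts; all other sniffer lines are ignored."""
    pkts = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            pkts.append({k: (int(v) if k in ("sport", "dport", "seq") else v)
                         for k, v in m.groupdict().items()})
    return pkts

def audit_snat(text, pool=POOL, inside="internal", outside="wan1"):
    """Pair each SYN entering on the LAN with its copy leaving on the WAN and
    report how the FortiGate translated it."""
    pkts = parse_syns(text)
    lan = {p["seq"]: p for p in pkts if (p["iface"], p["dir"]) == (inside, "in")}
    report = []
    for p in pkts:
        if (p["iface"], p["dir"]) != (outside, "out") or p["seq"] not in lan:
            continue
        orig = lan[p["seq"]]
        report.append({
            "client": orig["sip"],
            "nat_src": p["sip"],
            "in_pool": ipaddress.ip_address(p["sip"]) in pool,
            "untranslated": p["sip"] == orig["sip"],  # private address leaked to the WAN
            "port_changed": p["sport"] != orig["sport"],
            "dst_unchanged": (p["dip"], p["dport"]) == (orig["dip"], orig["dport"]),
        })
    return report

if __name__ == "__main__":
    for row in audit_snat(SNIFFER_OUTPUT):
        print(row)
```

Any row with untranslated set or in_pool cleared means the policy did not apply the pool to that session, which is the first thing to check before blaming the upstream router.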
Go to Policy > Policy > Policy and check the Count column for the security policy you added to verify that it is processing traffic.
Go to Policy > Monitor > Session Monitor to view the sessions being processed by the FortiGate unit. You can also see results by going to Policy > Monitor > Policy Monitor to view a graph of active sessions for each policy. Since there is only one policy, that graph contains only one entry. You can select the bar graph for the policy to view the top sessions by source address, destination address, or destination port/service.
The Top Sessions dashboard widget presents another view of sessions that you can also drill down into to get more info about current sessions. Other dashboard widgets display session history, traffic history, and per-IP bandwidth usage.