Fortigate – Changing outbound nat IP with IP Pools
April 12, 2016
Posted by on
Sometimes it is necessary to change IP address used to talk with the internet that the internal client is using. For instance it is always important to make sure your SMTP server is using the same outbound IP used for inbound traffic. I have seen this cause a good many mail servers to be blacklisted by ISPs. In the following entry we will change the IP the client is using for outbound nat.
This technique has many awesome benefits, you can nat into this IP (IP pool) only when going to a certain destination.. etc. For example, if you had to change your source IP when accessing a destination across a VPN tunnel. That example might be very important in a medical field where I have found you almost always have to nat your private traffic to a public address when accessing the VPN hosts.
The internal client address is 10.64.16.10, external IP is 220.127.116.11. In this example I only want this one internal client to be natted out of 18.104.22.168
So we have to create a Virtual IP pool . We create the Virtual IP pool by going to Policy and objects – objects – IP Pools
We then can setup the pool. Notice the options
– Overload allows PAT, so many ip addresses, to one public.
– One-to-One allows one IP to that public IP
– We also have the option to nat into a Public Range of addresses
We also want this device to answer VIA Arp for 22.214.171.124
Now lets create our IPv4 Policy to allow our private IP address to be allowed to the internet (WAN1) and to be natted VIA this IP pool. I created the address object for my private host already.
So after creating our IPV4 policy, we have one thing left to do – make sure this is one of our first policies hit when 10.16.64.10 tries to access the internet. So lets make sure its at the top of our list, or at least above our default nat rule.
That’s it! if you now go to a site such as ipchicken.com or whatismyip.com you will see 126.96.36.199 if you are coming from 10.16.64.10.