Administration Guide

SNAT policies with virtual wire pairs

Source NAT (SNAT) can be configured in IPv4 and IPv6 policies with virtual wire pair (VWP) interfaces.

To configure a policy using SNAT and a virtual wire pair:
  1. Create the virtual wire pair interface:
    config system virtual-wire-pair
        edit "test-vw-1"
            set member "port1" "port4"
        next
    end
  2. Create the IP pool. The IP pool must be in a different subnet from the VWP peers:
    config firewall ippool
        edit "vwp-pool-1"
            set startip 172.16.222.99
            set endip 172.16.222.100
        next
    end
  3. Configure the policy:
    config firewall policy
        edit 88
            set srcintf "port4"
            set dstintf "port1"
            set srcaddr "all"
            set dstaddr "all"
            set action accept
            set schedule "always"
            set service "ALL"
            set logtraffic all
            set ippool enable
            set poolname "vwp-pool-1"
            set nat enable
        next
    end
  4. Verify the IP pool functions as expected and traffic passes through:
    # diagnose sniffer packet any icmp 4
    interfaces=[any]
    filters=[icmp]
    23.438095 port4 in 172.16.200.11 -> 172.16.200.156: icmp: echo request
    23.438126 port1 out 172.16.222.100 -> 172.16.200.156: icmp: echo request
    23.438492 port1 in 172.16.200.156 -> 172.16.222.100: icmp: echo reply
    23.438501 port4 out 172.16.200.156 -> 172.16.200.11: icmp: echo reply
    24.439305 port4 in 172.16.200.11 -> 172.16.200.156: icmp: echo request
    24.439319 port1 out 172.16.222.100 -> 172.16.200.156: icmp: echo request
    24.439684 port1 in 172.16.200.156 -> 172.16.222.100: icmp: echo reply
    24.439692 port4 out 172.16.200.156 -> 172.16.200.11: icmp: echo reply
    
    8 packets received by filter
    0 packets dropped by kernel
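The following Python script is an added example, not Fortinet's tooling or part of this guide. It parses the capture shown in step 4 and checks what a working SNAT-over-VWP policy must produce: every echo request entering on port4 leaves port1 with its source rewritten to an address in vwp-pool-1 and the destination untouched, and every reply to the pool address leaves port4 addressed to the original client. It also applies the step 2 rule that the pool must not overlap the VWP peers' subnet. The capture and pool range are taken from the page; the 172.16.200.0/24 subnet for the hosts on either side of the wire pair, and the no-NAT capture used to show a failing check, are assumptions constructed for the example.

```python
import ipaddress
import re

# Sniffer output from step 4 of the page (diagnose sniffer packet any icmp 4).
SNIFFER_OUTPUT = """\
interfaces=[any]
filters=[icmp]
23.438095 port4 in 172.16.200.11 -> 172.16.200.156: icmp: echo request
23.438126 port1 out 172.16.222.100 -> 172.16.200.156: icmp: echo request
23.438492 port1 in 172.16.200.156 -> 172.16.222.100: icmp: echo reply
23.438501 port4 out 172.16.200.156 -> 172.16.200.11: icmp: echo reply
24.439305 port4 in 172.16.200.11 -> 172.16.200.156: icmp: echo request
24.439319 port1 out 172.16.222.100 -> 172.16.200.156: icmp: echo request
24.439684 port1 in 172.16.200.156 -> 172.16.222.100: icmp: echo reply
24.439692 port4 out 172.16.200.156 -> 172.16.200.11: icmp: echo reply

8 packets received by filter
0 packets dropped by kernel
"""

# Constructed negative sample (not from the page): the same flow when the
# policy forwards without rewriting the source, so the packet leaving port1
# still carries the client's own address.
NO_NAT_SAMPLE = """\
1.000000 port4 in 172.16.200.11 -> 172.16.200.156: icmp: echo request
1.000020 port1 out 172.16.200.11 -> 172.16.200.156: icmp: echo request
1.000400 port1 in 172.16.200.156 -> 172.16.200.11: icmp: echo reply
1.000410 port4 out 172.16.200.156 -> 172.16.200.11: icmp: echo reply
"""

# Pool range and policy interfaces from the page's configuration.
POOL_START = ipaddress.ip_address("172.16.222.99")
POOL_END = ipaddress.ip_address("172.16.222.100")
SRCINTF, DSTINTF = "port4", "port1"   # set srcintf "port4" / set dstintf "port1"
# Assumption: hosts on both sides of the wire pair live in 172.16.200.0/24
# (the page only shows 172.16.200.11 and 172.16.200.156).
VWP_HOST_SUBNET = ipaddress.ip_network("172.16.200.0/24")

PACKET_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<intf>\S+)\s+(?P<dir>in|out)\s+"
    r"(?P<src>[\d.]+)\s+->\s+(?P<dst>[\d.]+):\s+(?P<proto>\w+):\s+(?P<info>.*)$"
)


def in_pool(addr):
    return POOL_START <= addr <= POOL_END


def pool_outside_vwp_subnet():
    """Step 2's rule: the IP pool must not overlap the VWP peers' subnet."""
    return POOL_START not in VWP_HOST_SUBNET and POOL_END not in VWP_HOST_SUBNET


def parse_sniffer(text):
    """Return the packet lines as dicts; header and summary lines are skipped."""
    packets = []
    for line in text.splitlines():
        m = PACKET_RE.match(line.strip())
        if not m:
            continue
        p = m.groupdict()
        p["ts"] = float(p["ts"])
        p["src"] = ipaddress.ip_address(p["src"])
        p["dst"] = ipaddress.ip_address(p["dst"])
        packets.append(p)
    return packets


def verify_snat(text):
    """Walk the capture in order. A packet seen 'in' on srcintf must leave 'out'
    on dstintf with a pool source and the same destination; a reply to a pool
    address seen 'in' on dstintf must leave 'out' on srcintf addressed to the
    client that opened the session."""
    report = {"translated": 0, "restored": 0, "problems": []}
    original_src = {}   # (pool address, server) -> client address
    pending = None      # last 'in' packet waiting for its matching 'out' packet
    for p in parse_sniffer(text):
        where = (p["intf"], p["dir"])
        if where in ((SRCINTF, "in"), (DSTINTF, "in")):
            pending = p
            continue
        if pending is None:
            report["problems"].append(f"{p['ts']:.6f}: 'out' packet with no preceding 'in' packet")
            continue
        if where == (DSTINTF, "out"):           # client -> server, after SNAT
            if p["dst"] != pending["dst"]:
                report["problems"].append(f"{p['ts']:.6f}: destination changed to {p['dst']}")
            elif not in_pool(p["src"]):
                report["problems"].append(f"{p['ts']:.6f}: source {p['src']} not rewritten to a pool address")
            else:
                original_src[(p["src"], p["dst"])] = pending["src"]
                report["translated"] += 1
        elif where == (SRCINTF, "out"):         # server -> client, after de-NAT
            client = original_src.get((pending["dst"], pending["src"]))
            if client is None:
                report["problems"].append(f"{p['ts']:.6f}: reply to {pending['dst']} matches no translated session")
            elif p["dst"] != client:
                report["problems"].append(f"{p['ts']:.6f}: reply delivered to {p['dst']} instead of {client}")
            else:
                report["restored"] += 1
        pending = None
    return report


if __name__ == "__main__":
    print("pool outside VWP subnet:", pool_outside_vwp_subnet())
    print("page capture:", verify_snat(SNIFFER_OUTPUT))
    print("no-NAT capture:", verify_snat(NO_NAT_SAMPLE))
```

Run it against a saved copy of the sniffer output; for the page's capture it reports two translated requests, two restored replies and no problems, while the constructed no-NAT capture is flagged on the first egress packet because the source stays 172.16.200.11, and its reply can then be matched to no translated session. The pairing logic relies on the sniffer printing each packet's ingress line immediately before its egress line, which is what the 4-argument verbosity level shows for a single ICMP flow; for busier captures filter on one host first.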