
SNAT policies with virtual wire pairs

Source NAT (SNAT) can be configured in IPv4 and IPv6 policies with virtual wire pair (VWP) interfaces, and between VWP interfaces when central NAT is enabled.

To configure a policy using SNAT and a VWP interface when central NAT is disabled:
  1. Create the VWP interface:
    config system virtual-wire-pair
        edit "test-vw-1"
            set member "port1" "port4"
        next
    end
  2. Create the IP pool. The IP pool must use a subnet different from the one shared by the VWP peers.
    config firewall ippool
        edit "vwp-pool-1"
            set startip 172.16.222.99
            set endip 172.16.222.100
        next
    end
  3. Configure the firewall policy. NAT is enabled and the IP pool selected in the policy itself because central NAT is disabled. The example matches all addresses and services for illustration; narrow srcaddr, dstaddr, and service to the traffic that actually needs translation:
    config firewall policy
        edit 88
            set srcintf "port4"
            set dstintf "port1"
            set srcaddr "all"
            set dstaddr "all"
            set action accept
            set schedule "always"
            set service "ALL"
            set logtraffic all
            set nat enable
            set ippool enable
            set poolname "vwp-pool-1"
        next
    end
  4. Verify that the IP pool functions as expected and that traffic passes through. In the sniffer output, the echo request entering port4 from 172.16.200.11 leaves port1 with its source translated to the pool address 172.16.222.100, and the reply is translated back on the return path:
    # diagnose sniffer packet any icmp 4
    interfaces=[any]
    filters=[icmp]
    23.438095 port4 in 172.16.200.11 -> 172.16.200.156: icmp: echo request
    23.438126 port1 out 172.16.222.100 -> 172.16.200.156: icmp: echo request
    23.438492 port1 in 172.16.200.156 -> 172.16.222.100: icmp: echo reply
    23.438501 port4 out 172.16.200.156 -> 172.16.200.11: icmp: echo reply
    24.439305 port4 in 172.16.200.11 -> 172.16.200.156: icmp: echo request
    24.439319 port1 out 172.16.222.100 -> 172.16.200.156: icmp: echo request
    24.439684 port1 in 172.16.200.156 -> 172.16.222.100: icmp: echo reply
    24.439692 port4 out 172.16.200.156 -> 172.16.200.11: icmp: echo reply
    
    8 packets received by filter
    0 packets dropped by kernel
To configure SNAT between VWP interfaces when central NAT is enabled:
  1. Enable central NAT:
    config system settings
        set central-nat enable
    end
  2. Create the VWP interface:
    config system virtual-wire-pair
        edit "test-vw-1"
            set member "port1" "port4"
        next
    end
  3. Create the IP pool. The IP pool must use a subnet different from the one shared by the VWP peers.
    config firewall ippool
        edit "vwp-pool-1"
            set startip 172.16.222.99
            set endip 172.16.222.100
        next
    end
  4. Configure the SNAT policy:
    config firewall central-snat-map
        edit 2
            set srcintf "port4"
            set dstintf "port1"
            set orig-addr "all"
            set dst-addr "all"
            set nat-ippool "vwp-pool-1"
        next
    end
  5. Configure the firewall policy. With central NAT enabled, the policy does not carry NAT settings; translation is applied by the central SNAT map created in the previous step, so the policy only needs to allow the traffic:
    config firewall policy
        edit 90
            set srcintf "port4"
            set dstintf "port1"
            set srcaddr "all"
            set dstaddr "all"
            set action accept
            set schedule "always"
            set service "ALL"
            set logtraffic all
        next
    end
