SNAT policies with virtual wire pairs
Source NAT (SNAT) can be configured in IPv4 and IPv6 policies with virtual wire pair (VWP) interfaces, and between VWP interfaces when central NAT is enabled.
To configure a policy using SNAT and a VWP interface when central NAT is disabled:
- Create the VWP interface:
```
config system virtual-wire-pair
    edit "test-vw-1"
        set member "port1" "port4"
    next
end
```
- Create the IP pool. The IP pool must have a different subnet than the VWP peers.
```
config firewall ippool
    edit "vwp-pool-1"
        set startip 172.16.222.99
        set endip 172.16.222.100
    next
end
```
- Configure the firewall policy:
```
config firewall policy
    edit 88
        set srcintf "port4"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set nat enable
        set ippool enable
        set poolname "vwp-pool-1"
    next
end
```
- Verify that the IP pool functions as expected and that traffic passes through. In the capture below, echo requests enter port4 from 172.16.200.11 and leave port1 with the pool address 172.16.222.100 as source; replies come back to the pool address and are translated back to the original host:
```
# diagnose sniffer packet any icmp 4
interfaces=[any]
filters=[icmp]
23.438095 port4 in 172.16.200.11 -> 172.16.200.156: icmp: echo request
23.438126 port1 out 172.16.222.100 -> 172.16.200.156: icmp: echo request
23.438492 port1 in 172.16.200.156 -> 172.16.222.100: icmp: echo reply
23.438501 port4 out 172.16.200.156 -> 172.16.200.11: icmp: echo reply
24.439305 port4 in 172.16.200.11 -> 172.16.200.156: icmp: echo request
24.439319 port1 out 172.16.222.100 -> 172.16.200.156: icmp: echo request
24.439684 port1 in 172.16.200.156 -> 172.16.222.100: icmp: echo reply
24.439692 port4 out 172.16.200.156 -> 172.16.200.11: icmp: echo reply

8 packets received by filter
0 packets dropped by kernel
```
To configure SNAT between VWP interfaces when central NAT is enabled:
- Enable central NAT:
```
config system settings
    set central-nat enable
end
```
- Create the VWP interface:
```
config system virtual-wire-pair
    edit "test-vw-1"
        set member "port1" "port4"
    next
end
```
- Create the IP pool. The IP pool must have a different subnet than the VWP peers.
```
config firewall ippool
    edit "vwp-pool-1"
        set startip 172.16.222.99
        set endip 172.16.222.100
    next
end
```
- Configure the SNAT policy:
```
config firewall central-snat-map
    edit 2
        set srcintf "port4"
        set dstintf "port1"
        set orig-addr "all"
        set dst-addr "all"
        set nat-ippool "vwp-pool-1"
    next
end
```
- Configure the firewall policy:
```
config firewall policy
    edit 90
        set srcintf "port4"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
end
```
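Both procedures above end with the same verification step: the IP pool must not overlap the VWP peers' subnet, and a sniffer capture should show inside-to-outside packets leaving the outside member with a pool address as source, and replies translated back to the original host. The following script is an added example, not part of the FortiOS documentation or FortiGate itself: it checks the pool against a peer subnet and parses `diagnose sniffer packet` output (the capture shown in the first procedure is embedded as sample input) to confirm the SNAT is applied in both directions. Interface names, the pool range and the peer subnet 172.16.200.0/24 are assumptions taken from the examples on this page.

```python
import ipaddress
import re

# Sample input: the sniffer lines from the first procedure on this page.
SNIFFER_OUTPUT = """\
23.438095 port4 in 172.16.200.11 -> 172.16.200.156: icmp: echo request
23.438126 port1 out 172.16.222.100 -> 172.16.200.156: icmp: echo request
23.438492 port1 in 172.16.200.156 -> 172.16.222.100: icmp: echo reply
23.438501 port4 out 172.16.200.156 -> 172.16.200.11: icmp: echo reply
24.439305 port4 in 172.16.200.11 -> 172.16.200.156: icmp: echo request
24.439319 port1 out 172.16.222.100 -> 172.16.200.156: icmp: echo request
24.439684 port1 in 172.16.200.156 -> 172.16.222.100: icmp: echo reply
24.439692 port4 out 172.16.200.156 -> 172.16.200.11: icmp: echo reply
"""

# One ICMP line of "diagnose sniffer packet ... 4" verbosity (level 4 prints
# the interface name and direction in front of the packet summary).
LINE_RE = re.compile(
    r"^\s*(?P<ts>\d+\.\d+)\s+(?P<intf>\S+)\s+(?P<dir>in|out)\s+"
    r"(?P<src>[\d.]+)\s+->\s+(?P<dst>[\d.]+):\s+icmp:\s+"
    r"(?P<kind>echo request|echo reply)"
)


def parse_sniffer(text):
    """Return the ICMP packets in a sniffer capture as a list of dicts."""
    packets = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            packets.append(m.groupdict())
    return packets


def pool_addresses(startip, endip):
    """Expand an IP pool's startip..endip range into a set of address strings."""
    first = int(ipaddress.IPv4Address(startip))
    last = int(ipaddress.IPv4Address(endip))
    return {str(ipaddress.IPv4Address(i)) for i in range(first, last + 1)}


def pool_in_peer_subnets(startip, endip, peer_subnets):
    """Return pool addresses that fall inside any VWP peer subnet.

    An empty result means the pool satisfies the rule on this page that it
    must use a different subnet than the VWP peers.
    """
    nets = [ipaddress.IPv4Network(n) for n in peer_subnets]
    return sorted(
        a for a in pool_addresses(startip, endip)
        if any(ipaddress.IPv4Address(a) in n for n in nets)
    )


def verify_snat(packets, pool, inside_intf="port4", outside_intf="port1"):
    """Check that SNAT is applied on egress and reversed on the reply path.

    inside_intf is the VWP member facing the private hosts (srcintf in the
    policy), outside_intf the member facing the destination (dstintf).
    """
    result = {
        "translated": 0,            # requests leaving outside_intf with a pool source
        "reverse_translated": 0,    # replies leaving inside_intf to the real host
        "untranslated_egress": [],  # requests that left with the original source
        "unmapped_replies": [],     # replies not matching the pool or the real host
    }
    original_hosts = set()
    for p in packets:
        inbound_request = p["dir"] == "in" and p["kind"] == "echo request"
        outbound_request = p["dir"] == "out" and p["kind"] == "echo request"
        inbound_reply = p["dir"] == "in" and p["kind"] == "echo reply"
        outbound_reply = p["dir"] == "out" and p["kind"] == "echo reply"
        if p["intf"] == inside_intf and inbound_request:
            original_hosts.add(p["src"])
        elif p["intf"] == outside_intf and outbound_request:
            if p["src"] in pool:
                result["translated"] += 1
            else:
                result["untranslated_egress"].append(p)
        elif p["intf"] == outside_intf and inbound_reply:
            if p["dst"] not in pool:
                result["unmapped_replies"].append(p)
        elif p["intf"] == inside_intf and outbound_reply:
            if p["dst"] in original_hosts:
                result["reverse_translated"] += 1
            else:
                result["unmapped_replies"].append(p)
    return result


if __name__ == "__main__":
    pool = pool_addresses("172.16.222.99", "172.16.222.100")
    print("pool overlaps peer subnet:",
          pool_in_peer_subnets("172.16.222.99", "172.16.222.100", ["172.16.200.0/24"]))
    print(verify_snat(parse_sniffer(SNIFFER_OUTPUT), pool))
```

Run the script against the output of `diagnose sniffer packet any icmp 4` copied from the FortiGate; any entry in `untranslated_egress` means a packet left the outside VWP member with its original private source, which is the symptom to look for when the policy is missing `set nat enable` (central NAT disabled) or when no central-snat-map entry matches (central NAT enabled).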