IP Pools and Zones

Author
ShawnZA
2020/03/23 21:31:29 (permalink)


Can one use IP Pools for SNAT with the source interface as a Zone and the destination as a physical interface? I did read that you can't use zones and IP Pools together and was wondering if that is still the case. Or is it only the destination that can't be a zone? That I would understand.
"Internal Trusted" is a Zone containing two interfaces, destination is a vlan interface:

 
The vlan interface has an ip of 196.33.152.186/30 and next hop is 196.33.152.185.
 
dst-osfw-pri-mi-2543
IP Prefix: 196.33.152.184/30
  • FW IP: 196.33.152.186
  • PE IP: 196.33.152.185

So if I need to SNAT the traffic destined to 196.23.189.171 so that it looks like it's coming from 196.34.224.128/32, they would also need to have that (196.34.224.128/32) in their routing table pointing towards the FortiGate, right?
     

    Toshi Esumi
    Re: IP Pools and Zones 2020/03/23 21:58:29 (permalink)
    First, FGT's zone is just an "alias" to represent multiple interfaces with one name in policies. Nothing more than that, which is different from Palo Alto's zone, or Juniper SRX's zone, or some other server based FWs as far as I know.
    Then SNAT with ippool shouldn't be affected whether you use interfaces or zones for src/dst interfaces in policies. As a matter of fact, we use a zone for an outgoing interface on one of our FGTs while SNAT/ippool is applied to the policies.
    Is it not working?
    Of course if there is returning traffic toward the SNAT IP from the destination side, there needs to be a route on the other end to point the traffic destined to the SNAT IP to the real interface.
    ShawnZA
    Re: IP Pools and Zones 2020/03/23 22:11:17 (permalink)
    Thanks for the info. It's not working at the moment but suspect the other company hasn't added the route back to me yet. If I remove the SNAT and just NAT it on the interface IP it works fine, so suspect it's the route that's missing on the other side.
    Toshi Esumi
    Re: IP Pools and Zones 2020/03/23 22:26:04 (permalink)
    If you run "flow debug" against the destination IP, you would see the SNAT is swapping the source IP before forwarding to the interface.
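As an added illustration (not configuration posted by either participant), this is how the setup from the question, a zone as the source interface and an IP pool for SNAT toward the VLAN interface, is expressed in FortiOS CLI, followed by the flow trace Toshi refers to and the return route the peer needs. The interface name "vlan-to-PE", the policy and object names, the debug output line and the peer router syntax are assumptions; the addresses are the ones from the thread.

```text
# --- FortiGate side (FortiOS CLI; object and interface names are assumed) ---
config firewall ippool
    edit "snat-196.34.224.128"
        set type overload
        set startip 196.34.224.128
        set endip 196.34.224.128
    next
end
config firewall address
    edit "host-196.23.189.171"
        set subnet 196.23.189.171 255.255.255.255
    next
end
config firewall policy
    edit 0
        set name "trusted-to-pe-snat"
        # the zone is referenced exactly like an interface
        set srcintf "Internal Trusted"
        # assumed name of the VLAN interface holding 196.33.152.186/30
        set dstintf "vlan-to-PE"
        set srcaddr "all"
        set dstaddr "host-196.23.189.171"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
        set ippool enable
        set poolname "snat-196.34.224.128"
    next
end

# --- Verify the translation with a flow trace filtered on the destination ---
diagnose debug flow filter addr 196.23.189.171
diagnose debug flow trace start 10
diagnose debug enable
# send the test traffic (e.g. the telnet to port 7805); expect a line such as
#   msg="SNAT 10.0.0.5->196.34.224.128:40000"   (constructed illustration)
# the trace names the real VLAN interface, never the zone
diagnose debug disable
diagnose debug reset

# --- Peer side (PE 196.33.152.185): return route for the pool address ---
# vendor-specific; Cisco-style syntax shown as an assumption
ip route 196.34.224.128 255.255.255.255 196.33.152.186
```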
    ShawnZA
    Re: IP Pools and Zones 2020/03/24 00:04:19 (permalink)
    Thanks, the flow does show it's changing the source NAT to the correct IP. I did this test over another source interface; I can only do the test over the zone later today, but I suspect the issue is on the other side.
     
    Telnet test to 196.23.189.171 on port 7805, so my side looks fine at least.
     

    Toshi Esumi
    Re: IP Pools and Zones 2020/03/24 09:00:48 (permalink)
    No, as I said before, a zone is just an alias and you can't use it for debugging, or it doesn't show. A FGT looks at/shows flow on interfaces. That's the difference between a zone here and other vendors' devices like Palo Alto, etc.