Using virtual IPs for port forwarding and destination NAT
Virtual IP addresses (VIPs) can be used when configuring security policies to translate IP addresses and ports of packets received by a network interface. When the FortiGate unit receives inbound packets matching a security policy whose Destination Address field is a virtual IP, the FortiGate unit applies NAT, replacing packets’ IP addresses with the virtual IP’s mapped IP address. Translating IP addresses using virtual IPs is also called destination NAT, or DNAT. Translating ports is also called port forwarding.
IP pools, like virtual IPs, can be used to configure aspects of NAT; however, IP pools configure dynamic translation of packets’ IP addresses based on the Destination Interface/Zone, whereas virtual IPs configure dynamic or static translation of packets’ IP addresses based upon the Source Interface/Zone.
To implement the translation configured in the virtual IP or IP pool, you must add it to a NAT security policy.
Virtual IPs can specify translations of packets’ port numbers and/or IP addresses for both inbound and outbound connections. In Transparent mode, virtual IPs are available from the FortiGate CLI.
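The following CLI sketch is an added example, not taken from the handbook: it defines a port-forwarding virtual IP and then references it in a security policy, which is the step that makes the translation take effect. The interface names (wan1, internal), the object name web-vip, the policy ID, and all addresses and ports are assumptions chosen for illustration; the addresses come from documentation and private ranges. Lines beginning with # are annotations.

```fortios
# Virtual IP: connections arriving on wan1 for 203.0.113.10:8080/tcp
# are translated to the internal server 10.10.10.42:80.
# All names and values here are illustrative assumptions.
config firewall vip
    edit "web-vip"
        set extintf "wan1"
        set extip 203.0.113.10
        set mappedip 10.10.10.42
        set portforward enable
        set protocol tcp
        set extport 8080
        set mappedport 80
    next
end

# Security policy: the VIP is used as the destination address.
# Without a policy that references it, the VIP translates nothing.
# The service is limited to HTTP (the mapped port) rather than ANY,
# so only the forwarded service on the internal server is reachable.
config firewall policy
    edit 10
        set srcintf "wan1"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "web-vip"
        set action accept
        set schedule "always"
        set service "HTTP"
    next
end
```

Restricting srcaddr to known client ranges, where the service allows it, further narrows what the forwarded port exposes.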

FortiOS Handbook, FortiOS 4.0 MR3
01-431-99686-20110916 · 16 September 2011
© 2011 Fortinet, Inc. All rights reserved.
Latest documentation: http://docs.fortinet.com/