Configuring SNAT
You use source NAT (SNAT) when clients have IP addresses from private networks. This ensures you do not have multiple sessions from different clients with source IP, for example. Or, you can map all client traffic to a single source IP address because a source address from a private network is not meaningful to the FortiADC system or backend servers.
Figure 87 illustrates SNAT. The SNAT rule matches the source and destination IP addresses in incoming traffic to the ranges specified in the policy. If the client request matches, the system translates the source IP address to an address from the SNAT pool. In this example, a client with private address requests a resource from the virtual server address at (not the real server address; the real server address is not published). The two rule conditions match, so the system translates the source IP to the next address in the SNAT pool— SNAT rules do not affect destination addresses, so the destination address in the request packet is preserved.
The system maintains this NAT table and performs the inverse translation when it receives the server-to-client traffic. Be sure to configure the backend servers to use the FortiADC address as the default gateway so that server responses are also rewritten by the NAT module.
Note: This SNAT feature is not supported for traffic to virtual servers. Use the virtual server SNAT feature instead.
Figure 87:  SNAT
Before you begin:
You must know the IP addresses your organization has provisioned for your NAT design.
You must have Read-Write permission for System settings.
To configure source NAT:
1. Go to Networking > NAT.
The configuration page displays the Source tab.
2. Click Add to display the configuration editor.
3. Complete the configuration as described in Table 119.
4. Save the configuration.
5. Reorder rules, as necessary.
Table 119: Source NAT configuration
Name
Configuration name. Valid characters are A-Z, a-z, 0-9, _, and -. No spaces.
After you initially save the configuration, you cannot edit the name.
Source
Address/mask notation to match the source IP address in the packet header. For example,
Destination
Address/mask notation to match the destination IP address in the packet header. For example,
Egress Interface
Interface that forwards traffic.
Translation Type
IP Address—Select to translate the source IP to a single specified address.
Pool—Select to translate the source IP to the next address in a pool.
Translation to IP Address
Specify an IPv4 address. The source IP address in the packet header will be translated to this address.
Pool Address Range
First IP address in the SNAT pool.
Last IP address in the SNAT pool.
After you have saved a rule, reorder rules as necessary. The rules table is consulted from top to bottom. The first rule that matches is applied and subsequent rules are not evaluated.
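Because the first matching rule wins, a broad rule placed above a narrower one silently keeps the narrower rule from ever being applied. The following Python model is an added example, not FortiADC code: it evaluates rules top to bottom, reports shadowed rules, and translates the source address from a pool. The field names, the round-robin reading of "next address in a pool", and the sample addresses are assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass

net = ipaddress.ip_network

@dataclass
class SnatRule:                  # field names are this example's own
    name: str
    source: str                  # address/mask matched against the source IP
    destination: str             # address/mask matched against the destination IP
    pool_first: str              # equal to pool_last for a single translation IP
    pool_last: str

def first_match(rules, src, dst):
    """Consult the table top to bottom; the first matching rule is applied."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if s in net(r.source) and d in net(r.destination):
            return r
    return None

def shadowed_rules(rules):
    """(rule, covering_rule) pairs where an earlier rule matches everything the
    later rule matches, so the later rule is never evaluated."""
    found = []
    for i, low in enumerate(rules):
        for high in rules[:i]:
            if (net(low.source).subnet_of(net(high.source))
                    and net(low.destination).subnet_of(net(high.destination))):
                found.append((low.name, high.name))
                break
    return found

def translate(rules, counters, src, dst):
    """Rewrite only the source (assumed round-robin over the pool); keep dst."""
    rule = first_match(rules, src, dst)
    if rule is None:
        return src, dst
    first = int(ipaddress.ip_address(rule.pool_first))
    size = int(ipaddress.ip_address(rule.pool_last)) - first + 1
    n = counters.get(rule.name, 0)
    counters[rule.name] = n + 1
    return str(ipaddress.ip_address(first + n % size)), dst

# Constructed sample rules using documentation address ranges (not from the page).
RULES = [
    SnatRule("all-clients", "10.0.0.0/8", "192.0.2.0/24", "198.51.100.10", "198.51.100.12"),
    SnatRule("finance", "10.1.2.0/24", "192.0.2.0/24", "198.51.100.50", "198.51.100.50"),
]
```

With the sample order, `shadowed_rules(RULES)` reports that `finance` is covered by `all-clients`; moving `finance` above it clears the finding, which is the reordering step the procedure calls for.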