Sunday, December 27, 2020

Fortigate - outbound SNAT IP translation?

TL;DR: is it possible to replace destination IP with another in Fortigate for a specific port range?

Sysadmin here from an MSP (i.e. AIO).

The issue: We have a local Avaya PBX and a remote Avaya PBX. The Local PBX needs to communicate with the Remote PBX. I have control over the Fortigate at the local PBX and control over the local PBX itself. The issue is that the local PBX supports an H323 line to another PBX and only has an option for one IP that includes signaling and voice. The destination PBX has the function split.

Network setup: Remote PBX has 2 IP addresses - one for voice (RTP) and one for signaling (H323). Remote PBX talks to Local PBX via DNAT address (VIP in Fortigate) and there is an SNAT address for the Local PBX to Remote PBX (single one-to-one IP pool in fortigate and NAT on policy).

My hacky solution: add another rule for SNAT, but swap the destination IP to the Remote PBX if the ports are in the RTP range. Other Signaling traffic will use the original IP address and SNAT rule.

Except that I can't seem to grasp how exactly to configure SNAT IP translation. Is there such a thing at all?

The return path can use the same DNAT as before.
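As an added example, not from the original post, this is how the described "swap the destination for the RTP range only" idea could be expressed in FortiOS CLI, assuming a VIP bound to the inside interface performs the destination rewrite and the existing one-to-one IP pool still handles SNAT; interface names, addresses and the UDP port range are placeholders, and the existing signaling policy is left untouched.

```fortios
# Assumed addresses (RFC 5737 documentation ranges, not real):
#   local PBX            192.0.2.10
#   remote signaling IP  198.51.100.10  (the single IP the local PBX is configured with)
#   remote RTP/voice IP  198.51.100.20
#   public SNAT IP       203.0.113.5
config firewall vip
    edit "pbx-rtp-rewrite"
        # VIP on the inside interface: traffic from the local PBX to the
        # signaling IP on the RTP port range is re-addressed to the voice IP.
        set extintf "internal"
        set extip 198.51.100.10
        set mappedip "198.51.100.20"
        set portforward enable
        set protocol udp
        set extport 2048-3329
        set mappedport 2048-3329
        # 2048-3329 is an assumed RTP range; use the PBX's actual one.
    next
end
config firewall ippool
    edit "pbx-snat"
        set type one-to-one
        set startip 203.0.113.5
        set endip 203.0.113.5
    next
end
config firewall address
    edit "local-pbx"
        set subnet 192.0.2.10 255.255.255.255
    next
end
config firewall policy
    edit 0
        set name "pbx-rtp-out"
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "local-pbx"
        set dstaddr "pbx-rtp-rewrite"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
        set ippool enable
        set poolname "pbx-snat"
    next
end
```

Signaling traffic to 198.51.100.10 on other ports does not match the port-forwarded VIP and keeps using the original policy and SNAT rule; after applying, confirm with a session lookup (`diagnose sys session list` filtered on the PBX address) that RTP sessions show the rewritten destination.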
