johnlloyd_13
Explorer III
August 11, 2025
Question

Fortigate NAT and ACL


hi,

i'm converting cisco ASA NAT and ACL config to FGT.

can someone confirm if items below are correct?

note i also used forticonverter, but it's not 100% accurate so doing this manually by hand.

1. if ACL has "ip" does it mean i allow "ALL_TCP" and "ALL_UDP" on the allowed services?

access-list acl_outside extended permit ip any host 172.16.8.4

2. for static identity NAT, do i use the vip config "arp-reply disable" and "set type load-balance"?

refer to link/recommendation.

these are used to "un-NAT" or exclude NAT for the public IP on the ASA. these are for downstream customer device/CPE configured with public IP/WAN.

https://community.fortinet.com/t5/FortiGate/Technical-Tip-VIP-creation-with-same-external-IP-and-mapped-IP/ta-p/190588

nat (inside,outside) source static 200.1.1.1 200.1.1.1

config firewall vip
    edit "nat_vip"
        set extip 200.1.1.1
        set mappedip 200.1.1.1
        set extintf "any"
        set arp-reply disable
        set type load-balance
    next
end

3. for DNAT FW policy, do i use "LAN" for source interface and "WAN" for destination interface?

this FW policy worked for me when i had moved an ASA with "twice NAT" config

nat (inside,outside) source static any any destination static obj_outside-ip obj_inside-ip net-to-net

config firewall policy
    edit 1
        set name "DNAT"
        set srcintf "port 2"   <<<< INSIDE/LAN
        set dstintf "port 1"   <<< OUTSIDE/WAN
        set srcaddr "all"
        set dstaddr "nat_vip"
        set service "ALL"
        set schedule "always"
        set action accept
        set nat disable
    next
end

2 replies

Anthony_E
Staff
August 13, 2025

Hello John,


Thank you for using the Community Forum. I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible.


Thanks,

Best Regards
sjoshi
Staff
August 13, 2025

ACL with “ip” — In ASA, permit ip means all protocols, not just TCP and UDP. On FortiGate, that’s equivalent to using the ALL service (which covers TCP, UDP, ICMP, GRE, etc.), not ALL_TCP and ALL_UDP alone. If you only choose those two, you’ll drop non-TCP/UDP traffic.

Your VIP config is correct. You can also refer to the articles below to set up a virtual IP in FortiGate:
https://community.fortinet.com/t5/FortiGate/Technical-Tip-Virtual-IP-VIP-port-forwarding-configuration/ta-p/198143
https://docs.fortinet.com/document/fortigate/6.2.0/cookbook/70978/configuring-the-vip-to-access-the-remote-servers

Thanks, Salon
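
An added example (not from this thread, FortiConverter or Fortinet) of the protocol-to-service mapping described in the answer above: a small Python converter that turns a plain ASA extended ACE into a FortiGate policy stanza, mapping "ip" to ALL rather than ALL_TCP/ALL_UDP. The interface names, policy IDs and the assumption that address objects are named after the host IP or NET/MASK are constructed; only the simple `permit|deny <proto> <src> <dst>` form is handled, object-group and port forms are rejected.

```python
import re

# ASA protocol keyword -> FortiGate predefined service covering the same traffic.
# "ip" means every IP protocol, so it must become ALL; ALL_TCP + ALL_UDP would
# silently drop ICMP, GRE, ESP and anything else that is not TCP/UDP.
PROTO_TO_SERVICE = {"ip": "ALL", "tcp": "ALL_TCP", "udp": "ALL_UDP", "icmp": "ALL_ICMP"}

ADDR = r"(?:any|host \S+|\S+ \S+)"  # any | host A.B.C.D | NET MASK
ACE_RE = re.compile(
    r"access-list\s+(?P<name>\S+)\s+extended\s+(?P<action>permit|deny)\s+"
    rf"(?P<proto>ip|tcp|udp|icmp)\s+(?P<src>{ADDR})\s+(?P<dst>{ADDR})\s*$"
)

def is_supported(line):
    # True only for the plain 'permit|deny <proto> <src> <dst>' ACE form.
    return ACE_RE.match(line.strip()) is not None

def asa_addr_to_fgt(token):
    """'any' -> 'all', 'host X' -> 'X', 'NET MASK' -> 'NET/MASK' (objects assumed to exist)."""
    if token == "any":
        return "all"
    if token.startswith("host "):
        return token.split()[1]
    net, mask = token.split()
    return f"{net}/{mask}"

def convert_ace(line, srcintf, dstintf, policy_id):
    """Return (service, cli_stanza) for one ACE; raises ValueError if unsupported."""
    m = ACE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unsupported ACE (object/port forms not handled): {line!r}")
    service = PROTO_TO_SERVICE[m["proto"]]
    action = "accept" if m["action"] == "permit" else "deny"
    stanza = "\n".join([
        f"    edit {policy_id}",
        f'        set name "{m["name"]}_{policy_id}"',
        f'        set srcintf "{srcintf}"',
        f'        set dstintf "{dstintf}"',
        f'        set srcaddr "{asa_addr_to_fgt(m["src"])}"',
        f'        set dstaddr "{asa_addr_to_fgt(m["dst"])}"',
        f'        set service "{service}"',
        '        set schedule "always"',
        f"        set action {action}",
        "    next",
    ])
    return service, stanza

def convert_acl(lines, srcintf, dstintf, first_id=1):
    # Wrap the converted ACEs in one 'config firewall policy' block, keeping ACL order.
    stanzas = [convert_ace(l, srcintf, dstintf, first_id + i)[1] for i, l in enumerate(lines)]
    return "config firewall policy\n" + "\n".join(stanzas) + "\nend"
```

Running convert_acl on the ACE from the question yields a policy with service ALL; feed it the same ACE with "tcp" instead of "ip" and the service becomes ALL_TCP, which makes the difference between the two concrete.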
johnlloyd_13
Explorer III
August 14, 2025

hi,

i'll update my config to allow SERVICE: ALL.

thanks for confirming my NAT config.

one last question, can FGT support DNAT (static NAT) and SNAT (PAT) on the same public IP address?

the ASA had a static NAT and PAT referenced to the same IP and just wondering if the same is supported in a FGT?