Georges_Orwell
New Member
September 12, 2014
Question

How to create Static Nat Rule

  • September 12, 2014
  • 5 replies
  • 15813 views
Hello all,
I need to create a static NAT rule with port forwarding as follows:
    source interface - IP - port number: LAN - 192.168.0.15/32 - TCP 6588
    to target interface - IP - port number: WAN - 44.212.128.47/32 - TCP 6969
Can you guide me to do it?
My config: FortiGate 200D, FortiOS 5.2
Thank you
Georges


    Jason_Loera
    New Member
    September 12, 2014
    Hi Georges. Are you doing this through the GUI or CLI?
    Christopher_McMullan
    Staff
    September 12, 2014
    Do you want the target interface TCP 6969 as the destination port or the source port as it arrives at 44.212.128.47? If that is the source port, you can use a Central NAT table in a policy to define different behavior for 192.168.0.15 than for the rest of the subnet. If you want 6588 as the incoming destination port, and to have that translated to destination port 6969, then I think you'll have to use a VIP. Bind the VIP to LAN as the external interface, with the mapped IP and port being 44.212.128.47:6969, external port being 6588, and create a firewall policy. The CLI would roughly be:

        config firewall vip
            edit "44-212-VIP"
                set extintf LAN
                set portforward enable
                set extport 6588
                set mappedip 44.212.128.47
                set mappedport 6969
        end
        config firewall policy
            edit 0
                set srcintf LAN
                set dstintf WAN
                set srcaddr all
                set dstaddr "44-212-VIP"
                set schedule always
                set service ALL
                set action accept
                set nat enable
        end

    You'd need to target the FortiGate's LAN IP as the destination instead of the public address, but this would translate the destination ports, if that is your goal.
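    Added here as a verification aid, not code from the thread or from Fortinet: a small Python script that parses FortiOS-style `config firewall vip` / `config firewall policy` blocks and checks that the VIP carries the intended port forward (6588 to 44.212.128.47:6969) and is actually referenced by a policy. The sample configuration is constructed from the reply above; the interface names "LAN"/"WAN" and the VIP name are assumptions.

```python
# Constructed sample in FortiOS CLI syntax, mirroring the VIP + policy from the reply above.
# The interface names "LAN"/"WAN" and the VIP name are assumptions, not a real configuration.
SAMPLE_CONFIG = """
config firewall vip
    edit "44-212-VIP"
        set extintf "LAN"
        set portforward enable
        set extport 6588
        set mappedip 44.212.128.47
        set mappedport 6969
    next
end
config firewall policy
    edit 0
        set srcintf "LAN"
        set dstintf "WAN"
        set dstaddr "44-212-VIP"
        set action accept
        set nat enable
    next
end
"""
def parse_fortios(text):
    # Walk the config/edit/set/next/end nesting into {table: {entry: {key: value}}}.
    tables, table, entry = {}, None, None
    for line in text.splitlines():
        tok = line.split()
        if not tok:
            continue
        if tok[0] == "config":
            tables.setdefault(table := " ".join(tok[1:]), {})
        elif tok[0] == "edit":
            tables[table].setdefault(entry := tok[1].strip('"'), {})
        elif tok[0] == "set":
            tables[table][entry][tok[1]] = " ".join(t.strip('"') for t in tok[2:])
        elif tok[0] == "next":
            entry = None
        elif tok[0] == "end":
            table = None
    return tables
def check_port_forward(text, vip_name, expected):
    # Compare one VIP entry with the intended translation; returns problems (empty list = OK).
    cfg = parse_fortios(text)
    vip = cfg.get("firewall vip", {}).get(vip_name, {})
    problems = [f"{k} is {vip.get(k)!r}, expected {v!r}" for k, v in expected.items() if vip.get(k) != v]
    # A VIP does nothing until a firewall policy names it as the destination address.
    if not any(p.get("dstaddr") == vip_name for p in cfg.get("firewall policy", {}).values()):
        problems.append("no firewall policy uses the VIP as dstaddr")
    return problems
```

    Run `check_port_forward(SAMPLE_CONFIG, "44-212-VIP", {"extport": "6588", "mappedip": "44.212.128.47", "mappedport": "6969", "portforward": "enable"})` against a `show firewall vip` / `show firewall policy` dump to confirm the translation before trusting it.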
    Georges_Orwell
    New Member
    September 12, 2014
    Hi Chris,
    In fact I should change our old Cisco ASA for a Fortigate, but there are a lot of things I do not understand. I prefer to use the GUI. On the ASA I see a SNAT rule as follows:
    --------------------------------------------------
    Original Interface: LAN
    Source address: 192.168.0.15/32
    Translated Interface: WAN
    Use IP address: 44.212.128.47/32
    Enable PAT:
    Original Port: TCP 6588
    Translated Port: TCP 6969
    -------------------------------------------------
    That's what I need to do but I don't know how to do it. At this time I just configured the MGMT, LAN and WAN interfaces: LAN: 192.168.10.254/24, WAN: 44.212.128.2/26. I need to know how that works to progress and to manage the firewall myself afterwards. This is the first time I configure a firewall fully myself. So I again ask you many questions. Thank you, and excuse me if my English is not very good, I'm French.
    Georges
    Christopher_McMullan
    Staff
    September 12, 2014
    There's no judgment here...my English is as terrible as my French! I still don't know whether the Original/Translated Port is for the source or destination, but it now sounds more, at least for the IPs, like you want to translate the source. In this case, you could restrict the firewall policy to the one host as the source, and create an IP pool for the NATted outgoing source IP. If the original and translated ports are the source, you could forego the IP pool and do both translations (port and IP) with the Central NAT Table. If those two ports are the destination port which needs to be mapped, then you will need a combination of a VIP and an IP pool in the policy; the IP pool for SNAT, and the VIP for DNAT. Leave the external IP and mapped IP the same (both the public destination), but map the port.
    TuncayBAS
    Explorer
    September 12, 2014
    please vip set extint-any extip - 44.x.x.x. mappedip 44.x.x.x extport 6899 mapped port 6599 use and funny
    Georges_Orwell
    New Member
    September 13, 2014
    Thank you to both of you for your help. I will test setting this static NAT rule using the VIRTUAL IP submenu from the GUI.
    Georges.