Network_Engineer
Visitor III
April 22, 2022
Solved

Why is it that I can get NAT to work in one direction?

  • April 22, 2022
  • 2 replies
  • 5713 views

I put the source NAT as the private interface.

I put the destination NAT as the public interface.

Somehow the ping to the internet works.

Q1 Why is this so? Doesn't ping involve the return packet?

Q2 Don't I have to put source NAT as the public interface and destination NAT as the private interface too?

Q3 Under what circumstances do you put a static route and not a NAT?

Q4 Why do some other products only have "NAT enabled" but don't specify "ip nat inside" or "ip nat outside"?

Best answer by ede_pfau (SuperUser), April 22, 2022

Hi,

when you enable NAT in a policy by crossing the checkbox, you apply source NAT. By default, the IP address of the outbound interface is used instead of the original address.

So, your rule 1 sends traffic to the internet with a source address of your WAN interface, which of course is routed back with no problems.

 

Rule 2 does not really make sense. Assuming that you use RFC1918 private addresses on your LAN, how would anybody on the 'net find your WAN router? Private addresses are not routed over internet routers, to avoid the ambiguity which would arise if 1000 users of an ISP use the range 192.168.1.x, for example.

So enabling NAT on rule 2 will have the effect that the original WAN address of inbound traffic is lost/replaced, but there won't be any inbound traffic in the first place.

 

And you don't need rule 2 at all. Traffic outbound through rule 1 will be answered and routed back to the WAN interface of your FGT. The FGT then looks up which policy might match, then whether that policy uses NAT, and if it does, it looks up the NAT table to reverse the address translation. So in short, for reply traffic you only need one outbound policy in general.

 

HTH.

2 replies

pminarik
Staff
April 22, 2022

Hi, can you please post some config snippets to clarify what you configured?
It is not easy to guess what you "put" where with such ambiguous wording.

Network_Engineer
Visitor III
April 22, 2022

Hi,

It is a general NAT question.

Which part needs clarification?

Rule | Source interface | Destination interface | NAT
1    | LAN              | WAN                   | Enabled
2    | WAN              | LAN                   | Enabled

For Q1 and Q2, I put rule 1 in my firewall but I did not put rule 2.

I still can ping internet.

Why?

 

pminarik
Staff
April 22, 2022

I think I understand now, thank you for clarifying the question.

 

FortiGate is a stateful firewall. It keeps track of traffic sessions and can identify whether inbound packets from outside match existing sessions initiated from inside->out in order to automatically allow them through.

You do not need a WAN->LAN policy because the FortiGate will recognize the incoming ECHO-reply as a response to the ECHO-request which was allowed by the LAN->WAN firewall policy when your local client tried to ping something on the internet. It will also automatically reverse the NAT-ing when it forwards the response back to the original client.

 

Further reading, if you're interested:

https://docs.fortinet.com/document/fortigate/6.0.0/handbook/61862/what-is-a-firewall

https://en.wikipedia.org/wiki/Stateful_firewall
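The behaviour pminarik describes above, as an added illustration that is not part of any post in this thread and is not FortiGate code: a toy stateful firewall with one LAN->WAN policy that has NAT enabled. The outbound echo-request creates a session entry and gets its source rewritten to the WAN address; the echo-reply is matched against that entry and un-NATed back to the client without any WAN->LAN policy; an unsolicited packet arriving on WAN matches no session and no policy, so it is dropped. All addresses, interface names and the session-key choice (ICMP identifier) are constructed for the example.

```python
"""
Toy model of a stateful firewall with source NAT on a single LAN->WAN policy.
Constructed example (not FortiGate code): it shows why one outbound policy is
enough for ping to work and why unsolicited inbound traffic is still dropped.
All addresses are made-up values from the documentation ranges.
"""
from dataclasses import dataclass

LAN_IF, WAN_IF = "LAN", "WAN"
WAN_IP = "203.0.113.10"   # address of the public (WAN) interface, constructed


@dataclass(frozen=True)
class Packet:
    iface: str      # interface the packet is on: arrival for input, egress for output
    src: str
    dst: str
    proto: str      # "icmp-echo" or "icmp-reply"
    ident: int      # ICMP identifier; the toy uses it as the session key


# Policy table: (source interface, destination interface) -> NAT enabled?
# Only rule 1 from the thread exists; there is deliberately no WAN->LAN rule.
POLICIES = {(LAN_IF, WAN_IF): True}


class StatefulNat:
    def __init__(self):
        # (remote address, ICMP ident) -> original LAN client address.
        # Filled in when an outbound packet is accepted by a NAT policy.
        self.sessions = {}

    def forward(self, pkt):
        """Return the packet as it would leave the firewall, or None if dropped."""
        # Step 1: does this inbound packet belong to a session we already opened?
        # If so, reverse the translation; no policy lookup is needed for replies.
        if pkt.iface == WAN_IF and pkt.proto == "icmp-reply":
            client = self.sessions.get((pkt.src, pkt.ident))
            if client is not None and pkt.dst == WAN_IP:
                return Packet(LAN_IF, pkt.src, client, pkt.proto, pkt.ident)

        # Step 2: a new session must match a policy (implicit deny otherwise).
        egress = WAN_IF if pkt.iface == LAN_IF else LAN_IF
        nat_enabled = POLICIES.get((pkt.iface, egress))
        if nat_enabled is None:
            return None   # no WAN->LAN policy: unsolicited inbound is dropped

        if nat_enabled:
            # Source NAT: remember the client, send the packet out with the WAN address.
            self.sessions[(pkt.dst, pkt.ident)] = pkt.src
            return Packet(egress, WAN_IP, pkt.dst, pkt.proto, pkt.ident)
        return Packet(egress, pkt.src, pkt.dst, pkt.proto, pkt.ident)


def ping_round_trip(client="192.168.1.20", server="198.51.100.5", ident=42):
    """Echo-request out, echo-reply back: returns (translated request, un-NATed reply)."""
    fw = StatefulNat()
    out = fw.forward(Packet(LAN_IF, client, server, "icmp-echo", ident))
    reply = fw.forward(Packet(WAN_IF, server, WAN_IP, "icmp-reply", ident))
    return out, reply


def unsolicited_inbound(fw=None, attacker="198.51.100.9", ident=7):
    """A packet from the internet that matches no session: expected result is a drop."""
    fw = fw or StatefulNat()
    stray_echo = fw.forward(Packet(WAN_IF, attacker, WAN_IP, "icmp-echo", ident))
    stray_reply = fw.forward(Packet(WAN_IF, attacker, WAN_IP, "icmp-reply", ident))
    return stray_echo, stray_reply


if __name__ == "__main__":
    out, reply = ping_round_trip()
    print("outbound after SNAT :", out)     # src becomes 203.0.113.10, leaves on WAN
    print("reply after un-NAT  :", reply)   # dst restored to 192.168.1.20, leaves on LAN
    print("unsolicited inbound :", unsolicited_inbound())   # (None, None)
```

The two lookups happen in the order the firewall actually needs them: session table first, policy table only for traffic that starts a new session. That ordering is what makes rule 2 unnecessary for replies, and it is also why adding rule 2 would not "help" return traffic; it would only open a path for new inbound connections.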
