FortiADC
JordAnge
Staff
Article Id 244995
Description

This article describes how to set up a 1-to-1 NAT to publish public or 'external' IP addresses for FortiADC resources, while ensuring the communication among servers on the internal network is on a private or 'internal' IP address range.

Typically, a connection to a 1-to-1 NAT VIP succeeds when it originates from the WAN but fails when it originates from the LAN, because the VIP is bound only to the WAN-facing interface.

Scope

Connections against a RealServer published with a 1-to-1 NAT solution.

Solution

The following topology is used in this article:

LAN-User       \
                -> FADC -> Internet
LAN-WebServer  /

Both the LAN user and the web server sit behind the FortiADC (FADC), and the web server is published on a public IP through a 1-to-1 NAT.

Perform the following steps to set up the connection in the GUI:

- Go to Network -> NAT -> 1-to-1 NAT.
- Select Create New.
- Configure the following fields:
  - Name
  - External Interface  <- The WAN interface is normally configured here, which allows access from WAN to LAN. On this additional VIP, select the LAN interface instead, even though the External Address Range is a public IP; this is what lets LAN clients reach the public address of the server.
  - External Address Range
  - Mapped Address Range
  - Port Forwarding
  - Protocol [ TCP | UDP ]
  - External Port Range
  - Mapped Port Range
  - Status
- Select Save.

Alternatively, run the configuration below to set up the solution in the CLI. The two VIP objects share the same external IP and mapping and differ only in the external interface:

# config firewall vip
    edit "VIP-Object"    <- Allows connection from WAN to LAN
        set extif ISP3_JPN
        set extip 14.8.0.20
        set mappedip-min 172.20.3.1
        set mappedip-max 172.20.3.1
        set portforward enable
        set extport 80
        set mappedport-min 8080
        set mappedport-max 8080
    next
    edit "VIP-Object__LAN-Connections"    <- Allows connection from LAN to LAN
        set extif VLAN801
        set extip 14.8.0.20
        set mappedip-min 172.20.3.1
        set mappedip-max 172.20.3.1
        set portforward enable
        set extport 80
        set mappedport-min 8080
        set mappedport-max 8080
    next
end

[Image: Conn-VIP from LAN_01.png]

[Image: Conn-VIP from LAN_02.png]

Verify the solution with a sniffer to ensure the TCP 3-way handshake is completed on a connection from WAN to the VIP. The SYN arrives on ISP3_JPN for 14.8.0.20:80, leaves on VLAN803 translated to 172.20.3.1:8080, and the SYN-ACK and ACK follow the same path in reverse:

# diag sniffer packet any
interfaces=[any]
filters=[ host 1.0.16.1 ]
17.048154 port2 in 802.1Q vlan#14 P0
17.048059 ISP3_JPN in 1.0.16.1.51239 -> 14.8.0.20.80: syn 1625511015
17.048113 VLAN803 out 1.0.16.1.51239 -> 172.20.3.1.8080: syn 1625511015
17.048115 port3 out 802.1Q vlan#803 P0
17.048298 port3 in 802.1Q vlan#803 P0
17.048298 VLAN803 in 172.20.3.1.8080 -> 1.0.16.1.51239: syn 1308653961 ack 1625511016
17.048314 ISP3_JPN out 14.8.0.20.80 -> 1.0.16.1.51239: syn 1308653961 ack 1625511016
17.048316 port2 out 802.1Q vlan#14 P0
17.048733 port2 in 802.1Q vlan#14 P0
17.048733 ISP3_JPN in 1.0.16.1.51239 -> 14.8.0.20.80: ack 1308653962
17.048746 VLAN803 out 1.0.16.1.51239 -> 172.20.3.1.8080: ack 1308653962
17.048748 port3 out 802.1Q vlan#803 P0

Next, ensure the TCP 3-way handshake is also completed on a connection from LAN to the VIP. Here the SYN from the LAN user (172.20.1.10) arrives on VLAN801 for the public address and is translated to the server's private address on VLAN803:

# diagnose sniffer packet any ' host 14.8.0.20 or host 172.20.3.1 ' 4
interfaces=[any]
filters=[host 14.8.0.20 or host 172.20.3.1]
6.303633 port3 in 802.1Q vlan#801 P0
6.303528 VLAN801 in 172.20.1.10.51188 -> 14.8.0.20.80: syn 3829317182
6.303591 VLAN803 out 172.20.1.10.51188 -> 172.20.3.1.8080: syn 3829317182
6.303593 port3 out 802.1Q vlan#803 P0
6.303805 port3 in 802.1Q vlan#803 P0
6.303805 VLAN803 in 172.20.3.1.8080 -> 172.20.1.10.51188: syn 3629858734 ack 3829317183
6.303821 VLAN801 out 14.8.0.20.80 -> 172.20.1.10.51188: syn 3629858734 ack 3829317183
6.303822 port3 out 802.1Q vlan#801 P0
6.304305 port3 in 802.1Q vlan#801 P0
6.304305 VLAN801 in 172.20.1.10.51188 -> 14.8.0.20.80: ack 3629858735
6.304318 VLAN803 out 172.20.1.10.51188 -> 172.20.3.1.8080: ack 3629858735
6.304319 port3 out 802.1Q vlan#803 P0
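Reading the translated handshake out of the sniffer output by eye is error-prone, so the following added Python script (not part of the article or of FortiADC) parses `diagnose sniffer packet` lines and reports which of the six expected steps (SYN, SYN-ACK and ACK, each seen once on the VIP side and once on the mapped side) are missing. The sample input is constructed from the LAN-to-VIP capture above; the VIP and mapped addresses are passed in as parameters.

```python
import re

# Constructed sample: the IP-level lines from the LAN-to-VIP capture above (802.1Q frame lines omitted).
SAMPLE = """\
6.303528 VLAN801 in 172.20.1.10.51188 -> 14.8.0.20.80: syn 3829317182
6.303591 VLAN803 out 172.20.1.10.51188 -> 172.20.3.1.8080: syn 3829317182
6.303805 VLAN803 in 172.20.3.1.8080 -> 172.20.1.10.51188: syn 3629858734 ack 3829317183
6.303821 VLAN801 out 14.8.0.20.80 -> 172.20.1.10.51188: syn 3629858734 ack 3829317183
6.304305 VLAN801 in 172.20.1.10.51188 -> 14.8.0.20.80: ack 3629858735
6.304318 VLAN803 out 172.20.1.10.51188 -> 172.20.3.1.8080: ack 3629858735
"""

# One IP-level sniffer line: "<ts> <iface> <in|out> <src>.<sport> -> <dst>.<dport>: <flags ...>"
LINE = re.compile(r"^(?P<ts>[\d.]+) (?P<iface>\S+) (?P<dir>in|out) "
                  r"(?P<src>[\d.]+)\.(?P<sport>\d+) -> (?P<dst>[\d.]+)\.(?P<dport>\d+): (?P<rest>.*)$")

def parse(text):
    """Return one dict per IP-level line; frame lines and the interfaces=/filters= header are skipped."""
    pkts = []
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        p = m.groupdict()
        p["sport"], p["dport"] = int(p["sport"]), int(p["dport"])
        p["flags"] = frozenset(re.findall(r"\b(syn|ack|fin|rst)\b", p.pop("rest")))
        pkts.append(p)
    return pkts

def missing_steps(pkts, vip, vport, mapped, mport):
    """Handshake steps not seen in the capture; an empty set means the translated handshake completed."""
    SYN, SYNACK, ACK = frozenset({"syn"}), frozenset({"syn", "ack"}), frozenset({"ack"})
    # step name -> (direction, which endpoint to match, (ip, port), exact flag set)
    expected = {
        "syn_to_vip":         ("in",  "dst", (vip, vport),    SYN),
        "syn_to_mapped":      ("out", "dst", (mapped, mport), SYN),
        "synack_from_mapped": ("in",  "src", (mapped, mport), SYNACK),
        "synack_from_vip":    ("out", "src", (vip, vport),    SYNACK),
        "ack_to_vip":         ("in",  "dst", (vip, vport),    ACK),
        "ack_to_mapped":      ("out", "dst", (mapped, mport), ACK),
    }
    seen = set()
    for p in pkts:
        for name, (direction, side, endpoint, flags) in expected.items():
            port_key = "sport" if side == "src" else "dport"
            if p["dir"] == direction and (p[side], p[port_key]) == endpoint and p["flags"] == flags:
                seen.add(name)
    return set(expected) - seen

if __name__ == "__main__":
    print(missing_steps(parse(SAMPLE), "14.8.0.20", 80, "172.20.3.1", 8080) or "handshake complete")
```

When only the LAN-side VIP is missing, the typical symptom is that `syn_to_vip` is seen but `syn_to_mapped` and everything after it are reported missing.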
