FortiGate
syordanov
Staff
Article Id 365914
Description

This article explains the difference between DNAT (VIP) and Full Cone NAT.

Scope

FortiOS 7.6.0+

Solution

Both DNAT (VIP) and Full Cone NAT are forms of Network Address Translation (NAT).

DNAT (VIP) is a technique that allows external clients/hosts to access services (HTTPS, RDP or any other application) hosted behind the FortiGate.

Example of DNAT (VIP):

config firewall vip
    edit "VIP_DNAT"
        set uuid b4d25542-19d2-51ee-aa4d-842ac4cf1420
        set extip 192.168.1.200
        set mappedip "10.10.10.200"
        set extintf "any"
    next
end

Here the external IP address 192.168.1.200 is mapped to the internal host 10.10.10.200.

With the firewall policy below, all traffic to 192.168.1.200 is translated to 10.10.10.200.

Because the service is set to 'ALL', all traffic is forwarded. If the service were restricted to TCP 443 or TCP 22, FortiGate would forward only those ports.

config firewall policy
    edit 8
        set name "Test_VIP_Rule"
        set uuid 05228a82-beda-51ef-f0a9-e4a5d9b4c401
        set srcintf "wan1"
        set dstintf "lan"
        set action accept
        set srcaddr "all"
        set dstaddr "VIP_DNAT"
        set schedule "always"
        set service "ALL"
    next
end

Full Cone NAT introduces new functionality. When a device behind the FortiGate accesses a resource on the internet or on another network, the FortiGate assigns a SNAT (Source NAT) IP address and port pair to the outgoing connection and then creates an expectation session for that pair. Any external device can then send traffic to that IP address and port pair, and it is translated to the internal device. Full Cone NAT is useful for VoIP, because it makes it easier for external servers to initiate a connection to internal devices.

Full Cone NAT on FortiGate is supported only for the UDP protocol.
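To make the behaviour above concrete, here is an added Python model (written for this article, not FortiOS code) of a full-cone NAT table fed from a fixed-port-range IP pool. The `Pool`, `Session` and `Nat` names and the `outbound`/`inbound`/`tick` methods are this example's own; the pool values mirror the `full_cone_nat` IP pool configured below, and the host addresses come from the session output later in the article. Port selection inside a user's block is a simplification (the model takes the first free port, 1024, where FortiOS picked 1034 in the dump), and the pool's source IP range is not modelled.

```python
"""Toy model of Full Cone NAT fed from a fixed-port-range IP pool.

Added illustration for this article, not FortiOS code. Pool, Session, Nat
and their methods are this example's own names; pool values mirror the
article's `full_cone_nat` IP pool, hosts/ports come from its session dumps.
"""
from dataclasses import dataclass

UDP, TCP = 17, 6


@dataclass
class Pool:
    snat_ip: str
    start_port: int
    end_port: int
    port_per_user: int
    permit_any_host: bool = True   # "set permit-any-host enable" = full cone


@dataclass
class Session:
    proto: int
    src: tuple    # internal (ip, port)
    dst: tuple    # external server (ip, port)
    snat: tuple   # (pool ip, allocated port)
    expire: int   # remaining lifetime, seconds


class Nat:
    def __init__(self, pool):
        self.pool = pool
        self.sessions = []      # original outbound sessions
        self.expectations = {}  # snat (ip, port) -> internal (ip, port)
        self.user_block = {}    # internal ip -> index of its port block

    def _alloc_port(self, src_ip):
        # fixed-port-range: every internal IP owns a block of port_per_user
        # ports; the pool range bounds how many internal IPs it can serve.
        p = self.pool
        blocks = (p.end_port - p.start_port + 1) // p.port_per_user
        if src_ip not in self.user_block:
            if len(self.user_block) >= blocks:
                raise RuntimeError("IP pool exhausted")
            self.user_block[src_ip] = len(self.user_block)
        base = p.start_port + self.user_block[src_ip] * p.port_per_user
        used = {s.snat[1] for s in self.sessions if s.src[0] == src_ip}
        for port in range(base, base + p.port_per_user):
            if port not in used:
                return port   # simplification: first free port in the block
        raise RuntimeError("no free port in this user's block")

    def outbound(self, proto, src, dst, ttl=180):
        """Internal host opens a flow; returns the SNAT (ip, port) it was given."""
        snat = (self.pool.snat_ip, self._alloc_port(src[0]))
        self.sessions.append(Session(proto, src, dst, snat, ttl))
        # The expectation session (any host -> snat pair is DNATed to src)
        # is created for UDP only, matching the article's UDP-only limit.
        if proto == UDP and self.pool.permit_any_host:
            self.expectations[snat] = src
        return snat

    def inbound(self, proto, ext_src, ext_dst):
        """Internal (ip, port) an inbound packet is DNATed to, or None if dropped."""
        for s in self.sessions:            # replies to an existing session
            if s.proto == proto and s.snat == ext_dst and s.dst == ext_src:
                return s.src
        if proto == UDP:                   # anyone else needs an expectation
            return self.expectations.get(ext_dst)
        return None

    def tick(self, seconds):
        """Age sessions; an expired original session takes its expectation with it."""
        for s in self.sessions:
            s.expire -= seconds
        for s in [s for s in self.sessions if s.expire <= 0]:
            self.sessions.remove(s)
            self.expectations.pop(s.snat, None)


def demo():
    nat = Nat(Pool("10.191.19.160", 1024, 1087, 32))
    internal, server = ("192.168.1.2", 59466), ("55.121.44.4", 5221)
    other = ("10.191.31.254", 56474)          # unrelated external host
    snat = nat.outbound(UDP, internal, server)
    results = {
        "snat": snat,                                   # ('10.191.19.160', 1024)
        "reply": nat.inbound(UDP, server, snat),        # server reply reaches internal
        "any_host": nat.inbound(UDP, other, snat),      # full cone: so does anyone
    }
    tcp_snat = nat.outbound(TCP, ("192.168.1.2", 40000), ("55.121.44.4", 443))
    results["tcp_any_host"] = nat.inbound(TCP, other, tcp_snat)  # None: UDP only
    nat.tick(200)                                       # original UDP flow times out
    results["after_expiry"] = nat.inbound(UDP, other, snat)      # None: expectation gone
    return results
```

Running `demo()` walks through the three facts the article states: the server's reply and an unrelated host both reach the internal device through the SNAT pair while the UDP flow is alive, a TCP flow gets no expectation at all, and once the original session times out the expectation disappears with it.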

Example of the Full Cone NAT configuration:

IP pool configuration:

config firewall ippool
    edit "full_cone_nat"
        set type fixed-port-range
        set startip 10.191.19.160
        set endip 10.191.19.160
        set startport 1024
        set endport 1087
        set source-startip 192.168.1.2
        set source-endip 192.168.1.2
        set port-per-user 32
        set permit-any-host enable
    next
end

Firewall rule configuration:

config firewall policy
    edit 1
        set name "FWrule_out"
        set uuid 3eb50ffe-b944-51ef-91a1-c86b753d39ad
        set srcintf "port2"
        set dstintf "port1"
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
        set auto-asic-offload disable
        set nat enable
        set ippool enable
        set poolname "full_cone_nat"
    next
end

The internal IP address is 192.168.1.2, and the SNAT IP address is 10.191.19.160.

Session from the internal client to the server on the internet:

session info: proto=17 proto_state=00 duration=2 expire=177 timeout=0 refresh_dir=both flags=00000000 socktype=0 sockport=0 av_idx=0 use=5
origin-shaper=
reply-shaper=
per_ip_shaper=
class_id=0 ha_id=0 policy_dir=0 tunnel=/ vlan_cos=0/255
state=may_dirty
statistic(bytes/packets/allow_err): org=87/3/1 reply=0/0/0 tuples=2
tx speed(Bps/kbps): 32/0 rx speed(Bps/kbps): 0/0
orgin->sink: org pre->post, reply pre->post dev=4->3/3->4 gwy=10.191.31.254/0.0.0.0
hook=post dir=org act=snat 192.168.1.2:59466->55.121.44.4:5221(10.191.19.160:1034)
hook=pre dir=reply act=dnat 55.121.44.4:5221->10.191.19.160:1034(192.168.1.2:59466)
misc=0 policy_id=1 pol_uuid_idx=15850 auth_info=0 chk_client_info=0 vd=0
serial=0002556e tos=ff/ff app_list=0 app=0 url_cat=0
rpdb_link_id=00000000 ngfwid=n/a
npu_state=0x000101 no_offload
no_ofld_reason:  disabled-by-policy

Expected session:

session info: proto=17 proto_state=00 duration=7 expire=22 timeout=0 refresh_dir=both flags=00000000 socktype=0 sockport=0 av_idx=0 use=2
origin-shaper=
reply-shaper=
per_ip_shaper=
class_id=0 ha_id=0 policy_dir=1 tunnel=/ vlan_cos=255/255
state=new f31
statistic(bytes/packets/allow_err): org=0/0/0 reply=0/0/0 tuples=2
tx speed(Bps/kbps): 0/0 rx speed(Bps/kbps): 0/0
orgin->sink: org pre->post, reply pre->post dev=0->4/4->0 gwy=0.0.0.0/0.0.0.0
hook=pre dir=org act=dnat 0.0.0.0:0->10.191.19.160:1034(192.168.1.2:59466)
hook=pre dir=org act=noop 0.0.0.0:0->0.0.0.0:0(0.0.0.0:0)
misc=0 policy_id=1 pol_uuid_idx=15850 auth_info=0 chk_client_info=0 vd=0
serial=0002556e tos=ff/ff app_list=0 app=0 url_cat=0
rpdb_link_id=00000000 ngfwid=n/a
npu_state=0x000101 no_offload
no_ofld_reason:  new disabled-by-policy

session info: proto=17 proto_state=00 duration=7 expire=22 timeout=0 refresh_dir=both flags=00000000 socktype=0 sockport=0 av_idx=0 use=2
origin-shaper=
reply-shaper=
per_ip_shaper=
class_id=0 ha_id=0 policy_dir=0 tunnel=/ vlan_cos=255/255
state=new f31
statistic(bytes/packets/allow_err): org=0/0/0 reply=0/0/0 tuples=2
tx speed(Bps/kbps): 0/0 rx speed(Bps/kbps): 0/0
orgin->sink: org pre->post, reply pre->post dev=4->3/3->4 gwy=0.0.0.0/0.0.0.0
hook=pre dir=org act=dnat 192.168.1.2:0->10.191.19.160:1034(192.168.1.2:0)
hook=pre dir=org act=noop 0.0.0.0:0->0.0.0.0:0(0.0.0.0:0)
misc=0 policy_id=1 pol_uuid_idx=15850 auth_info=0 chk_client_info=0 vd=0
serial=0002556e tos=ff/ff app_list=0 app=0 url_cat=0
rpdb_link_id=00000000 ngfwid=n/a
npu_state=0x000101 no_offload
no_ofld_reason:  new disabled-by-policy

Session from the external client to the FortiGate:

session info: proto=17 proto_state=00 duration=155 expire=1779 timeout=0 refresh_dir=both flags=00000000 socktype=0 sockport=0 av_idx=0 use=4
origin-shaper=
reply-shaper=
per_ip_shaper=
class_id=0 ha_id=0 policy_dir=1 tunnel=/ vlan_cos=255/255
state=intree
statistic(bytes/packets/allow_err): org=87/3/0 reply=0/0/0 tuples=2
tx speed(Bps/kbps): 0/0 rx speed(Bps/kbps): 0/0
orgin->sink: org pre->post, reply pre->post dev=3->4/4->3 gwy=0.0.0.0/0.0.0.0
hook=pre dir=org act=dnat 10.191.31.254:56474->10.191.19.160:1034(192.168.1.2:59466)
hook=post dir=reply act=snat 192.168.1.2:59466->10.191.31.254:56474(10.191.19.160:1034)
misc=0 policy_id=1 pol_uuid_idx=15850 auth_info=0 chk_client_info=0 vd=0
serial=0002556e tos=ff/ff app_list=0 app=0 url_cat=0
rpdb_link_id=00000000 ngfwid=n/a
npu_state=0x000101 no_offload
no_ofld_reason:  disabled-by-policy

When the original session from source IP 192.168.1.2, which was allowed by the firewall rule with the Full Cone NAT IP pool, terminates, the expected session is removed as well, and the external host can no longer reach 10.191.19.160 on that port.
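The three session dumps above carry the whole full-cone relationship in their hook= lines: the original session's SNAT pair, the expectation session's wildcard DNAT (0.0.0.0:0) to that pair, and a third-party inbound session hitting it. The Python below is an added helper, not a FortiOS tool, that parses those lines and cross-checks them; the function names are this example's own, and the embedded dumps are excerpts (session info, state and hook lines only) of the article's own diagnose output.

```python
"""Cross-check Full Cone NAT from `diagnose sys session list` output.

Added helper for this article, not a FortiOS command. Function names are
this example's own; the dumps are excerpts of the article's session output.
"""
import re

# hook=post dir=org act=snat 192.168.1.2:59466->55.121.44.4:5221(10.191.19.160:1034)
HOOK_RE = re.compile(
    r"hook=(?P<hook>\w+) dir=(?P<dir>\w+) act=(?P<act>\w+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+)->(?P<dst>[\d.]+):(?P<dport>\d+)"
    r"\((?P<xip>[\d.]+):(?P<xport>\d+)\)"
)
FIELD_RE = re.compile(r"\b(proto|expire|policy_id)=(\w+)")
STATE_RE = re.compile(r"^state=(.*)$", re.M)
UDP = 17

# Excerpts of the article's three dumps.
ORIGINAL = """\
session info: proto=17 proto_state=00 duration=2 expire=177 timeout=0 refresh_dir=both flags=00000000 socktype=0 sockport=0 av_idx=0 use=5
state=may_dirty
hook=post dir=org act=snat 192.168.1.2:59466->55.121.44.4:5221(10.191.19.160:1034)
hook=pre dir=reply act=dnat 55.121.44.4:5221->10.191.19.160:1034(192.168.1.2:59466)
misc=0 policy_id=1 pol_uuid_idx=15850 auth_info=0 chk_client_info=0 vd=0
"""
EXPECTATION = """\
session info: proto=17 proto_state=00 duration=7 expire=22 timeout=0 refresh_dir=both flags=00000000 socktype=0 sockport=0 av_idx=0 use=2
state=new f31
hook=pre dir=org act=dnat 0.0.0.0:0->10.191.19.160:1034(192.168.1.2:59466)
hook=pre dir=org act=noop 0.0.0.0:0->0.0.0.0:0(0.0.0.0:0)
misc=0 policy_id=1 pol_uuid_idx=15850 auth_info=0 chk_client_info=0 vd=0
"""
INBOUND = """\
session info: proto=17 proto_state=00 duration=155 expire=1779 timeout=0 refresh_dir=both flags=00000000
state=intree
hook=pre dir=org act=dnat 10.191.31.254:56474->10.191.19.160:1034(192.168.1.2:59466)
hook=post dir=reply act=snat 192.168.1.2:59466->10.191.31.254:56474(10.191.19.160:1034)
misc=0 policy_id=1 pol_uuid_idx=15850 auth_info=0 chk_client_info=0 vd=0
"""


def parse_session(text):
    """Pull proto/expire/policy_id, the state line and every hook line out of one session."""
    fields = dict(FIELD_RE.findall(text))
    state = STATE_RE.search(text)
    return {
        "proto": int(fields["proto"]),
        "expire": int(fields["expire"]),
        "policy_id": int(fields["policy_id"]),
        "state": state.group(1).strip() if state else "",
        "hooks": [m.groupdict() for m in HOOK_RE.finditer(text)],
    }


def snat_pair(sess):
    """SNAT (ip, port) the original outbound session was given, or None."""
    for h in sess["hooks"]:
        if h["dir"] == "org" and h["act"] == "snat":
            return (h["xip"], int(h["xport"]))
    return None


def expectation_target(sess):
    """For an expectation session: ((snat ip, port), (internal ip, port)) of its wildcard DNAT."""
    for h in sess["hooks"]:
        if h["dir"] == "org" and h["act"] == "dnat" and (h["src"], h["sport"]) == ("0.0.0.0", "0"):
            return ((h["dst"], int(h["dport"])), (h["xip"], int(h["xport"])))
    return None


def verify_full_cone(original_txt, expectation_txt):
    """The expectation must be UDP and must DNAT the original's SNAT pair back to the same host."""
    o, e = parse_session(original_txt), parse_session(expectation_txt)
    if o["proto"] != UDP:
        return False, "full cone applies to UDP (proto=17) only"
    snat, exp = snat_pair(o), expectation_target(e)
    if exp is None:
        return False, "no wildcard (0.0.0.0:0) expectation in the second session"
    if exp[0] != snat:
        return False, f"expectation target {exp[0]} differs from SNAT pair {snat}"
    return True, f"any host -> {snat[0]}:{snat[1]} is DNATed to {exp[1][0]}:{exp[1][1]}"


def third_party_source(inbound_txt, original_txt):
    """External (ip, port) that hit the SNAT pair, if it is not the original server."""
    o, i = parse_session(original_txt), parse_session(inbound_txt)
    server = next((h["dst"], int(h["dport"])) for h in o["hooks"]
                  if h["dir"] == "org" and h["act"] == "snat")
    for h in i["hooks"]:
        if h["dir"] == "org" and h["act"] == "dnat":
            src = (h["src"], int(h["sport"]))
            if src != server and (h["dst"], int(h["dport"])) == snat_pair(o):
                return src
    return None
```

On the article's dumps, `verify_full_cone(ORIGINAL, EXPECTATION)` confirms the wildcard expectation points at the 10.191.19.160:1034 pair assigned in the original session, and `third_party_source(INBOUND, ORIGINAL)` returns 10.191.31.254:56474, a host other than the original server 55.121.44.4, which is exactly what distinguishes full cone from a reply-only mapping. When the original session has gone, the expectation's `expire=` countdown (22 seconds here) shows how little time the inbound path has left.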