Description | This article describes endpoint independent mapping NAT, and when it is required in the ADVPN environment. |
Scope | FortiGate v6.4 and v7.2. |
Solution |
NAT is everywhere in today's networks, and so are VPNs deployed in a hub-and-spoke manner, with many customers leveraging ADVPN's ability to dynamically create and tear down shortcuts from spoke to spoke to further optimize performance.
For this to happen, EIM-NAT plays an important role when a spoke behind a NAT box needs to negotiate a shortcut with another spoke that is also behind a NAT box.
Endpoint-Independent Mapping Network Address Translation (EIM NAT) is a NAT device that performs NAT in such a way that an endpoint with internal IP address and port (src-ip, src-port) is always SNATed to the same translated source IP and translated source port (nat-src-ip, nat-src-port), irrespective of which destination (any external IP and port) the endpoint initiated traffic to.
Illustration:
endpoint (192.168.200.200, 65100) ---> SNATed (200.200.200.200, 65222) >>>> 8.8.8.8:443
endpoint (192.168.200.200, 65100) ---> SNATed (200.200.200.200, 65222) >>>> 8.8.8.8:80
endpoint (192.168.200.200, 65100) ---> SNATed (200.200.200.200, 65222) >>>> 8.8.8.8:53
Note: an endpoint is a session-specific tuple on the end host. TCP and UDP may have different endpoints on the same end host.
With FortiGate running FortiOS 6.4 and above, a shortcut is possible between two spokes sitting behind NAT boxes, but the NAT boxes need to perform EIM-NAT. With FortiGate running FortiOS below 6.4, one of the spokes has to be without NAT (not sitting behind a NAT box) for the shortcut negotiation to be successful. |
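The mapping behaviour illustrated above and the shortcut conditions just stated, as a small Python model added here (not Fortinet code and not part of the article): each NAT keeps a mapping table keyed either by the internal endpoint alone (EIM) or by internal endpoint plus destination, and both spokes learn each other's hub-observed public tuple from the hub. The hub address 203.0.113.1, the second spoke's addresses and the assumption that an EIM NAT also filters inbound traffic endpoint-independently are constructed for this example.

```python
import itertools


class Nat:
    def __init__(self, public_ip, eim, first_port=65222):
        self.public_ip = public_ip
        self.eim = eim            # True: mapping keyed by internal endpoint only
        self.table = {}           # key -> (nat-src-ip, nat-src-port)
        self._ports = itertools.count(first_port)

    def translate(self, src, dst):
        """Translated source tuple for a packet from internal src to external dst."""
        key = src if self.eim else (src, dst)    # non-EIM: new port per destination
        if key not in self.table:
            self.table[key] = (self.public_ip, next(self._ports))
        return self.table[key]

    def forwards_inbound(self, public_dst, remote_src):
        """Does a packet from remote_src to our public tuple reach an inside host?
        Assumed: EIM NAT filters endpoint-independently; non-EIM admits only the
        peer the mapping was created towards (key[1] is that destination)."""
        for key, mapped in self.table.items():
            if mapped == public_dst and (self.eim or key[1] == remote_src):
                return True
        return False


def public_endpoint(nat, src, dst):
    """Tuple the peer at dst sees; a spoke without NAT shows its own address."""
    return nat.translate(src, dst) if nat else src


def mappings_for(nat, src, dsts):
    """Translated tuples one internal endpoint gets towards several destinations."""
    return [nat.translate(src, d) for d in dsts]


def can_initiate(spoke_i, nat_i, seen_r, nat_r):
    """Initiator sends to the responder's hub-observed tuple; does it get through?"""
    translated = public_endpoint(nat_i, spoke_i, seen_r)
    return nat_r.forwards_inbound(seen_r, translated) if nat_r else True


def shortcut_possible(spoke_a, nat_a, spoke_b, nat_b, hub=("203.0.113.1", 500)):
    """Both spokes register via the hub, which relays the public tuples it saw;
    the shortcut is possible if either spoke can reach the other directly."""
    seen_a = public_endpoint(nat_a, spoke_a, hub)
    seen_b = public_endpoint(nat_b, spoke_b, hub)
    return (can_initiate(spoke_a, nat_a, seen_b, nat_b)
            or can_initiate(spoke_b, nat_b, seen_a, nat_a))
```

With both NAT boxes set to EIM the same internal endpoint keeps port 65222 towards every destination, so the tuple the hub relayed stays valid for the spoke-to-spoke session; without EIM each new destination gets a fresh port and the model reproduces the article's fallback of needing one spoke without NAT.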
Copyright 2024 Fortinet, Inc. All Rights Reserved.