mhrth
New Contributor III

Enabling NAT port forwarding

Hi, I am new to FortiGate Firewall. I created a VIP with port forwarding to one of our internal servers. Do I need to enable NAT in the firewall policy? If no, may I know why?

 

NAT.png

 

2 Solutions
akristof
Staff
Staff

Hello,

 

Thank you for your question. This NAT you are showing is related to SNAT. So this would SNAT the source IP address of the traffic. Usually, if the traffic is coming from internet, this is not needed. Usually, SNAT is enabled when the server, you are sending traffic has different gateway and not FortiGate, so you would SNAT the traffic to force reply back to FortiGate.

Here is KB related to VIP port-forwarding:

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Virtual-IP-VIP-port-forwarding-configurati...

Adrian

View solution in original post

ede_pfau
Esteemed Contributor III

More important here is that a VIP (for destination NAT) automatically does SNAT on reply traffic. Example:

you create a VIP mapping 5.6.7.8 (your WAN IP) to 192.168.14.4 (internal). The internal server answers and the VIP translates the source address back to the WAN IP 5.6.7.8.

 

Adding the NAT checkbox in the inbound policy would make the VIP use the internal interface address as source on inbound traffic, which would do no harm but would camouflage the original sender's IP address. All traffic to the internal server would appear to come from internal. Often, you prefer to know the external host's address for monitoring, statistics etc.


Ede

"Kernel panic: Aiee, killing interrupt handler!"

View solution in original post

4 REPLIES 4
akristof
Staff
Staff

Hello,

 

Thank you for your question. This NAT you are showing is related to SNAT. So this would SNAT the source IP address of the traffic. Usually, if the traffic is coming from internet, this is not needed. Usually, SNAT is enabled when the server, you are sending traffic has different gateway and not FortiGate, so you would SNAT the traffic to force reply back to FortiGate.

Here is KB related to VIP port-forwarding:

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Virtual-IP-VIP-port-forwarding-configurati...

Adrian
AlexC-FTNT
Staff
Staff

This image may help understand better:

AlexCFTNT_0-1645693542653.png

 


- Toss a 'Like' to your fixxer, oh Valley of Plenty! and chose the solution, too00oo -
ede_pfau
Esteemed Contributor III

More important here is that a VIP (for destination NAT) automatically does SNAT on reply traffic. Example:

you create a VIP mapping 5.6.7.8 (your WAN IP) to 192.168.14.4 (internal). The internal server answers and the VIP translates the source address back to the WAN IP 5.6.7.8.

 

Adding the NAT checkbox in the inbound policy would make the VIP use the internal interface address as source on inbound traffic, which would do no harm but would camouflage the original sender's IP address. All traffic to the internal server would appear to come from internal. Often, you prefer to know the external host's address for monitoring, statistics etc.


Ede

"Kernel panic: Aiee, killing interrupt handler!"
Toshi_Esumi
Esteemed Contributor II

One very rare situation we had to set NAT on a VIP policy for a workaround, when a third party private network between our FGT and the end user web server was having a problem re-advertising the default route from the FGT. They don't have problem re-advertising the /30 interface subnet. We're still waiting for the problem to be resolved.

As the result the web server can't know the source IP where the access is coming from as Ede mentioned.

 

Toshi