MartinSimi
New Contributor

Hide NAT with port forwarding towards internet

Hello,

Is it possible, please, to implement port forwarding towards the internet on a Forti running v6.2.7? All the guides mention only port forwarding from the internet to your internal network, but we need to achieve the opposite.

The customer is using a proxy which is on the internet, and their servers are configured to use a URL for this proxy and ports 80/443. The goal is that when the traffic is leaving the internet-facing Fortigate there should be classic hide NAT, but in addition we need to change the destination ports to 8081 and 8443.

The customer mentioned that when they originally set this up (we were running 5.6.2) there wasn't a way to achieve it via a FW rule plus NAT only. Right now there is a workaround via Virtual Servers to achieve this, but we would like to get rid of those if possible.

Thank you.

3 REPLIES
Toshi_Esumi
Esteemed Contributor III

I don't see any reason for this simple SNAT+VIP with an in-to-out policy not to work, even on 5.6 or older. Have you tried it and found it not working? You can easily set up a test policy with one test device's IP, like a laptop's, then run the sniffer on the outgoing/internet port and/or flow debugging while sending HTTP(80)/HTTPS(443) traffic to check if the behavior is what you intended.
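
The sniffer check suggested in the reply above can be scripted. This is an added example, not part of the original reply or Fortinet code: it scans captured sniffer lines for packets that left the internet-facing port towards the proxy without hide NAT or with the destination port still 80/443. The interface name `wan1`, the documentation-range IP addresses, the sample lines, and the assumed verbosity-4 line layout are all constructed for illustration.

```python
import re

# Assumed layout of a verbosity-4 sniffer line (constructed, not from the thread):
#   <time> <iface> <in|out> <src_ip>.<sport> -> <dst_ip>.<dport>: <flags> ...
LINE_RE = re.compile(
    r"^\S+\s+(?P<iface>\S+)\s+(?P<dir>in|out)\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):"
)

# Ports from the thread: 80 -> 8081 and 443 -> 8443.
PORT_MAP = {80: 8081, 443: 8443}

def check_egress(lines, wan_if, wan_ip, proxy_ip, port_map=PORT_MAP):
    """Return (line, problem) pairs for packets sent to the proxy out of
    wan_if that were not hide-NATed or not port-translated."""
    findings = []
    translated = set(port_map.values())
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or m["iface"] != wan_if or m["dir"] != "out":
            continue  # only outgoing packets on the internet-facing port
        if m["dst"] != proxy_ip:
            continue  # only traffic towards the proxy is in scope
        dport = int(m["dport"])
        if m["src"] != wan_ip:
            findings.append((line, f"source {m['src']} not hidden behind {wan_ip}"))
        if dport in port_map:
            findings.append((line, f"port {dport} not rewritten to {port_map[dport]}"))
        elif dport not in translated:
            findings.append((line, f"unexpected destination port {dport}"))
    return findings

# Constructed sample capture: one good flow, its reply, and two misbehaving flows.
SAMPLE = [
    "1.102334 wan1 out 198.51.100.2.40112 -> 203.0.113.10.8081: syn 1122334455",
    "1.150021 wan1 in 203.0.113.10.8081 -> 198.51.100.2.40112: syn 5566 ack 1122334456",
    "2.310877 wan1 out 198.51.100.2.40113 -> 203.0.113.10.443: syn 99887766",
    "3.004512 wan1 out 10.1.1.25.51000 -> 203.0.113.10.8443: syn 44556677",
]

if __name__ == "__main__":
    for line, problem in check_egress(SAMPLE, "wan1", "198.51.100.2", "203.0.113.10"):
        print(f"{problem}: {line}")
```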

MartinSimi

Unfortunately, I wasn't there when the previous engineer for some reason assumed it's not possible. So that got me doubting if there really is something which prevents setting it up in this way.

I probably won't be allowed to test it in production, so I will try to set up a lab and verify. Just wanted to check first if it should work.

Thank you.

MartinSimi
New Contributor

OK, after I set up my lab I am starting to see the issue.

The thing is that under Virtual IP you are not allowed to do port forwarding only; you also have to specify the External and Mapped IP addresses, but we don't want that. We want simple hide NAT.

So is there really no way to achieve this setup? Hide NAT with port forwarding?
