blackmail88
New Contributor

STATIC NAT

Hi guys,

Recently I have a job to migrate from an ASA firewall to a FortiGate, and now I'm facing a problem that might be simple to do in ASA but not in FortiGate (in my view, of course) hehehe...

So, in the existing ASA there is a NAT configuration like the following:

object network IT-A
 host 192.168.1.1
 nat (inside,DMZ) static 172.16.1.10

object network IT-A-1
 host 192.168.1.1
 nat (inside,outside) static 202.134.8.x

Then I tried to configure my FortiGate to have the same function as the above commands on the ASA using Virtual IP, but I always got an error; it said something like "duplicate entry ..."

Is there any way to have the same configuration as the ASA on FortiGate?

Thanks

2 REPLIES
Camshaft007
New Contributor

Couldn't you use a VIP for this?

config firewall vip
    edit "IT_A"
        set extip "202.134.8.x"
        set extintf "any"
        set mappedip "172.16.x.x"
    next
end

" The Linux philosophy is ' Laugh in the face of danger' . Oops. Wrong One. ' Do it yourself' . Yes, that' s it." - Linus Torvalds

ede_pfau
Esteemed Contributor III

Hi,

Sorry, missed your post.

What you are looking for is "source NAT". For example, a 192.168.1.10 source address will be translated to 208.x.y.z when traversing from 'inside' to 'outside'.

This is done via "IP pools" in FortiOS. For the example, it is sufficient to tick "NAT" in the policy which allows sessions from 'inside' to 'WAN'. Then the (current) WAN interface address will be used for source NAT.

If you want to have full control over the source address then create an IP pool and specify its name in the policy.

Please have a look at the concept in the 'FortiOS Handbook', available for download at docs.fortinet.com. You'll see it's quite easy once you get the grasp of it.


Ede

"Kernel panic: Aiee, killing interrupt handler!"