Fortinet Forum
Network_Engineer
New Contributor III

Why is it that I can get NAT to work in one direction?

I put the source NAT as the private interface.

I put the destination NAT as the public interface.

Somehow the ping to the internet works.

Q1 Why is this so? Doesn't ping involve the return packet?

Q2 Don't I have to put source NAT as the public interface and destination NAT as the private interface too?

Q3 Under what circumstances do you put a static route and not a NAT?

Q4 Why do some other products only have "NAT enabled" but don't specify "ip nat inside" or "ip nat outside"?

1 Solution
ede_pfau
Esteemed Contributor III

hi,

when you enable NAT in a policy by crossing the checkbox, you apply source NAT. By default, the IP address of the outbound interface is used instead of the original address.

So, your rule 1 sends traffic to the internet with a source address of your WAN interface, which of course is routed back with no problems.

 

Rule 2 does not really make sense. Assuming that you use RFC1918 private addresses on your LAN, how would anybody on the 'net find your WAN router? Private addresses are not routed over internet routers, to avoid the ambiguity which would arise if 1000 users of an ISP use the range 192.168.1.x, for example.

So enabling NAT on rule 2 will have the effect that the original WAN address of inbound traffic is lost/replaced, but there won't be any inbound traffic in the first place.

 

And you don't need rule 2 at all. Traffic outbound through rule 1 will be answered and routed back to the WAN interface of your FGT. The FGT then looks up which policy might match, checks whether that policy uses NAT, and if it does, looks up the NAT table to reverse the address translation. So in short, for reply traffic you only need one outbound policy in general.

HTH.

Ede

"Kernel panic: Aiee, killing interrupt handler!"

4 REPLIES
pminarik
Staff

Hi, can you please post some config snippets to clarify what you configured?
It is not easy to guess what you "put" where with such ambiguous wording.

[ test signature, please ignore ]
Network_Engineer

Hi,

It is a general NAT question.

Which part needs clarification? 

Rule  Source interface  Destination interface  NAT
1     LAN               WAN                    Enabled
2     WAN               LAN                    Enabled

For Q1 and Q2, I put rule 1 in my firewall but I did not put rule 2.

I still can ping internet.

Why?

 

pminarik

I think I understand now, thank you for clarifying the question.

 

FortiGate is a stateful firewall. It keeps track of traffic sessions and can identify whether inbound packets from outside match existing sessions initiated from inside->out in order to automatically allow them through.

You do not need a WAN->LAN policy because the FortiGate will recognize the incoming ECHO-reply as a response to the ECHO-request which was allowed by the LAN->WAN firewall policy when your local client tried to ping something on the internet. It will also automatically reverse the NAT-ing when it forwards the response back to the original client.

 

Further reading, if you're interested:

https://docs.fortinet.com/document/fortigate/6.0.0/handbook/61862/what-is-a-firewall

https://en.wikipedia.org/wiki/Stateful_firewall

[ test signature, please ignore ]
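To illustrate the session-table behaviour described in this answer (added example code, not from the posters or from Fortinet documentation; all addresses are constructed from documentation ranges), here is a toy stateful firewall with a single LAN->WAN policy and NAT enabled: the echo request is source-NATed to the WAN address, the echo reply is matched to the recorded session and un-NATed without any WAN->LAN policy, and an unsolicited inbound packet with no matching session is dropped.

```python
from dataclasses import dataclass

# Constructed addresses from documentation ranges, not a real deployment.
LAN_CLIENT = "192.168.1.20"
WAN_IP = "203.0.113.10"       # the FortiGate's public (WAN) address
INTERNET_HOST = "198.51.100.5"

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    ident: int      # ICMP echo identifier (same in request and reply)
    ingress: str    # interface the packet arrived on: "LAN" or "WAN"

class StatefulNatFirewall:
    """Toy model: one LAN->WAN policy with NAT enabled and no WAN->LAN policy."""

    def __init__(self, wan_ip):
        self.wan_ip = wan_ip
        # session key (remote host, echo id) -> original LAN source address
        self.sessions = {}

    def forward(self, pkt):
        """Return the packet as it leaves the firewall, or None if it is dropped."""
        if pkt.ingress == "LAN":
            # Policy 1 matches: record the session, then source-NAT to the WAN address.
            self.sessions[(pkt.dst, pkt.ident)] = pkt.src
            return Packet(self.wan_ip, pkt.dst, pkt.ident, "WAN")
        # Arrived on WAN: only a packet matching an existing session is accepted,
        # and the translation is reversed from the session table.
        original_src = self.sessions.get((pkt.src, pkt.ident))
        if original_src is None or pkt.dst != self.wan_ip:
            return None                      # unsolicited inbound: dropped
        return Packet(pkt.src, original_src, pkt.ident, "LAN")

def demo():
    """Echo request out, echo reply back, and an unsolicited probe that is dropped."""
    fw = StatefulNatFirewall(WAN_IP)
    request = Packet(LAN_CLIENT, INTERNET_HOST, 0x1A2B, "LAN")
    translated = fw.forward(request)           # leaves with src = WAN_IP
    reply = Packet(INTERNET_HOST, WAN_IP, 0x1A2B, "WAN")
    delivered = fw.forward(reply)              # un-NATed back to LAN_CLIENT
    probe = Packet(INTERNET_HOST, WAN_IP, 0x9999, "WAN")
    dropped = fw.forward(probe)                # no session: None
    return translated, delivered, dropped

if __name__ == "__main__":
    print(demo())
```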