Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
cwb2205
New Contributor

Central NAT and VIPs

Hi all,

 

Just after some clarification on Central NAT and VIPs. If I have several webservers on my DMZ interface and I want to NAT those with one-to-one nats to a bunch of external IPs i have on the WAN, am I best to have a WAN>DMZ CNAT rule and a DMZ>WAN CNAT rule to do the translation each way or do I use a VIP for the inbound nat and a CNAT rule to translate the DMZ > WAN?

 

Is there a difference in each way of doing this? why use a VIP over Central NAT rule for inbound traffic?

 

Thanks.

NSE 7 ATP3.0

NSE 7 ATP3.0
2 REPLIES 2
hubertzw
Contributor III

In central NAT in the firewall policy (6.0) or secure policy (6.2.x) as a destination you set local IP, not VIP.
zee
New Contributor

1) Am I best to have a WAN>DMZ CNAT rule and a DMZ>WAN CNAT rule to do the translation each way?

It depends.

Scenario#1

Server1---DMZ----FW--WAN--- Clients.

If the goal is to have clients to talks to Server, then you just need WAN>DMZ CNAT ( DST NAT) rule, as long as Clients initiate the session to servers, return traffic will be allowed .

On the other hand, if you have a need where SERVER can be a initiator of  session to Clients, you need DMZ>WAN CNAT ( SRC NAT).

 

If you have a need for both cases, you need NAT in both directions: WAN>DMZ CNAT ( DST NAT)  and DMZ>WAN CNAT ( SRC NAT).

 

2) Is there a difference in each way of doing this? why use a VIP over Central NAT rule for inbound traffic?

With out Central NAT, and using just VIP for inbound traffic, you will need multiple policies.

For example, if we have three servers : S1, S2, S3 in DMZ,  all these servers have internal IP addresses 10.10.10.1, 10.10.10.2, 10.10.10.3, and external IP addresses 199.199.199.1, 199.199.199.2, 199.199.3.

We will need three security policies to allow the above flows from external to DMZ in case of VIP

On the other hand, if we are using Central NAT, we can use single security policy . So obvious reason is scale ability.

 

Thanks 

 

 

 

 

 

 

 

Labels
Top Kudoed Authors