Convert ASA Static NAT to Fortigate DNAT VIP
Hi,
I need some help with an ASA to FGT conversion. I used FortiConverter but was not confident of the output, so I did this manually.
Can someone confirm if the config conversion below is correct? This is just a NAT between two internal networks.
!! ASA
interface Port-channel20.61
 nameif outside
 security-level 0
 ip address 172.16.248.78 255.255.255.248
interface Port-channel20.60
 nameif inside
 security-level 100
 ip address 172.16.248.70 255.255.255.248
object network obj-172.18.7.7
 host 172.18.7.7
 nat (outside,inside) static 172.29.13.1
route outside 172.18.7.0 255.255.255.0 172.16.248.77 1
route inside 172.29.0.0 255.255.0.0 172.16.248.69 1
-----
!! FGT
config firewall vip
    edit "vip-172.29.13.1"
        set extip 172.18.7.7
        set mappedip "172.29.13.1"
        set extintf "po20.60"
    next
end
config firewall policy
    edit 1
        set srcintf "po20.61"
        set dstintf "po20.60"
        set srcaddr "all"
        set dstaddr "vip-172.29.13.1"
        set service "ALL"
        set schedule "always"
        set status enable
        set action accept
        set nat disable
    next
end
Hello johnlloyd_13,
Thank you for using the Community Forum. I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible.
Thanks,
Hello again,
The conversion from ASA to FortiGate using FortiConverter for a NAT between two internal networks appears mostly correct, but there are a few points to consider:
- VIP Configuration: The `extip` should be the external IP address that is visible to the outside network, and `mappedip` should be the internal IP address. In your FortiGate configuration, it seems you have set `extip` as `172.18.7.7` and `mappedip` as `172.29.13.1`. Ensure these are correctly mapped as per your network design.
- Firewall Policy: The policy should have `nat` enabled if you want to perform NAT. In your configuration, `set nat disable` is specified, which means NAT will not be performed. If NAT is required, change it to `set nat enable`.
- Interface Names: Ensure that the interface names (`po20.60` and `po20.61`) match the actual interface names on your FortiGate device.
- Routing: Ensure that the routing configurations on the FortiGate are set up to match the ASA's routing logic. This is not shown in your FortiGate configuration snippet.
- Service and Address Objects: Ensure that any service or address objects used in the ASA configuration are correctly translated to FortiGate objects. Make sure to test the configuration in a controlled environment before deploying it in production to ensure it behaves as expected.
Hope it helps you; if not, do not hesitate to tell us!
Created on 03-07-2025 03:19 AM, edited on 03-07-2025 03:19 AM
Hi,
Thanks for the feedback!
I guess I'll rely on and tweak the FortiConverter output and test it out.
Hi John,
I'm not used to ASA, but according to some Cisco docs, in your case the external IP 172.29.13.1 on the external interface 20.61 should be mapped to host 172.18.7.7 on the internal interface 20.60. So the VIP should be defined as follows:
config firewall vip
    edit "vip-172.29.13.1"
        set extip 172.29.13.1
        set mappedip 172.18.7.7
        set extintf "po20.61"
    next
end
The firewall rule looks fine.
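A mechanical way to settle the direction question, as an added example (this is a script written for this thread, not FortiConverter output and not any poster's config): in ASA object NAT, `nat (real_ifc,mapped_ifc) static mapped_ip` means the object's host is the real, untranslated address that sits behind real_ifc, and mapped_ip is the address hosts on mapped_ifc use to reach it. In the posted ASA config real_ifc is outside (Port-channel20.61, which also carries the route to 172.18.7.0/24) and mapped_ifc is inside (Port-channel20.60, with the route to 172.29.0.0/16). Carried over to FortiGate, the VIP therefore faces the mapped side: extintf po20.60, extip 172.29.13.1, mappedip 172.18.7.7, and the accept policy runs from po20.60 to po20.61 with NAT disabled, because the VIP already rewrites the destination and `set nat enable` would add source NAT on top. The script parses the ASA snippet from the post and emits that VIP and policy; the Port-channel20.x to po20.x interface naming is an assumption taken from the poster's own FortiGate config.

```python
"""ASA static object NAT -> FortiGate VIP + policy, applied to the thread's snippet.
Added example; not FortiConverter output and not the original poster's config."""
import re
from dataclasses import dataclass

# Constructed input: the ASA lines from the original post, indentation restored.
ASA_CONFIG = """
interface Port-channel20.61
 nameif outside
 security-level 0
 ip address 172.16.248.78 255.255.255.248
interface Port-channel20.60
 nameif inside
 security-level 100
 ip address 172.16.248.70 255.255.255.248
object network obj-172.18.7.7
 host 172.18.7.7
 nat (outside,inside) static 172.29.13.1
"""


@dataclass
class StaticNat:
    real_ifc: str    # nameif behind which the real (untranslated) host lives
    mapped_ifc: str  # nameif from which the host is reached as mapped_ip
    real_ip: str
    mapped_ip: str


def parse_interfaces(text: str) -> dict:
    """Return {nameif: physical interface}, e.g. {"inside": "Port-channel20.60"}."""
    ifcs, current = {}, None
    for line in text.splitlines():
        m = re.match(r"^\s*interface\s+(\S+)", line)
        if m:
            current = m.group(1)
            continue
        m = re.match(r"^\s*nameif\s+(\S+)", line)
        if m and current:
            ifcs[m.group(1)] = current
    return ifcs


def parse_static_nats(text: str) -> list:
    """Collect 'nat (real,mapped) static X' lines that follow an 'object network ... host'."""
    nats, host = [], None
    for line in text.splitlines():
        if re.match(r"^\s*object network", line):
            host = None  # new object: forget the previous host
        m = re.match(r"^\s*host\s+(\S+)", line)
        if m:
            host = m.group(1)
            continue
        m = re.match(r"^\s*nat\s+\((\S+),(\S+)\)\s+static\s+(\S+)\s*$", line)
        if m and host:
            nats.append(StaticNat(m.group(1), m.group(2), host, m.group(3)))
    return nats


def fgt_ifname(asa_ifname: str) -> str:
    """Assumption: FortiGate names follow the poster's convention (Port-channel20.60 -> po20.60)."""
    return asa_ifname.replace("Port-channel", "po")


def to_fortigate(nat: StaticNat, ifcs: dict, policy_id: int = 1) -> tuple:
    """Mapped side -> VIP extintf/extip; real host -> mappedip; policy runs mapped -> real."""
    ext_intf = fgt_ifname(ifcs[nat.mapped_ifc])
    real_intf = fgt_ifname(ifcs[nat.real_ifc])
    vip = {"name": f"vip-{nat.mapped_ip}", "extip": nat.mapped_ip,
           "mappedip": nat.real_ip, "extintf": ext_intf}
    # nat disable: the VIP rewrites the destination; 'set nat enable' would also
    # source-NAT the session to the egress interface address.
    policy = {"id": policy_id, "srcintf": ext_intf, "dstintf": real_intf,
              "dstaddr": vip["name"], "nat": "disable"}
    return vip, policy


def render(vip: dict, policy: dict) -> str:
    """Emit FortiOS CLI for the VIP and its accept policy."""
    return "\n".join([
        "config firewall vip",
        f'    edit "{vip["name"]}"',
        f'        set extip {vip["extip"]}',
        f'        set mappedip "{vip["mappedip"]}"',
        f'        set extintf "{vip["extintf"]}"',
        "    next",
        "end",
        "config firewall policy",
        f'    edit {policy["id"]}',
        f'        set srcintf "{policy["srcintf"]}"',
        f'        set dstintf "{policy["dstintf"]}"',
        '        set srcaddr "all"',
        f'        set dstaddr "{policy["dstaddr"]}"',
        '        set service "ALL"',
        '        set schedule "always"',
        "        set action accept",
        f'        set nat {policy["nat"]}',
        "    next",
        "end",
    ])


def convert(asa_text: str) -> str:
    """Translate every static object NAT found in asa_text into FortiOS CLI."""
    ifcs = parse_interfaces(asa_text)
    return "\n".join(render(*to_fortigate(n, ifcs, i + 1))
                     for i, n in enumerate(parse_static_nats(asa_text)))


if __name__ == "__main__":
    print(convert(ASA_CONFIG))
```

One caveat the script does not cover: ASA static NAT is bidirectional, so on the ASA 172.18.7.7 can also initiate connections toward inside and is seen there as 172.29.13.1. A FortiGate VIP only translates the direction toward extip; if that reverse direction is actually used, it needs a second policy from po20.61 to po20.60 with `set nat enable` and a one-to-one IP pool (`config firewall ippool`, `set type one-to-one`) holding 172.29.13.1. Whether it is needed depends on which side opens the sessions, which the ASA config alone does not tell you.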
