Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Jamshaid
New Contributor II

Created on ‎05-30-2023 11:17 PM

Converting ASA static NAT to Fortinet

Hi 

 

I have an example statement 

nat (inside,outside) source static obj-192.168.1.1 obj- 78.5.6.7

 

As per my understanding, this will work both ways in ASA, means either 78.5.6.7 is the originator or 192.168.1.1, this rule will work for both in ASA ( correct me if I am wrong here )

 

So if my understanding is right, how can we achieve the same in fortinet? Does fortinet also works the same way i.e one static 1-1 rule will cover both directions or we have to configure one SNAT and a corresponding DNAT for this to work.

 

 

 

Labels:
2761
0 Kudos
10 REPLIES 10
scan888
Contributor

Created on ‎05-30-2023 11:43 PM

Hi

ASA time is a long time ago.
I understand your rule as follow:
if traffic forward from inside to outside interface with destination IP 78.5.6.7, the source IP are changing to 192.168.1.1

(But my I'm also wrong ;))

 

To achive this on Fortinet do the following:

1. Create an "Adress Pool" object (pool: 192.168.1.1 - 192.168.1.1)

2. Create a matching firewall policy (source: your Server IP, destination: 78.5.6.7, service: what do you need)

2a: activate NAT on the firewall policy and select your created "pool".

 

That's it, more or less. ;)

- Have you found a solution? Then give your helper a "Like" and mark the solution.
- Have you found a solution? Then give your helper a "Like" and mark the solution.
2417
jintrah_FTNT
Staff
Staff

Created on ‎05-31-2023 12:32 AM

Hi,

 

One VIP statement should help cover 1-1 nat,

 

config firewall vip
    edit "Test"
        set extip 192.168.1.1 
        set mappedip 78.5.6.7 
        set extintf "any"
    next
end  

 

Best regards,

Jin

2407
0 Kudos
Jamshaid
New Contributor II
In response to jintrah_FTNT

Created on ‎05-31-2023 02:03 AM

This will provide bidirectional 1-1 NAT ?

2395
0 Kudos
Toshi_Esumi
SuperUser
SuperUser

Created on ‎05-31-2023 01:08 AM Edited on ‎05-31-2023 01:10 AM

You still need to configure another policy for out-to-in direction and put the VIP "Test" in the destination address. In other words, you need to a pair of policies, one for SNAT in in-to-out direction and another for VIP in out-to-in direction because PIX/ASA's NAT is bidirectional by default if you don't specify "unidirectional".

 

Toshi

2403
0 Kudos
Jamshaid
New Contributor II
In response to Toshi_Esumi

Created on ‎05-31-2023 01:54 AM

Just to add one more thing, the firewall is in policy based mode with central NAT enabled ( I don't know if this makes a difference or not but just sharing to avoid any confusion )

 

P.S when we say asa is bidirectional, it means 1-1 nat will work both ways no matter the originator ( as per my initial question )

2395
0 Kudos
srajeswaran
Staff
Staff
In response to Jamshaid

Created on ‎05-31-2023 02:57 AM

hi Jamshaid,

Yes, the static VIP with 1-1 mapping will work both ways (similar to the ASA behavior).

Regards,
Suraj
- Have you found a solution? Then give your helper a "Kudos" and mark the solution.
2382
0 Kudos
Jamshaid
New Contributor II
In response to srajeswaran

Created on ‎05-31-2023 05:46 AM

I have tested this in my lab, but if I configure vip only than dnat works but traffic wont move inside to outside, only outside to inside works, i created a snat from inside to out and now both translations work. 

 

 

lab.png

 

config firewall central-snat-map

set srcintf "port2"
set dstintf "port1"
set orig-addr "obj-192.168.10.4"
set dst-addr "all"
set nat-ippool "78.5.6.7"
next
end

 

config firewall vip
set extip 78.5.6.7
set mappedip "192.168.10.4"
set extintf "any"
next
end

 

my policy 

 

policy.png

2372
0 Kudos
scan888
Contributor
In response to Jamshaid

Created on ‎05-31-2023 11:11 AM

It depends what do you want to achive.

 

For outgoing traffic you need a S-NAT Rule:

- Create Policy and select your IP-Pool object

- this rule handle outgoing and incoming packets for a session initiate from inside

 

For incoming traffic you need another firewall policy with a VIP (virtual IP-Address) object

- Create a Virtual IP-address object (with matching external and internal IP)

- Create a reverse policy

- select for source your public IP and as destination your created VIP-object

 

config firewall vip
    edit <VIP-name>
        set extip <public IP>
        set mappedip <internal IP>
        set extintf "any"
    next
end
config firewall policy
    edit 0
        set name "<Policy Name>"
        set srcintf <Outside interface>
        set dstintf <inside interface>
        set action accept
        set srcaddr "all" <!-- or definied source IP addresses -->
        set dstaddr <your VIP Object>
        set schedule "always"
        set service <needed ports>
        set logtraffic all
    next
end
- Have you found a solution? Then give your helper a "Like" and mark the solution.
- Have you found a solution? Then give your helper a "Like" and mark the solution.
2361
0 Kudos
Jamshaid
New Contributor II
In response to scan888

Created on ‎05-31-2023 10:32 PM

Hi

 

Well in theory I want to achieve bidrectional nat (like asa) in a single rule, but I think it is not possible with fortigate.

 

I have to make SNAT and DNAT 

2348
0 Kudos
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.