Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Jamshaid
New Contributor II

Converting ASA static NAT to Fortinet

Hi 

 

I have an example statement 

nat (inside,outside) source static obj-192.168.1.1 obj- 78.5.6.7

 

As per my understanding, this will work both ways in ASA, means either 78.5.6.7 is the originator or 192.168.1.1, this rule will work for both in ASA ( correct me if I am wrong here )

 

So if my understanding is right, how can we achieve the same in fortinet? Does fortinet also works the same way i.e one static 1-1 rule will cover both directions or we have to configure one SNAT and a corresponding DNAT for this to work.

 

 

 

10 REPLIES 10
scan888
Contributor

Hi

ASA time is a long time ago.
I understand your rule as follow:
if traffic forward from inside to outside interface with destination IP 78.5.6.7, the source IP are changing to 192.168.1.1

(But my I'm also wrong ;))

 

To achive this on Fortinet do the following:

1. Create an "Adress Pool" object (pool: 192.168.1.1 - 192.168.1.1)

2. Create a matching firewall policy (source: your Server IP, destination: 78.5.6.7, service: what do you need)

2a: activate NAT on the firewall policy and select your created "pool".

 

That's it, more or less. ;)

- Have you found a solution? Then give your helper a "Like" and mark the solution.
- Have you found a solution? Then give your helper a "Like" and mark the solution.
jintrah_FTNT
Staff
Staff

Hi,

 

One VIP statement should help cover 1-1 nat,

 

config firewall vip
    edit "Test"
        set extip 192.168.1.1 
        set mappedip 78.5.6.7 
        set extintf "any"
    next
end  

 

Best regards,

Jin

Jamshaid

This will provide bidirectional 1-1 NAT ?

Toshi_Esumi
SuperUser
SuperUser

You still need to configure another policy for out-to-in direction and put the VIP "Test" in the destination address. In other words, you need to a pair of policies, one for SNAT in in-to-out direction and another for VIP in out-to-in direction because PIX/ASA's NAT is bidirectional by default if you don't specify "unidirectional".

 

Toshi

Jamshaid

Just to add one more thing, the firewall is in policy based mode with central NAT enabled ( I don't know if this makes a difference or not but just sharing to avoid any confusion )

 

P.S when we say asa is bidirectional, it means 1-1 nat will work both ways no matter the originator ( as per my initial question )

srajeswaran

hi Jamshaid,

Yes, the static VIP with 1-1 mapping will work both ways (similar to the ASA behavior).

Regards,
Suraj
- Have you found a solution? Then give your helper a "Kudos" and mark the solution.
Jamshaid

I have tested this in my lab, but if I configure vip only than dnat works but traffic wont move inside to outside, only outside to inside works, i created a snat from inside to out and now both translations work. 

 

 

lab.png

 

config firewall central-snat-map

set srcintf "port2"
set dstintf "port1"
set orig-addr "obj-192.168.10.4"
set dst-addr "all"
set nat-ippool "78.5.6.7"
next
end

 

config firewall vip
set extip 78.5.6.7
set mappedip "192.168.10.4"
set extintf "any"
next
end

 

my policy 

 

policy.png

scan888

It depends what do you want to achive.

 

For outgoing traffic you need a S-NAT Rule:

- Create Policy and select your IP-Pool object

- this rule handle outgoing and incoming packets for a session initiate from inside

 

For incoming traffic you need another firewall policy with a VIP (virtual IP-Address) object

- Create a Virtual IP-address object (with matching external and internal IP)

- Create a reverse policy

- select for source your public IP and as destination your created VIP-object

 

config firewall vip
    edit <VIP-name>
        set extip <public IP>
        set mappedip <internal IP>
        set extintf "any"
    next
end
config firewall policy
    edit 0
        set name "<Policy Name>"
        set srcintf <Outside interface>
        set dstintf <inside interface>
        set action accept
        set srcaddr "all" <!-- or definied source IP addresses -->
        set dstaddr <your VIP Object>
        set schedule "always"
        set service <needed ports>
        set logtraffic all
    next
end
- Have you found a solution? Then give your helper a "Like" and mark the solution.
- Have you found a solution? Then give your helper a "Like" and mark the solution.
Jamshaid
New Contributor II

Hi

 

Well in theory I want to achieve bidrectional nat (like asa) in a single rule, but I think it is not possible with fortigate.

 

I have to make SNAT and DNAT 

Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors