Converting ASA static NAT to Fortinet
Hi
I have an example statement
nat (inside,outside) source static obj-192.168.1.1 obj-78.5.6.7
As per my understanding, this will work both ways in ASA, meaning whether 78.5.6.7 or 192.168.1.1 is the originator, this rule will work for both in ASA (correct me if I am wrong here).
So if my understanding is right, how can we achieve the same in Fortinet? Does Fortinet also work the same way, i.e. one static 1-1 rule covers both directions, or do we have to configure one SNAT and a corresponding DNAT for this to work?
Labels: FortiGate
Hi
My ASA time was a long time ago.
I understand your rule as follows:
if traffic is forwarded from the inside to the outside interface with destination IP 78.5.6.7, the source IP is changed to 192.168.1.1
(But maybe I'm also wrong ;))
To achieve this on Fortinet do the following:
1. Create an "Address Pool" object (pool: 192.168.1.1 - 192.168.1.1)
2. Create a matching firewall policy (source: your Server IP, destination: 78.5.6.7, service: what do you need)
2a: activate NAT on the firewall policy and select your created "pool".
That's it, more or less. ;)
Hi,
One VIP statement should cover 1-1 NAT,
config firewall vip
    edit "Test"
        # extip is the address seen on the outside (the ASA "mapped" object),
        # mappedip is the real host behind the FortiGate
        set extip 78.5.6.7
        set mappedip 192.168.1.1
        set extintf "any"
    next
end
Best regards,
Jin
This will provide bidirectional 1-1 NAT?
You still need to configure another policy for the out-to-in direction and put the VIP "Test" in the destination address. In other words, you need a pair of policies, one for SNAT in the in-to-out direction and another for the VIP in the out-to-in direction, because PIX/ASA's NAT is bidirectional by default if you don't specify "unidirectional".
Toshi
Just to add one more thing: the firewall is in policy-based mode with central NAT enabled (I don't know if this makes a difference or not, but just sharing to avoid any confusion).
P.S. When we say ASA is bidirectional, it means 1-1 NAT will work both ways no matter the originator (as per my initial question).
Hi Jamshaid,
Yes, the static VIP with 1-1 mapping will work both ways (similar to the ASA behavior).
Suraj
I have tested this in my lab, but if I configure the VIP only, then DNAT works but traffic won't move from inside to outside; only outside to inside works. I created an SNAT from inside to out and now both translations work.
# "edit" lines were missing from the post: 0 lets FortiOS pick the next free ID,
# and the VIP name is illustrative
config firewall central-snat-map
    edit 0
        set srcintf "port2"
        set dstintf "port1"
        set orig-addr "obj-192.168.10.4"
        set dst-addr "all"
        set nat-ippool "78.5.6.7"
    next
end
config firewall vip
    edit "vip-78.5.6.7"
        set extip 78.5.6.7
        set mappedip "192.168.10.4"
        set extintf "any"
    next
end
my policy
It depends on what you want to achieve.
For outgoing traffic you need an S-NAT rule:
- Create a policy and select your IP-Pool object
- this rule handles outgoing and incoming packets for a session initiated from inside
For incoming traffic you need another firewall policy with a VIP (virtual IP address) object:
- Create a Virtual IP address object (with matching external and internal IP)
- Create a reverse policy
- select your public IP as source and your created VIP object as destination
config firewall vip
    edit <VIP-name>
        set extip <public IP>
        set mappedip <internal IP>
        set extintf "any"
    next
end
config firewall policy
    edit 0
        set name "<Policy Name>"
        set srcintf <Outside interface>
        set dstintf <inside interface>
        set action accept
        # "all", or the defined source IP addresses
        set srcaddr "all"
        set dstaddr <your VIP Object>
        set schedule "always"
        set service <needed ports>
        set logtraffic all
    next
end
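The conversion the thread arrives at (VIP plus inbound policy for the out-to-in half, central SNAT map plus outbound policy for the in-to-out half, and nothing for the inbound half when the ASA rule carries "unidirectional") can be scripted. The following is an added example, not code from the thread or from Fortinet: it parses one ASA `nat ... source static` line and emits the FortiOS CLI stanzas. The ASA object table, the nameif-to-port mapping (inside -> port2, outside -> port1, as in the lab config above), and the address, pool, VIP and policy names are assumptions; `edit 0` asks FortiOS for the next free ID, as the policy example above does.

```python
"""Translate one ASA 'nat (real_if,mapped_if) source static REAL MAPPED' rule into
the FortiGate objects this thread ends up with: an address object, a one-to-one
IP pool, a central SNAT map plus the outbound policy, and, unless the ASA rule is
marked 'unidirectional', a VIP plus the inbound policy.

Added example, not code from the thread. Interface names, object names and
policy names below are assumptions; 'edit 0' asks FortiOS for the next free ID.
"""
import re
from dataclasses import dataclass

# Constructed sample input mirroring the thread's rule; the ASA object names
# must be resolved to hosts by the caller (here: a hand-written table).
EXAMPLE_RULE = "nat (inside,outside) source static obj-192.168.1.1 obj-78.5.6.7"
OBJECTS = {"obj-192.168.1.1": "192.168.1.1", "obj-78.5.6.7": "78.5.6.7"}
IFMAP = {"inside": "port2", "outside": "port1"}  # assumed ASA nameif -> FortiGate port

ASA_STATIC_RE = re.compile(
    r"^nat\s+\((?P<real_if>[^,]+),(?P<mapped_if>[^)]+)\)\s+source\s+static\s+"
    r"(?P<real_obj>\S+)\s+(?P<mapped_obj>\S+)(?P<opts>(?:\s+\S+)*)\s*$"
)


@dataclass(frozen=True)
class StaticNat:
    real_if: str          # ASA nameif on the real (inside) side
    mapped_if: str        # ASA nameif on the mapped (outside) side
    real_ip: str          # host behind the firewall
    mapped_ip: str        # public address it is translated to
    unidirectional: bool  # ASA keyword that suppresses the inbound half


def parse_asa_static(line: str, objects: dict) -> StaticNat:
    m = ASA_STATIC_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a 'nat ... source static' rule: {line!r}")
    return StaticNat(
        real_if=m["real_if"].strip(),
        mapped_if=m["mapped_if"].strip(),
        real_ip=objects[m["real_obj"]],      # KeyError if the ASA object is unknown
        mapped_ip=objects[m["mapped_obj"]],
        unidirectional="unidirectional" in m["opts"].split(),
    )


def _block(table: str, key: str, settings: list) -> str:
    """Render one 'config <table> / edit <key> / set ... / next / end' stanza."""
    lines = [f"config {table}", f"    edit {key}"]
    lines += [f"        set {s}" for s in settings]
    lines += ["    next", "end"]
    return "\n".join(lines)


def to_fortigate(nat: StaticNat, ifmap: dict, service: str = "ALL") -> str:
    """Central-NAT mode (the OP's setup): SNAT lives in central-snat-map, so the
    outbound policy only permits traffic and carries no 'set nat enable'."""
    in_if, out_if = ifmap[nat.real_if], ifmap[nat.mapped_if]
    addr, pool, vip = f"h-{nat.real_ip}", f"pool-{nat.mapped_ip}", f"vip-{nat.mapped_ip}"
    policy_common = ["action accept", 'schedule "always"', f'service "{service}"', "logtraffic all"]
    stanzas = [
        _block("firewall address", f'"{addr}"',
               [f"subnet {nat.real_ip} 255.255.255.255"]),
        _block("firewall ippool", f'"{pool}"',
               ["type one-to-one", f"startip {nat.mapped_ip}", f"endip {nat.mapped_ip}"]),
        # inside -> outside: source 192.168.1.1 leaves as 78.5.6.7
        _block("firewall central-snat-map", "0",
               [f'srcintf "{in_if}"', f'dstintf "{out_if}"', f'orig-addr "{addr}"',
                'dst-addr "all"', f'nat-ippool "{pool}"']),
        _block("firewall policy", "0",
               [f'name "out-{nat.real_ip}"', f'srcintf "{in_if}"', f'dstintf "{out_if}"',
                f'srcaddr "{addr}"', 'dstaddr "all"', *policy_common]),
    ]
    if not nat.unidirectional:
        # outside -> inside: connections to 78.5.6.7 are delivered to 192.168.1.1
        stanzas += [
            _block("firewall vip", f'"{vip}"',
                   [f"extip {nat.mapped_ip}", f'mappedip "{nat.real_ip}"', 'extintf "any"']),
            _block("firewall policy", "0",
                   [f'name "in-{nat.mapped_ip}"', f'srcintf "{out_if}"', f'dstintf "{in_if}"',
                    'srcaddr "all"', f'dstaddr "{vip}"', *policy_common]),
        ]
    return "\n".join(stanzas) + "\n"


if __name__ == "__main__":
    print(to_fortigate(parse_asa_static(EXAMPLE_RULE, OBJECTS), IFMAP))
```

The output assumes central NAT is enabled (`set central-nat enable` under `config system settings`), which is the OP's setup; on a firewall without central NAT the SNAT half is instead the IP pool selected on the outbound policy, as the first reply describes. Review the generated `service "ALL"` before pasting: the ASA static rule translates addresses only, and the FortiGate policy pair is also what decides which ports are reachable.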
Hi
Well, in theory I want to achieve bidirectional NAT (like ASA) in a single rule, but I think it is not possible with FortiGate.
I have to make SNAT and DNAT.
