As per my understanding, this will work both ways in ASA, meaning whether 188.8.131.52 or 192.168.1.1 is the originator, this rule will work for both in ASA (correct me if I am wrong here).
So if my understanding is right, how can we achieve the same in Fortinet? Does Fortinet also work the same way, i.e. does one static 1-1 rule cover both directions, or do we have to configure one SNAT and a corresponding DNAT for this to work?
You still need to configure another policy for the out-to-in direction and put the VIP "Test" in the destination address. In other words, you need a pair of policies, one for SNAT in the in-to-out direction and another for the VIP in the out-to-in direction, because PIX/ASA's NAT is bidirectional by default if you don't specify "unidirectional".
I have tested this in my lab, but if I configure the VIP only, then DNAT works but traffic won't move from inside to outside; only outside to inside works. I created an SNAT from inside to out and now both translations work.
config firewall central-snat-map
    edit 1
        set srcintf "port2"
        set dstintf "port1"
        set orig-addr "obj-192.168.10.4"
        set dst-addr "all"
        set nat-ippool "184.108.40.206"
    next
end
config firewall vip
    edit "<vip name>"   # VIP entry name was not shown in the post
        set extip 220.127.116.11
        set mappedip "192.168.10.4"
        set extintf "any"
    next
end
- this rule handles outgoing and incoming packets for a session initiated from inside
For incoming traffic you need another firewall policy with a VIP (virtual IP address) object
- Create a Virtual IP address object (with matching external and internal IPs)
- Create a reverse policy
- select your public IP for the source and your created VIP object as the destination
config firewall vip
    edit "<VIP name>"
        set extip <public IP>
        set mappedip <internal IP>
        set extintf "any"
    next
end
config firewall policy
    edit 0   # 0 = next free policy ID
        set name "<Policy Name>"
        set srcintf <Outside interface>
        set dstintf <inside interface>
        set action accept
        set srcaddr "all"   # or defined source IP addresses
        set dstaddr <your VIP Object>
        set schedule "always"
        set service <needed ports>
        set logtraffic all
    next
end
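The complete pair discussed in this thread, written out as one added example (not taken from any post): a one-to-one IP pool feeding the central SNAT entry, the VIP, and the two policies that give the FortiGate the in-to-out and out-to-in halves that ASA's static NAT provides in a single rule. Central NAT mode, port2 as inside, port1 as outside, the address object "obj-192.168.10.4" and the public address 203.0.113.10 are all assumed values.

```fortios
# Added example, not from any post. Assumes central NAT mode, port2 = inside,
# port1 = outside, an existing address object "obj-192.168.10.4"; 203.0.113.10 and all object names are constructed.
config firewall ippool
    edit "pool-203.0.113.10"
        set type one-to-one
        set startip 203.0.113.10
        set endip 203.0.113.10
    next
end
# Inside-to-outside: translate the host's source address to the public IP.
config firewall central-snat-map
    edit 1
        set srcintf "port2"
        set dstintf "port1"
        set orig-addr "obj-192.168.10.4"
        set dst-addr "all"
        set nat-ippool "pool-203.0.113.10"
    next
end
# Outside-to-inside: the VIP maps the same public IP back to the internal host.
config firewall vip
    edit "vip-203.0.113.10"
        set extip 203.0.113.10
        set mappedip "192.168.10.4"
    next
end
# One policy per direction; keep the VIP policy's service list narrow, since it exposes the host.
config firewall policy
    edit 0
        set name "in-to-out-host"
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "obj-192.168.10.4"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 0
        set name "out-to-in-host"
        set srcintf "port1"
        set dstintf "port2"
        set srcaddr "all"
        set dstaddr "vip-203.0.113.10"
        set action accept
        set schedule "always"
        set service "HTTPS"
    next
end
```

Without the central SNAT entry only the VIP half exists, which is exactly the one-directional behaviour reported in the lab test above.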