Hello everyone,
I hope you are all doing well.
I would like to convert my Cisco ASA NAT/PAT rules to a FortiGate FGT40. Can you guide me? I've tried, but I can't seem to find the source and destination of the PAT on the FortiGate.
ASA rule pic:
Where can I find these categories?
Source interface
Destination interface
Source
Destination
Service
Source
Destination
Can I have an example of a Cisco ASA NAT/PAT rule and its equivalent configuration in FortiGate, if possible of course?
Thanks in advance.
Regards.
Here is an example of how FortiConverter handles converting the ASA NAT to the FortiGate NAT.
https://docs.fortinet.com/document/forticonverter/7.0.4/online-help/115689/cisco-pix-and-asa-nat-mer...
Hope this shines some more light on your question. If there is a specific query, let me know.
Hi @IT_ZD,
FortiGate has 2 NAT modes. Not sure which one you are using? Please check https://docs.fortinet.com/document/forticonverter-service/23.1.0/online-help/924520/policy-nat-vs-ce...
Regards,
Hello Hbac,
Thank you for your return.
I have two types, NAT and PAT, as shown in the screenshot.
Now on the FGT I have activated central NAT to have access to NAT and IP pool + VIP (activated by default).
The problem is that on the ASA it's simple, you have all the options for configuring NAT/PAT, but on FGT it's a little complicated because I've never used them and you have to change location to find the other parameter.
Now, I installed the offline FortiConverter (without license) and I converted the ASA cfg. Is the information displayed correct? Can I introduce them as they are on the FGT, respecting the interfaces (In/Out) of course?
Regards.
Yes, it is different on FortiGate. Source NAT is under "Central SNAT" while Destination NAT is under "DNAT & Virtual IPs". I'm not sure if you can use FortiConverter without a license. But it should work if you map interfaces correctly.
Regards,
Hello Hbac,
Thank you for your return.
1- Should I add new policies for the network source and destination by activating NAT/PAT?
2- Or activate NAT/PAT on already configured policies?
3- Or not apply it to policies?
Regards.
Greetings,
First of all, are you using policy NAT or Central NAT?
There are 2 NAT modes in FortiGate: policy NAT mode and central NAT mode. Policy NAT mode requires NATs to be configured inside firewall policies, which is the default mode that FortiGate uses. Central NAT mode separates NATs and policies into 2 independent modules so policies do not reference NAT objects.
If you use policy NAT, then enable the NAT in the firewall policy, as shown in this document: https://docs.fortinet.com/document/fortigate/7.4.3/administration-guide/898655/static-snat
If you are using central NAT, then you have to create a separate rule for NAT, like https://docs.fortinet.com/document/fortigate/7.4.3/administration-guide/421028/central-snat
Policy NAT is the simplest way to achieve NATting. Simply enable the NAT in the firewall policy, no need to configure additional NAT policies.
Select either way, it depends on the requirement.
Regards!
If you have found a solution, please like and accept it to make it easily accessible to others.
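The two modes described in the reply above, side by side, as an added FortiOS CLI illustration that is not part of the original thread and is not Fortinet's own example. It covers source translation only. It assumes the FortiGate interfaces and address objects carry the names quoted from the ASA rule elsewhere in this thread (Inter_F, Dja_S, SRV-SZZ, Dja-01); the pool name NAT-SW-pool and the address 192.0.2.10 are constructed placeholders.

```fortios
# Constructed example: the pool name and 192.0.2.10 are placeholders.
# type overload   = many-to-one with port translation (PAT)
# type one-to-one = static address translation without PAT
config firewall ippool
    edit "NAT-SW-pool"
        set type overload
        set startip 192.0.2.10
        set endip 192.0.2.10
    next
end

# --- Option A: policy NAT mode (the default) ---
# SNAT is a property of the firewall policy that permits the traffic.
config firewall policy
    edit 0
        set name "SRV-SZZ-to-Dja-01"
        set srcintf "Inter_F"
        set dstintf "Dja_S"
        set srcaddr "SRV-SZZ"
        set dstaddr "Dja-01"
        set schedule "always"
        set service "ALL"
        set action accept
        set nat enable
        set ippool enable
        set poolname "NAT-SW-pool"
    next
end

# --- Option B: central NAT mode ---
# The policy above is kept without nat/ippool/poolname; it only permits
# the traffic. The translation lives in its own central SNAT rule.
config system settings
    set central-nat enable
end
config firewall central-snat-map
    edit 0
        set srcintf "Inter_F"
        set dstintf "Dja_S"
        set orig-addr "SRV-SZZ"
        set dst-addr "Dja-01"
        set nat-ippool "NAT-SW-pool"
    next
end
```

Use one option or the other, not both: once central NAT is enabled, the firewall policy no longer carries NAT settings, so a permitting policy with no matching central SNAT rule forwards the traffic untranslated.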
Hello Dhruvin_patel,
Thank you for your return and information.
At the moment, central NAT is activated, but I still can't reproduce the Cisco NAT on the Fortinet.
Could you help me translate this first line of the ASA (I'm attaching the image), knowing that the objects and groups have been created?
ASA:
Source Interface | Destination Interface | Source | Destination | Service | Source | Destination |
---|---|---|---|---|---|---|
Inter_F | Dja_S | SRV-SZZ | Dja-01 | Any | NAT-SW | NAT-SA |
Regards.
Copyright 2024 Fortinet, Inc. All Rights Reserved.