Migration of NAT/PAT rules from a Cisco ASA to a FortiGate FGT 40

IT_ZD · ‎04-17-2024

Hello everyone,

I hope you are all doing well.

I would like to convert my Cisco ASA NAT/PAT rules to a FortiGate FGT40. Can you guide me? I've tried, but I can't seem to find the source and destination of the PAT on the FortiGate.

ASA Rule pic :

Where can I find these categories

Source interface

Destination interface

Source

Destination

Service

Source

Destination

Can I have example of a Cisco ASA NAT/PAT rule and its equivalent configuration in FortiGate, if possible of course.

Thx indvance.

Reagrds.

johnathan · ‎04-17-2024

Here is an example of how FortiConverter handles converting the ASA NAT to the FortiGate NAT.
https://docs.fortinet.com/document/forticonverter/7.0.4/online-help/115689/cisco-pix-and-asa-nat-mer...
Hope this shines some more light on your question. If there is a specific query, let me know.

hbac · ‎04-18-2024

Hi @IT_ZD,

FortiGate has 2 NAT modes. Not sure which one you are using? Please check https://docs.fortinet.com/document/forticonverter-service/23.1.0/online-help/924520/policy-nat-vs-ce...

Regards,

IT_ZD · ‎04-18-2024

Hello Hbac,

Thank you for your return.

I have two types, NAT and PAT, as shown in the screenshot.

Now on the FGt I have activated the centralNAT to have access to nat and ip pool + VIP (activated by default).

The problem is that on the ASA it's simple, you have all the options for configuring NAT/PAT, but on FGT it's a little complicated because I've never used them and you have to change location to find the other parameter.

Now, I installed the Offline forticonverter (Withoutlicense) and I converted the cfg ASA, is the information displayed correct ? Can I introduce them as they are on the FGT, respecting the interfaces (In/Out) of course?

Reagrds.

hbac · ‎04-19-2024

@IT_ZD,

Yes, it is different on FortiGate. Source NAT is under "Central SNAT" while Destination NAT is under "DNAT & Virtual IPs". I'm not sure if you can use FortiConverter without a license. But it should work if you map interfaces correctly.

Regards,

IT_ZD · ‎04-21-2024

Hello Hbac,

Thank you for your return.

1- Should I add a new policies for the network source and destination by activating NAT/PAT?

2- Or activate NAT/PAT on already configured policies

3- Or not apply it to policies

Regards.

Dhruvin_patel · ‎04-21-2024

Greetings,

First of all, are you using policy NAT or Central NAT?

There are 2 NAT modes in FortiGate: policy NAT mode and central NAT mode. Policy NAT mode requires NATs to be configured inside firewall policies, which is the default mode that FortiGate uses. Central NAT mode separates NATs and policies into 2 independent modules so policies do not reference NAT objects.

If you use policy NAT, then enable the NAT in the firewall policy, like shown in this document: https://docs.fortinet.com/document/fortigate/7.4.3/administration-guide/898655/static-snat

If you are using central NAT, then you have to create a separate rule for NAT, like https://docs.fortinet.com/document/fortigate/7.4.3/administration-guide/421028/central-snat

Policy NAT is the simplest way to achieve NATting. Simply enable the NAT in the firewall policy, no need to configure additional NAT policies.

Select either way, it depends on the requirement.

Regards!

If you have found a solution, please like and accept it to make it easily accessible to others.

Dhruvin Patel