Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
IT_ZD
New Contributor III

Created on ‎04-17-2024 08:10 AM Edited on ‎04-17-2024 08:14 AM

Migration of NAT/PAT rules from a Cisco ASA to a FortiGate FGT 40

Hello everyone,

 

I hope you are all doing well.

 

I would like to convert my Cisco ASA NAT/PAT rules to a FortiGate FGT40. Can you guide me? I've tried, but I can't seem to find the source and destination of the PAT on the FortiGate.

 

ASA Rule pic :

Nat.JPG

 

Where can I find these categories

 

Source interface

Destination interface

Source

Destination

Service

Source

Destination


Can I have example of a Cisco ASA NAT/PAT rule and its equivalent configuration in FortiGate, if possible of course.

 

Thx indvance.

 

Reagrds.

 

 

Labels:
1477
0 Kudos
7 REPLIES 7
johnathan
Staff
Staff

Created on ‎04-17-2024 08:23 AM

Here is an example of how FortiConverter handles converting the ASA NAT to the FortiGate NAT.
https://docs.fortinet.com/document/forticonverter/7.0.4/online-help/115689/cisco-pix-and-asa-nat-mer...
Hope this shines some more light on your question. If there is a specific query, let me know.

"Never trust a computer you can't throw out a window."
1464
0 Kudos
hbac
Staff
Staff

Created on ‎04-18-2024 07:27 AM

Hi @IT_ZD,

 

FortiGate has 2 NAT modes. Not sure which one you are using? Please check https://docs.fortinet.com/document/forticonverter-service/23.1.0/online-help/924520/policy-nat-vs-ce...

 

Regards, 

1395
0 Kudos
IT_ZD
New Contributor III
In response to hbac

Created on ‎04-18-2024 08:22 AM

Hello Hbac,

Thank you for your return.

 

I have two types, NAT and PAT, as shown in the screenshot.

 

Now on the FGt I have activated the centralNAT to have access to nat and ip pool + VIP (activated by default).

 

The problem is that on the ASA it's simple, you have all the options for configuring NAT/PAT, but on FGT it's a little complicated because I've never used them and you have to change location to find the other parameter.

 

Now, I installed the Offline forticonverter (Withoutlicense) and I converted the cfg ASA, is the information displayed correct ? Can I introduce them as they are on the FGT, respecting the interfaces (In/Out) of course?

 

Reagrds.

 

1386
0 Kudos
hbac
Staff
Staff
In response to IT_ZD

Created on ‎04-19-2024 07:32 AM

@IT_ZD,

 

Yes, it is different on FortiGate. Source NAT is under "Central SNAT" while Destination NAT is under "DNAT & Virtual IPs". I'm not sure if you can use FortiConverter without a license. But it should work if you map interfaces correctly. 

 

Regards, 

1360
0 Kudos
IT_ZD
New Contributor III

Created on ‎04-21-2024 06:55 AM

Hello Hbac,

 

Thank you for your return.

 

1- Should I add a new policies for the network source and destination by activating NAT/PAT?

2- Or activate NAT/PAT on already configured policies

3- Or not apply it to policies

 

Regards.

 

1333
0 Kudos
Dhruvin_patel
Staff
Staff

Created on ‎04-21-2024 07:37 AM

Greetings,

 

First of all, are you using policy NAT or Central NAT?

There are 2 NAT modes in FortiGate: policy NAT mode and central NAT mode. Policy NAT mode requires NATs to be configured inside firewall policies, which is the default mode that FortiGate uses. Central NAT mode separates NATs and policies into 2 independent modules so policies do not reference NAT objects.

 

If you use policy NAT, then enable the NAT in the firewall policy, like shown in this document: https://docs.fortinet.com/document/fortigate/7.4.3/administration-guide/898655/static-snat

 

If you are using central NAT, then you have to create a separate rule for NAT, like https://docs.fortinet.com/document/fortigate/7.4.3/administration-guide/421028/central-snat

 

Policy NAT is the simplest way to achieve NATting. Simply enable the NAT in the firewall policy, no need to configure additional NAT policies. 

 

Select either way, it depends on the requirement. 

 

Regards!

If you have found a solution, please like and accept it to make it easily accessible to others.

Dhruvin Patel
1328
0 Kudos
IT_ZD
New Contributor III
In response to Dhruvin_patel

Created on ‎05-28-2024 07:41 AM

Hello Dhruvin_patel,

 

Thank you for yout return and informations.

 

At the moment, the central NAT is activated, but I still can't reproduce the cisco NAT to the Fortinet.

Could you help me with translate this first line of the ASA (I'm attaching the image), knowing that the objects and groups have been created.

 

ASA:

Source Interface

Destination Interface

Source

Destination

Service

Source

Destination

Inter_F

Dja_S

SRV-SZZ

Dja-01

Any

NAT-SW

NAT-SA

 

Ragrds.

1083
0 Kudos
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.