Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
anandhubs
New Contributor II

NAT in internal policy

In a 81e fortigate firewall Nat is enabled between the policy created between port 1 and port 1 which are internal networks.Can anyone explain the working of NAT in that policy.

1 Solution
kvimaladevi

Hi anandhubs,

 

Usually a NAT is to translate the source or destination IP address of a client or server on the network interface. When you enable NAT on the policy, the traffic will get Natted with the IP address of the outgoing interface and the receiver will not be able to see the exact source IP. 

If you have added any IP pool in the policy rather than choosing "Outgoing Interface Address", the traffic will be Natted with the IP in the configured Pool.

Regards,

Vimala

View solution in original post

7 REPLIES 7
tthrilok
Staff
Staff

Hi Anand,

 

Thank you for your query!

 

I understand you want to what happens with NAT when you created a policy from and to as same is it?

Could you please confirm if the source and destination both are in the same network?

Could you please also elaborate what is the purpose of creating a policy with source and destination interface as same?

 

anandhubs
New Contributor II

they are two different private networks.one is starting with 192.168 and other one is 10.168.incoming interface is port 1 and outgoing interface is port 2.

 they created two policies with same source ips and destination ips and in one policy they enabled NAT.

 both the policies are working.

the policy in which they enabled NAT, destination ips are created as a group.that is the only difference.

 

tthrilok
Staff
Staff

Hi Anand,

 

Your update is noted, so I understand you have created two policies:

Where source interface, destination interface, source range and destination range are same, however in one policy NAT is enabled and in another it is not.

 

If this is the case, usually firewall matches the policies from top to bottom.

 

In your scenario, if you have placed the policy with NAT at the top and no-nat policy at the bottom, then traffic matches the first policy and always NAT happens.

 

If no-nat policy is on top, then NAT doesn't happen.

anandhubs
New Contributor II

But there is traffic in both policies.but how NAT will work between two internal interfaces ?

 

kvimaladevi

Hi anandhubs,

 

Could you right click on each policy and check the "show matching logs" option. We can see the traffic that hit those policies. You should be able to see some difference in the traffic that is hitting them.

The traffic from the same source to the same destination will not hit 2 policies randomly as it flows a top-down approach and will hit the topmost matching policy always.

 

Regards,

Vimala

anandhubs

While checking the matching  logs it's shows the policy in which NAT is enabled.its hits the local DNS.I think customer uses url in browser.Can you brief the working of NAT in that scenario means between two internal interfaces ?

kvimaladevi

Hi anandhubs,

 

Usually a NAT is to translate the source or destination IP address of a client or server on the network interface. When you enable NAT on the policy, the traffic will get Natted with the IP address of the outgoing interface and the receiver will not be able to see the exact source IP. 

If you have added any IP pool in the policy rather than choosing "Outgoing Interface Address", the traffic will be Natted with the IP in the configured Pool.

Regards,

Vimala

Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors