Support Forum
anandhubs
New Contributor II

NAT in internal policy

In an 81E FortiGate firewall, NAT is enabled on the policy created between port 1 and port 1, which are internal networks. Can anyone explain the working of NAT in that policy?


tthrilok
Staff

Hi Anand,

 

Thank you for your query!

 

I understand you want to know what happens with NAT when you create a policy whose "from" and "to" interfaces are the same, is that right?

Could you please confirm if the source and destination both are in the same network?

Could you please also elaborate what is the purpose of creating a policy with source and destination interface as same?

 

anandhubs
New Contributor II

They are two different private networks. One starts with 192.168 and the other with 10.168. The incoming interface is port 1 and the outgoing interface is port 2.

They created two policies with the same source IPs and destination IPs, and in one policy they enabled NAT.

Both policies are working.

In the policy in which they enabled NAT, the destination IPs are created as a group. That is the only difference.

 

tthrilok
Staff

Hi Anand,

 

Your update is noted, so I understand you have created two policies:

Where source interface, destination interface, source range and destination range are same, however in one policy NAT is enabled and in another it is not.

 

If this is the case, the firewall usually matches the policies from top to bottom.

 

In your scenario, if you have placed the policy with NAT at the top and the no-NAT policy at the bottom, then the traffic matches the first policy and NAT always happens.

 

If the no-NAT policy is on top, then NAT doesn't happen.

anandhubs
New Contributor II

But there is traffic in both policies. How will NAT work between two internal interfaces?

 

kvimaladevi

Hi anandhubs,

 

Could you right-click on each policy and check the "Show Matching Logs" option? We can see the traffic that hit those policies. You should be able to see some difference in the traffic that is hitting them.

Traffic from the same source to the same destination will not hit two policies randomly, as matching follows a top-down approach and always hits the topmost matching policy.

 

Regards,

Vimala

anandhubs

While checking the matching logs, it shows the policy in which NAT is enabled. It hits the local DNS. I think the customer uses a URL in the browser. Can you brief the working of NAT in that scenario, meaning between two internal interfaces?

kvimaladevi

Hi anandhubs,

 

Usually NAT is used to translate the source or destination IP address of a client or server on the network interface. When you enable NAT on the policy, the traffic will get NATed with the IP address of the outgoing interface, and the receiver will not be able to see the exact source IP.

If you have added an IP pool in the policy rather than choosing "Outgoing Interface Address", the traffic will be NATed with the IP in the configured pool.

Regards,

Vimala
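The two answers above describe the behaviour (tthrilok: policies are evaluated top-down, so only the first match applies; kvimaladevi: with NAT enabled the source address becomes the outgoing interface IP or an IP-pool address) without showing the configuration. The following FortiOS CLI fragment is an added example, not configuration posted in this thread or by the original poster. The interface names port1/port2, the address objects, the policy IDs 10 and 11 and the pool address 10.168.1.254 are assumptions chosen to match the 192.168.x and 10.168.x networks mentioned above; lines starting with `#` are explanatory comments, not CLI input.

```fortios
# Added example: two port1->port2 policies with identical match criteria,
# the upper one doing source NAT from an IP pool. All names, IDs and
# addresses below are assumed for illustration.
config firewall address
    edit "NET-192.168.1.0"
        set subnet 192.168.1.0 255.255.255.0
    next
    edit "NET-10.168.1.0"
        set subnet 10.168.1.0 255.255.255.0
    next
end

# One-to-many (overload) pool with a single address: every client behind
# port1 appears to hosts in 10.168.1.0/24 as 10.168.1.254.
config firewall ippool
    edit "LAN-SNAT-POOL"
        set type overload
        set startip 10.168.1.254
        set endip 10.168.1.254
    next
end

config firewall policy
    # Policy 10: NAT enabled.
    #   "set ippool enable" + poolname -> server sees 10.168.1.254
    #   "set ippool disable" (Outgoing Interface Address in the GUI)
    #                                 -> server sees port2's own IP
    # Either way the server never sees the client's 192.168.1.x address.
    edit 10
        set name "LAN1-to-LAN2-SNAT"
        set srcintf "port1"
        set dstintf "port2"
        set srcaddr "NET-192.168.1.0"
        set dstaddr "NET-10.168.1.0"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set nat enable
        set ippool enable
        set poolname "LAN-SNAT-POOL"
    next
    # Policy 11: same match criteria, NAT disabled. Because lookup is
    # top-down and policy 10 already matches, this policy is shadowed and
    # never sees the traffic until it is moved above policy 10
    # ("move 11 before 10" inside "config firewall policy").
    edit 11
        set name "LAN1-to-LAN2-NO-NAT"
        set srcintf "port1"
        set dstintf "port2"
        set srcaddr "NET-192.168.1.0"
        set dstaddr "NET-10.168.1.0"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set nat disable
    next
end
```

To confirm from the CLI which policy a flow hit and whether it was translated, filter the session table on the client and list it: `diagnose sys session filter src 192.168.1.10` followed by `diagnose sys session list`. A translated session carries `policy_id=10` and an `act=snat` hook line whose parenthesised address is the pool or port2 IP; an untranslated one shows `act=noop`. Sniffing on the egress side with `diagnose sniffer packet port2 'host 10.168.1.5 and port 53' 4 3` (assumed DNS server address) shows the packets leaving with the translated source rather than 192.168.1.x. The practical consequence for the DNS case in this thread: the DNS server's own logs record 10.168.1.254 (or port2's address) for every client, so per-client attribution during an investigation has to come from the FortiGate traffic log, which is why `set logtraffic all` is kept on both policies.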
