We've moving from a Cisco shop to a Fortinet shop, but I'm having problems understanding NATing on the FortiGates when Central SNAT is being used. We've used FortiConverter to convert the Firepower to the FortiGate, and besides the interfaces on the NAT statements being incorrect (referencing the physical interface and not the VPN interface), I'm having a hard time deciding if the proper NAT statements were created. Take this example:
We have a vendor who has some equipment in one of our DMZs, and we have a site-to-site VPN configured between our two locations. Their NMS will be querying their equipment with SNMP and pings, and the systems in our DMZ will send traps back to their NMS. Their equipment is in the 10.10.10.0/28 subnet, and they are NATed to our public IPs.
For the outbound traps, it seems as if we need an SNAT entry. For the inbound SNMP and pings, it seems as if VIP/DNAT is required. The FortiConverter only made VIP/DNAT entries.
We configured several other smaller firewalls without using Central SNAT, and we used VIPs tied into the firewall policy for systems that had some public exposure. In those cases, the servers could be accessed from the Internet, but we had to define a separate outbound NAT entry on another firewall policy line, e.g. NAT everything outbound to another IP or interface. For the very limited number of cases we did this, the hosts had different public IP addresses based on whether the traffic was inbound or outbound. We were paying a vendor for assistance, and this was his suggestion. I always felt as if we were missing something here.
I'd appreciate the best approach in NATing for the NMS case presented above. We have 2 weeks before we implement that firewall, and it's critical we run into few snags. Thanks
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Why not just use policy NAT? This (and other reasons) is why I don't typically advocate for any automatic conversion tools.
Looking back, I don't disagree. However, we have too much time invested in getting to the point we're currently at and don't have resources or time to start over.
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1662 | |
1077 | |
752 | |
443 | |
220 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.