Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
albaker1
Contributor

Question about NATing when using Central SNAT Policy

We've moving from a Cisco shop to a Fortinet shop, but I'm having problems understanding NATing on the FortiGates when Central SNAT is being used. We've used FortiConverter to convert the Firepower to the FortiGate, and besides the interfaces on the NAT statements being incorrect (referencing the physical interface and not the VPN interface), I'm having a hard time deciding if the proper NAT statements were created. Take this example:

 

We have a vendor who has some equipment in one of our DMZs, and we have a site-to-site VPN configured between our two locations. Their NMS will be querying their equipment with SNMP and pings, and the systems in our DMZ will send traps back to their NMS. Their equipment is in the 10.10.10.0/28 subnet, and they are NATed to our public IPs. 

 

For the outbound traps, it seems as if we need an SNAT entry. For the inbound SNMP and pings, it seems as if VIP/DNAT is required. The FortiConverter only made VIP/DNAT entries.

 

We configured several other smaller firewalls without using Central SNAT, and we used VIPs tied into the firewall policy for systems that had some public exposure. In those cases, the servers could be accessed from the Internet, but we had to define a separate outbound NAT entry on another firewall policy line, e.g. NAT everything outbound to another IP or interface. For the very limited number of cases we did this, the hosts had different public IP addresses based on whether the traffic was inbound or outbound. We were paying a vendor for assistance, and this was his suggestion. I always felt as if we were missing something here.

 

I'd appreciate the best approach in NATing for the NMS case presented above. We have 2 weeks before we implement that firewall, and it's critical we run into few snags. Thanks

2 REPLIES 2
adambomb1219
Contributor III

Why not just use policy NAT?  This (and other reasons) is why I don't typically advocate for any automatic conversion tools.

albaker1

Looking back, I don't disagree. However, we have too much time invested in getting to the point we're currently at and don't have resources or time to start over.

Top Kudoed Authors