Since I come frome cisco, the way I have to configure NAT in Fortigate is new to me. I have a working configuration but some settings don't make sense to me...
public ip range: 1.2.3.32/27
Fortigate public ip: 1.2.3.36
dmz interface: 10.9.11.1/24
webserver: 10.9.11.254
My goal is a bidirectional nat for a webserver using the public ip 1.2.3.43.
I found the following KB: https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-use-VIP-s-External-IP-Address-for-S...
1. It doesn't matter which interface I use in vip config (extintf) the traffic works anyway no matter if it makes sense or not. Why is that and how should I do it the right way?
2. Configuring "set srcintf-filter dmz" as mentioned in the linked KB results in it not working anymore...
Even more confusing is the fact that this worked a few days ago and yes I did clear the nat cache multiple times in between (diagnose sys session clear).
For my understanding coming from cisco a destination nat should contain source interface (incoming traffic), source network, destination interface and destination network.
For testing purposes I deleted all other nat rules except the default SNAT for outgoing traffic. Currently the configuration looks like this. Incoming and outgoing traffic via the public ip 1.2.3.43 works with this but I'm afraid that this changes somehow when I go live with the firewalls as it already did earlier.
fortigate # sh firewall vip webserver
config firewall vip
edit "webserver"
set extip 1.2.3.43
set mappedip "10.9.11.254"
set extintf "port1"
set nat-source-vip enable
next
end
fortigate # sh firewall ippool SNAT_1.2.3.43
config firewall ippool
edit "SNAT_1.2.3.43"
set type one-to-one
set startip 1.2.3.43
set endip 1.2.3.43
next
end
fortigate # sh firewall central-snat-map
config firewall central-snat-map
edit 1
set srcintf "dmz_zone"
set dstintf "port1"
set orig-addr "SH_webserver-10.9.11.254"
set dst-addr "all"
set nat-ippool "SNAT_1.2.3.43"
next
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
First quesiton: do you have a requirement to be using Central SNAT? Usually in FortiGate land it is easier to use policy NAT.
If you are using Central SNAT you have to treat your DNAT VIPs a bit differently. See here: https://docs.fortinet.com/document/fortigate/7.2.3/administration-guide/448790/central-dnat
I'm not 100% sure but in Central NAT i don't believe the VIP ext-intf has any bearing on the NAT functionality. It is used for policy applicaiton only.
Hi Graham,
Our network partner and some fortigate engineers recommended us to enable central snat so we can more easily migrate our current cisco configuration. For our migration scripts we use the api. The configuration includes about 660 vpns, 140 nat and 800 policy rules, so we do it with api scripts.
I'm not 100% sure but in Central NAT i don't believe the VIP ext-intf has any bearing on the NAT functionality. It is used for policy applicaiton only.
That would explain a lot but can we somehow verify the assumption?
Best Regards,
Patrick
OK in that case yes Central NAT makes sense.
Per the documentation, "ext-intf" setting on VIP is defined as "The external interface that the firewall policy source interface must match." So in this case under Central NAT where VIPs are not assigned to a firewall policy I think it's fair to say the ext-intf setting has no bearing.
Thanks Graham.
The support ticket is still open, I will post the update here as soon as I get an answer.
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1679 | |
1085 | |
752 | |
446 | |
226 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.