I put the source NAT as the private interface.
I put the destination NAT as the public interface.
Somehow the ping to the internet works.
Q1 Why is this so? Doesn't ping involve the return packet?
Q2 Don't I have to put source NAT as the public interface and destination NAT as the private interface too?
Q3 Under what circumstances do you put a static route and not a NAT?
Q4 Why do some other products only have "nat enabled" but don't specify "ip nat inside" or "ip nat outside"?
hi,
when you enable NAT in a policy by crossing the checkbox, you apply source NAT. By default, the IP address of the outbound interface is used instead of the original address.
So, your rule 1 sends traffic to the internet with a source address of your WAN interface, which of course is routed back with no problems.
Rule 2 does not really make sense. Assuming that you use RFC1918 private addresses on your LAN, how would anybody on the 'net find your WAN router? Private addresses are not routed over internet routers, to avoid the ambiguity which would arise if 1000 users of an ISP use the range 192.168.1.x, for example.
So enabling NAT on rule 2 will have the effect that the original WAN address of inbound traffic is lost/replaced, but there won't be any inbound traffic in the first place.
And you don't need rule 2 at all. Traffic outbound through rule 1 will be answered and routed back to the WAN interface of your FGT. The FGT then looks up which policy might match, checks whether that policy uses NAT, and if it does, it looks up the NAT table to reverse the address translation. So in short, for reply traffic you only need one outbound policy in general.
HTH.
Hi, can you please post some config snippets to clarify what you configured?
It is not easy to guess what you "put" where with such ambiguous wording.
Created on 04-22-2022 09:02 AM, edited on 04-22-2022 09:25 AM
Hi,
It is a general NAT question.
Which part needs clarification?
| Rule | Source interface | Destination interface | NAT |
|------|------------------|-----------------------|---------|
| 1 | LAN | WAN | Enabled |
| 2 | WAN | LAN | Enabled |
For Q1 and Q2, I put rule 1 in my firewall but I did not put rule 2.
I still can ping the internet.
Why?
I think I understand now, thank you for clarifying the question.
FortiGate is a stateful firewall. It keeps track of traffic sessions and can identify whether inbound packets from outside match existing sessions initiated from inside->out in order to automatically allow them through.
You do not need a WAN->LAN policy because the FortiGate will recognize the incoming ECHO-reply as a response to the ECHO-request which was allowed by the LAN->WAN firewall policy when your local client tried to ping something on the internet. It will also automatically reverse the NAT-ing when it forwards the response back to the original client.
Further reading, if you're interested:
https://docs.fortinet.com/document/fortigate/6.0.0/handbook/61862/what-is-a-firewall
https://en.wikipedia.org/wiki/Stateful_firewall
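To show why the single LAN->WAN policy is enough, here is an added Python model of the session-table behaviour described above; it is not FortiGate code and not from any poster, and the addresses are constructed for illustration. It NATs an outbound echo-request, reverse-translates the reply using the session it created, and drops an unsolicited inbound packet for which no session exists.

```python
from dataclasses import dataclass

# Constructed addresses for the example: a LAN client, the FortiGate's WAN
# address and an internet host. All values are made up for illustration.
LAN_CLIENT = "192.168.1.10"
WAN_IP = "203.0.113.5"          # TEST-NET-3 documentation range
INTERNET_HOST = "8.8.8.8"

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str      # "icmp"
    ident: int      # ICMP echo identifier, used as the session key
    kind: str       # "echo-request" or "echo-reply"

class StatefulNat:
    """Minimal model of a stateful firewall with one LAN->WAN policy (NAT on).
    There is no WAN->LAN policy; replies are matched to sessions and de-NATed."""

    def __init__(self):
        # session key (remote host, proto, ident) -> original LAN source address
        self.sessions = {}

    def lan_to_wan(self, pkt: Packet):
        # Policy 1: LAN -> WAN, NAT enabled: source becomes the WAN interface IP.
        key = (pkt.dst, pkt.proto, pkt.ident)
        self.sessions[key] = pkt.src
        return Packet(WAN_IP, pkt.dst, pkt.proto, pkt.ident, pkt.kind)

    def wan_to_lan(self, pkt: Packet):
        # No WAN -> LAN policy exists. Accept only if the packet answers a
        # session created by lan_to_wan; otherwise drop (return None).
        key = (pkt.src, pkt.proto, pkt.ident)
        original_src = self.sessions.get(key)
        if original_src is None or pkt.dst != WAN_IP:
            return None
        # Reverse the translation: deliver to the original LAN client.
        return Packet(pkt.src, original_src, pkt.proto, pkt.ident, pkt.kind)

def ping_round_trip():
    fw = StatefulNat()
    req = Packet(LAN_CLIENT, INTERNET_HOST, "icmp", 0x1234, "echo-request")
    on_wire = fw.lan_to_wan(req)
    # The internet host replies to the address it saw: the WAN IP.
    reply = Packet(INTERNET_HOST, on_wire.src, "icmp", on_wire.ident, "echo-reply")
    delivered = fw.wan_to_lan(reply)
    # An unsolicited echo-request from the internet has no session and is dropped.
    stray = Packet("198.51.100.7", WAN_IP, "icmp", 0x9999, "echo-request")
    return on_wire, delivered, fw.wan_to_lan(stray)
```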
Copyright 2024 Fortinet, Inc. All Rights Reserved.