Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
swmar
New Contributor

fortigate disable nat option

Dears,

I have fortigate 200d and i want to disable nat option once i create the firewall policy.

could you please advise what is the other steps that i need to configure in case i disabled the nat option from the policy.

when i enable the nat mode in the policy, the connectivity is ok, but when i disabled it i lost the connectivity, i want to keep the source ip without natting. could you please advise about this 

 

Best Regards,

 

7 REPLIES 7
rwpatterson
Valued Contributor III

This is a very general question. 2 questions to you:

1) What direction is traffic flowing in this policy?

2) Is this policy connected to the Internet from a private address?

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com

Bob - self proclaimed posting junkie!See my Fortigate related scripts at: http://fortigate.camerabob.com
swmar

Thanks for your reply, the direction from internal to wan 1.

and it is private network to the internet.

 

 

Best Regards,

rwpatterson
Valued Contributor III

If that is the case, then you need to have NAT enabled. Your ISP will drop all connections to the Internet with private IP addresses. You have to provide a routable, public IP address if you want your traffic to be present outside your walls. The only way you can do that is to have your own subnet(s), or to NAT your traffic to the IP address that your ISP provides you. (That is if they give you a public. Some only provide private IP addresses on a transit network to you.)

 

See the link for a definition/list of private IP address ranges

 

https://tools.ietf.org/html/rfc1918

 

There is a newer one, but I don't recall the RFC number.

 

The latest is here:

 

https://tools.ietf.org/html/rfc5735

 

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com

Bob - self proclaimed posting junkie!See my Fortigate related scripts at: http://fortigate.camerabob.com
swmar

Hi, It seems I didn't explain the case very well. The fortigate's wan interface is connected to internet through another gateway. And from the fortigate I can ping the internal IP of the gatewa,y and can ping any address on internet. But in case I disabled the nat mode from the policy, the computers which are connected on internal interface of fortigate is loosing the connectivity to internet. Regarding routing I have default rout to the gateway only. Could you please advise.
ede_pfau

You are right in assuming you didn't supply relevant information on your setup.

 

When you disable NAT on the FGT packets with private source addresses arrive at the gateway router. The router will send them out, but on arrival of the replies it doesn't know where to forward them.

 

You need a static route on the gw router pointing the private subnet addresses (like 192.168.xxx.0/24) to the WAN interface of the FGT.

 

The FGT already knows about that range as it is directly connected (check this in the Routing monitor).

Ede Kernel panic: Aiee, killing interrupt handler!
Ede Kernel panic: Aiee, killing interrupt handler!
swmar
New Contributor

It worked thank you so much, yes this is the missing ring.

really appreciated. 

:)

 

ede_pfau

You're welcome, I'm glad I could help.

Ede Kernel panic: Aiee, killing interrupt handler!
Ede Kernel panic: Aiee, killing interrupt handler!
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors