NAT

Example:

Here are two possible packets that would be considered different by the FortiGate so that any responses from the web server would make it back to their correct original sender.

 

From Student A

 

Attribute Original Packet Packet after NATing
 

Source IP address or src-ip

 

10.1.1.56

 

u.u.u.1

 

Destination IP address or dst-ip:

 

w.w.w.1

 

w.w.w.1

 

Protocol

 

tcp

 

tcp

 

Source port or src-port:

 

10000

 

46372

 

Destination port or dst-port

 

80

 

80

 

From Student B

   
Attribute Original Packet Packet after NATing
 

Source IP address or src-ip

 

10.5.1.233

 

u.u.u.1

 

Destination IP address or dst-ip:

 

w.w.w.1

 

w.w.w.1

 

Protocol

 

udp

 

udp

 

Source port or src-port:

 

26785

 

46372

 

Destination port or dst-port

 

80

 

80

Even though the source port is the same, because the protocol is different they are considered to be from different sessions and different computers.

The drawback is that it would depend on the protocols being used be evenly distributed between TCP and UDP. Even if this was the case the number would only double; reaching an upper limit of 65,536 possible connections. That number is still far short of the possible more than 16 million for an IP subnet with an eight bit subnet mask like the one in our example.

Fortinet does not use this method.


Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.