FortiWAN NAT Rules

NAT Rules

As the previous description, FortiWAN provides typical NAT for out-going session (established from internal host to external host). Here we describe the NAT rules which specified how to translate source IP address of a outgoing packet into specified IP address of the WAN link. Incoming packets from a external host can be accepted and forwarded to the correct internal host only if a out-going packet has already be translated and transferred to the same external host. NAT rules are separated into IPv4 NAT rules and IPv6 NAT rules, which are used to translate a IPv4 address to another IPv4 address and translate a IPv6 address to another IPv6 address respectively. You will see the default rules at the bottom of the two rule tables, if IPv4 and/or IPv6 addresses are deployed on localhost of the WAN link.

IPv4 NAT Rules

Customized rules for IPv4-to-IPv4 NAT on a specified WAN link (select from the drop-down menu WAN above).

E Enable the NAT rule or not.
When The predefined time periods during which the rules will apply. Options are Busy, Idle, All-Times (See “Busyhour Settings”).
Source The packets sent from the source will be matched. Note: The source IPv4 to be translated must be the IPv4 address assigned to the LAN or DMZ (See “Using the web UI”).
Destination The packets sent to the destination will be matched (See “Using the web UI”).
Service The packets with the service port number to which users would like NAT to apply. It can be the TCP/UDP port, or Predefined service groups from [System]->[Service Grouping] (See “Using the web UI”).
Translated Specify manually the IPv4 address or a range of IPv4 addresses that is assigned to the localhost of the specified WAN link. Source IP address of the packets that match the rule would be translated to the IP address specified here.

The first IPv4 address assigned to the localhost of the WAN link automatically displays in the drop-down menu for options. If multiple IPv4 addresses are assigned to the WAN link’s localhost, you can set any of them manually by selecting the options “IPv4 Address” and “IPv4 Range”.

Select No NAT if no translation is needed.

The option [Dynamic IP] will be available while a Dynamic WAN link (Bridge Mode: PPPoE and Bridge Mode: DHCP) is applied.

L Check to enable logging. Whenever the rule is matched, the system will record the event to the log file.

IPv6 NAT Rules

Customized rules for IPv6-to-IPv6 NAT on a specified WAN link (select from the drop-down menu WAN above).

E Enable the NAT rule or not.
When The predefined time periods during which the rules will apply. Options are Busy, Idle, All-Times (See “Busyhour Settings”).
Source The packets sent from the source will be matched (See “Using the web UI”). Note: The source IPv6 to be translated must be the IPv6 address assigned to the LAN or DMZ.
Destination The packets sent to the destination will be matched (See “Using the web UI”).
Service The packets with the service port number to which users would like NAT to apply. It can be the TCP/UDP port, or Predefined service groups from [System]->[Service Grouping] (See “Using the web UI”).
Translated Specify manually the IPv6 address or a range of IPv6 addresses that is assigned to the localhost of the specified WAN link. Source IP address of the packets that match the rule would be translated to the IP address specified here.

The first IPv6 address assigned to the localhost of the WAN link automatically displays in the drop-down menu for options. If multiple IPv6 addresses are assigned to the WAN link’s localhost, you can set any of them manually by selecting the options “IPv6 Address” and “IPv6 Range”.

Select No NAT if no translation is needed.

The option [Dynamic IP] will be available while a Dynamic WAN link (Bridge Mode: PPPoE) is applied. Bridge Mode: DHCP does not support IPv6/IPv4 dual stack.

Note that this field must be an IPv6 address obtained upon public DMZ subnet and with 64-bit or lower prefix length.

L Check to enable logging. Whenever the rule is matched, the system will record the event to the log file.

1-to-1 NAT Rules

1-to-1 NAT maintains a fixed 1-to-1 mapping (binding) between internal IP addresses and the IP addresses of a WAN link’s localhost (also called external addresses here), which requires the same amount of IP addresses on both sides. Therefore, both a internal host and external host can launch sessions to each other. 1-to-1 NAT supports translation for IPv4 only.

E Enable the 1-to-1 NAT rule or not.
When Select the time when to apply the 1-to-1 NAT rule, including three options: Busy, Idle and All-Time (See “Busyhour Settings”).
Internal Address Select the internal IPv4 address, IPv4 range or IPv4 subnet that the 1-to-1 NAT rule should be applied to (See “Using the web UI”). For a 1-to-1 NAT rule, the amount of internal IP address here must be the same as amount of external IP address below. (Note: Internal IP

Address must be an IP address of the internal network or DMZ port.)

Service Select a service port where the 1-to-1 NAT rule should be applied to, such as TCP, UDP, ICMP or any of the predefined network service groups (See “Using the web UI”).
External Address Select the external IPv4 address, IPv4 range or IPv4 subnet that the 1-to-1 NAT rule should be applied to (See “Using the web UI”). For a 1-to-1 NAT rule, the amount of external IP address here must be the same as amount of internal IP address above. (Note: External IP

Address must be an IP address obtained upon WAN link connection.)

L Check to enable logging. Whenever the rule is matched, the system will record the event to the log file.

For any out-going packet (no matter a internal or a external host launch the session), if the packet matches a 1-to1 NAT rule on When, Internal Address (Source) and Service, source IP address of the packet will be translate to correspondent external address specified in the rule. For any in-coming packet (no matter a internal or a external host launch the session), if the packet matches a 1-to-1 NAT rule on When, External Address (Destination) and Service, destination IP address of the packet will be translate to correspondent internal address specified in the rule.

Enable NAT

Example: To translate packets from local machine 192.168.123.100 to public IP address 172.31.5.51, check “Enable NAT”, and select WAN #1, then check “Enable”. The NAT rule settings look like:

Source Destination Service Translated
192.168.123.100 Any Address Any 172.31.5.51

Disable NAT

Disable NAT sets FortiWAN to Non-NAT mode whereby all the WAN hosts can acccess DMZ hosts directly with proper routing setup. In this mode, FortiWAN acts as a router connecting multiple subnets.

Note: Once NAT is disabled, it is disabled on all the WAN Links.

Example: Non-NAT Settings

 

Persistent Routing

Non-NAT is commonly used on Private Network and MPLS network, which makes possible for the hosts of the branch office to directly access the headquarters. In case that ISP 1 is down, FortiWAN will automatically route the link to ISP 2, and, accordingly, serve as VPN load balancer based on the status of each link.

This entry was posted in Administration Guides, FortiWAN on by .

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.