[FortiGate] How to configure NAT

Firewall (UTM)

Work environment

  • FortiGate 60E
    • version 7.0.2

NAT settings in FortiGate

In FortiGate, NAT is configured as one of the settings of a firewall policy.

You can use the following as the translated IP address:

  • Outgoing interface IP address (used for source NAT)
  • IP Pool (used for source NAT)
  • Virtual IP (used for destination NAT)

If the Central SNAT feature is enabled, source NAT is configured differently. Central SNAT is disabled by default, and this article assumes it is disabled.

Source NAT settings

Translation to the outbound interface IP address

When configuring from the GUI, use the Firewall / Network Options field of the firewall policy settings screen.

Enable NAT and select Use Outgoing Interface Address as the IP Pool Configuration.

When Preserve Source Port is enabled, the source port is left untranslated (fixed). If you have multiple clients behind the policy, you need to disable this.

When configuring from the CLI, set these items under the edit hierarchy of the target policy in config firewall policy.

The correspondence between GUI and CLI setting items is as follows.

  • NAT —> NAT
  • IP Pool Configuration —> ippool
    • Set it to disable to use the outgoing interface address.
  • Preserve Source Port —> fixedport

config firewall policy
    edit <n>
        set nat enable
        set ippool disable
        set fixedport disable
    next
end

Translation using IP Pool

First, create an IP Pool.

If set in the GUI, click Create New on the Policy & Objects > IP Pools screen.

The following screen will be displayed.

IP Pool Type

  • Overload
    • In addition to IP address translation, port address translation (PAT) is also performed. With 60,416 available port numbers for each IP, the IP pool can handle 60,416 * (number of internal IP addresses) sessions.
  • One-to-One
    • An IP Pool that does not perform port address translation (PAT).
  • Fixed Port Range
    • PAT is performed. Specifying the Internal IP Range also determines the range of translated port numbers used for each internal IP.
  • Port Block Allocation
    • PAT is performed. You can manually set the block size (number of ports) and the number of blocks per user (IP).

IP Pool setting in CLI

Configure it under config firewall ippool.

FortiGate-60E # show full-configuration firewall ippool
config firewall ippool
    edit "Pool_Overload"
        set type overload
        set startip 10.1.10.100
        set endip 10.1.10.102
        set arp-reply enable
        set arp-intf ''
        set associated-interface ''
        set comments ''
        set nat64 disable
    next
end

NAT settings in Firewall Policy

In IP Pool Configuration, select Use Dynamic IP Pool and select the IP Pool to use from the list.

When configuring from the CLI, the settings are as follows (under the edit hierarchy of the target policy).

config firewall policy
    edit <n>
        set nat enable
        set ippool enable
        set poolname "Pool_Overload"
    next
end

NAT session confirmation command

get system session list

FortiGate-60E # get system session list
PROTO   EXPIRE SOURCE           SOURCE-NAT       DESTINATION      DESTINATION-NAT
tcp     25     10.1.20.10:52119 10.1.10.9:52119  64.233.189.109:993 -
tcp     0      10.1.20.10:64855 10.1.10.110:64855 183.181.89.54:110 -
udp     123    10.1.20.10:53791 10.1.10.110:53791 142.251.132.35:443 -
udp     125    10.1.20.10:56930 10.1.10.110:56930 172.217.161.234:443 -
udp     172    10.1.20.10:53013 10.1.10.110:53013 8.8.8.8:53       -
udp     113    10.1.20.10:58681 10.1.10.110:58681 8.8.8.8:53       -
udp     162    10.1.20.10:58674 10.1.10.110:58674 8.8.8.8:443      -
udp     172    10.1.20.10:62289 10.1.10.110:62289 8.8.8.8:53       -
udp     130    10.1.20.10:62629 10.1.10.110:62629 8.8.8.8:53       -
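To confirm that sessions are really being translated to the addresses you intended, the session list above can be parsed and audited against the pool range. This is an added example, not code from the original post or from Fortinet; it assumes the Pool_Overload range 10.1.10.100 to 10.1.10.102 from the ippool configuration above and uses a few constructed session lines in the same format as the output.

```python
import ipaddress

# Constructed sample in the format of "get system session list" (header plus rows)
SESSION_OUTPUT = """\
PROTO   EXPIRE SOURCE           SOURCE-NAT       DESTINATION      DESTINATION-NAT
tcp     25     10.1.20.10:52119 10.1.10.9:52119  64.233.189.109:993 -
udp     172    10.1.20.10:53013 10.1.10.110:53013 8.8.8.8:53       -
udp     90     10.1.20.11:40001 10.1.10.101:40001 8.8.8.8:53       -
"""


def split_endpoint(field):
    """Turn 'ip:port' into (ip, port); the '-' placeholder becomes None."""
    if field == "-":
        return None
    host, port = field.rsplit(":", 1)
    return (host, int(port))


def parse_sessions(text):
    """Parse the whitespace-separated session table into a list of dicts."""
    sessions = []
    for line in text.splitlines()[1:]:  # skip the header row
        parts = line.split()
        if len(parts) != 6:
            continue  # ignore blank or truncated lines
        proto, expire, src, snat, dst, dnat = parts
        sessions.append({
            "proto": proto,
            "expire": int(expire),
            "src": split_endpoint(src),
            "snat": split_endpoint(snat),
            "dst": split_endpoint(dst),
            "dnat": split_endpoint(dnat),
        })
    return sessions


def audit_snat(sessions, pool_start, pool_end):
    """Return (src, snat, port_preserved) for sessions whose source-NAT
    address lies outside the expected pool range; port_preserved shows
    whether the source port survived untranslated (fixedport behaviour)."""
    lo = int(ipaddress.ip_address(pool_start))
    hi = int(ipaddress.ip_address(pool_end))
    findings = []
    for s in sessions:
        if s["snat"] is None:
            continue  # no source NAT applied to this session
        addr = int(ipaddress.ip_address(s["snat"][0]))
        if not lo <= addr <= hi:
            findings.append((s["src"], s["snat"], s["src"][1] == s["snat"][1]))
    return findings
```

Run over the output shown above it reports every session, since 10.1.10.9 and 10.1.10.110 both lie outside Pool_Overload's range; only a session translated to 10.1.10.100-102 passes.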

References

Policy with source NAT | Administration Guide


Comments

  1. Nguyen says:

    Hi, Thanks.

    You can write about VPN (site-to-site, client-to-site).
