How to: Create Inbound and Outbound one-to-one Static NAT rules in FortiGate

lyontech · ‎04-07-2016

I'm new to the FortiGate routers (I've always been a Cisco guy), and had a hard time figuring out how to properly configure inbound and outbound static one-to-one NAT rules in the router. After doing a fair amount of searching in the FortiGate documentation and Googling, I found the information available online about this topic was either incomplete or out of date. So I thought I’d pass this along in case it is helpful to anyone who finds this tread in the future. I successfully did the below steps today on a FortiGate 60D running Firmware 5.2.7 build 718, but I’m pretty sure it will work the same on other similar models too. How to create an INBOUND static NAT rule:

[ol]

Navigate to: Policy & Objects > Objects > Virtual IPs[ol]

Click the “Create New” button

Name = Anything you want, something descriptive. Remember this, you need it in Step #3.

Comments = Optional. Anything you want.

Interface = Select the correct external WAN interface that the public IP is connected to

Source Address Filter = Defaults to unchecked, which is fine.

External IP Address/Range = Just enter one *public* IP address. Put the same IP address in both fields (this means you’re only defining ONE IP address, instead of a RANGE or block of IPs)

Mapped IP Address/Range = Just enter one *private* IP address. Put the same IP address in both fields (this means you’re only defining ONE IP address, instead of a RANGE or block of IPs)

Port Forwarding = Optional.[ol]

If you want to just have a 1-to-1 inbound static NAT map, leave this unchecked. Restrict and control access through IPv4 firewall policies.

If you want to control or redirect specific ports, check this and then add custom rules as necessary.[/ol][/ol][/ol]

Just because you create an Inbound NAT rule, it doesn’t mean that all outgoing traffic from that internal IP will be NAT’ed to that external Public IP. By default, the FortiGate will do outbound NAT to the external IP address only for *replies* sent by the internal server in response to requests that originated from *outside* the firewall. If you want to ensure that *all* traffic originating from the internal server is always NAT’ed to a specific external public IP address, then you must create a custom Outbound Static NAT IPv4 policy. If no custom outbound policy is created, then the outbound traffic that originates from the internal server will be NAT’ed to the router’s default overload one-to-many NAT public IP address. How to create an Outbound Static NAT rule:

[ol]

Create a new address for the INTERNAL (private) device IP Address[ol]

Navigate to: Policy & Objects > Objects > Addresses

Click the “Create New” button

Name = Anything you want, something descriptive. Remember this, you need it in Step #3.

Type = IP/Netmask

Subnet / IP Range = Just enter the single IP address

Interface = Defaults to “any”, which is fine

Show in Address List = Defaults to “checked”, which is fine

Comments = Optional. Anything you want.[/ol]

Create a new address for the EXTERNAL (public) device IP Pool[ol]

Navigate to: Policy & Objects > Objects > IP Pools

Click the “Create New” button

Name = Anything you want, something descriptive. Remember this, you need it in Step #3.

Comments = Optional. Anything you want.

Type = Select “One-to-One”

External IP Range = Just enter one public IP address. Put the same IP address in both fields (this means you’re only defining ONE IP address, instead of a RANGE or block of IPs)

ARP Reply = Uncheck this (defaults to checked)[/ol]

Create an outbound policy to connect the two IP addresses[ol]

Navigate to: Policy & Objects > Policy > IPv4

Click the “Create New” button

Incoming Interface = internal (or whatever internal VLAN, interface, etc. you need to apply this to)

Source Address = Select the name that you specified in Step #1

Source User(s) = Normally you’ll want to just leave it blank/default

Source Device Type = Normally you’ll want to just leave it blank/default

Outgoing Interface = Select the correct external WAN interface that the public IP is connected to

Destination Address = all

Schedule = always

Service = ALL

Action = ACCEPT

Firewall / Network Options[ol]

Make sure NAT is turned “ON”

Use Dynamic IP Pool = Select the name that you specified in Step #2[/ol]

Make sure that “Enable this policy” is turned “ON”

In the IPv4 Policy summary page, drag your new rule up to the top, above the generic “all – all – always – all” outbound allow rule. FortiGate applies policies from top to bottom.[/ol][/ol]

NOTE: The FortiGate ARP tables last for quite a while, so if you are testing your outbound IP NAT to an external website (like www.whatismyip.com) then you need to completely close and restart your browser sessions, or reboot your test computer, or reboot the router, or wait for the router’s ARP tables to expire. I just found that visiting multiple different “show your IP” websites was easiest.

benjamin_shumaker · ‎04-21-2018

Thanks lyontech, Exactly what I needed. Thank you for the feed back. Easy to follow Benjamin

DarrenM · ‎06-25-2018

You can also just edit the VIP rule in cli with

set nat-source-vip enable

benjamin_shumaker · ‎06-25-2018

Thanks Darren for your response. I learned how to setup a Virtual IP and IP Pools. Both are very useful.

Benjamin

DarrenM wrote:
You can also just edit the VIP rule in cli with
set nat-source-vip enable

janggoatlebat · ‎09-20-2018

Hi Iyontech,

Can I apply this for internal private network connection? Let say I want the user to connect to a server in the office by using NAT IP instead of the server's real IP.

riaronson · ‎11-12-2018

Currently I have a 1 to 1 NAT configuration that has an A record in DNS on a Fortigate connected to 2 different ISps. . I'm doing maintenance and want to nat this particular host to a vip on a different interface. I thought about setting up the second VIP, then changing my dns to the new address. Once it propagates I can remove the original VIP and do my maintenance. My question is what would happen if I added the second NAT, where would the outbound traffic go? I've got set nat-source-vip enable on the current VIP and I also have an IP pool configured from the outbound traffic policy (belt and suspenders kind of thing.)

What might be best way to get to the configuration I want?

Luckymac · ‎09-13-2019

Hi,

Currently have a dynamic IP from my provider. Can I assign an outbound static rule so that all traffic from local network goes to my external interface (Wan1).

Luc

Bert1 · ‎09-13-2019

Thank you for this post. I am trying to get an internal PBX working (3CX) and needed this information.

However, I am still having a problem. For some reason, the firewall (60E) is changing incoming ports 5060 to 65476 and 5090 to 65506. This is causing no end of problems for me and I thought (obviously incorrectly) that the setup that you described here would cause the firewall to preserve the port number. On top of that, I have no idea why the firewall is doing that or how to stop it. Any suggestions?

Thanks

Bert

Lloyd1 · ‎06-13-2022

Hello,

Thanks for the tuto

One thing I do not understand, and I am blocked.

At the IPv4 Policy Creation, you indicate:

- "Source Address = Select the name that you specified in Step #1"

And in Step 1 you indicate:

"Interface = Select the correct external WAN interface that the public IP is connected to"

So, my question is : How can I assign an external Virtual IP object to an internal Source Adresse Policy object ?

The Virtual IP I created is not available when I try to assign it to the policy rule.

Can someone help me on that?

Thank you

Faiza_Emam_Delhi · ‎06-17-2023

Hi ,

Thank you for sharing these steps on how to create inbound and outbound one-to-one static NAT rules in FortiGate. Your explanation is clear and concise, and I'm sure it will be helpful to anyone who is new to FortiGate routers.

Just to add to your explanation, it's important to note that the outbound NAT rule will only apply to traffic that originates from the internal network and is destined for the external network. If the traffic is initiated from the external network and is destined for the internal network, then the inbound NAT rule will apply.

Also, when creating the outbound NAT rule, it's a good idea to specify the source port as well as the destination port if you want to control or redirect specific ports. This can be done by selecting "Custom" under the "Service" field and specifying the source and destination ports.

I hope this additional information is helpful. Let me know if you have any further questions or if there's anything else I can assist you with.

Thanks & Regards,
Faizal Emam