How to: Create Inbound and Outbound one-to-one Static NAT rules in FortiGate

Author
lyontech
2016/04/07 16:57:13 (permalink)

I'm new to the FortiGate routers (I've always been a Cisco guy), and had a hard time figuring out how to properly configure inbound and outbound static one-to-one NAT rules in the router.  After doing a fair amount of searching in the FortiGate documentation and Googling, I found the information available online about this topic was either incomplete or out of date.  So I thought I’d pass this along in case it is helpful to anyone who finds this thread in the future.  I successfully did the below steps today on a FortiGate 60D running Firmware 5.2.7 build 718, but I’m pretty sure it will work the same on other similar models too.
 
How to create an INBOUND static NAT rule:
  1. Navigate to:  Policy & Objects > Objects > Virtual IPs
    1. Click the “Create New” button
    2. Name = Anything you want, something descriptive.  Remember this, you need it in Step #3.
    3. Comments = Optional. Anything you want.
    4. Interface = Select the correct external WAN interface that the public IP is connected to
    5. Source Address Filter = Defaults to unchecked, which is fine.
    6. External IP Address/Range = Just enter one *public* IP address.  Put the same IP address in both fields (this means you’re only defining ONE IP address, instead of a RANGE or block of IPs)
    7. Mapped IP Address/Range = Just enter one *private* IP address.  Put the same IP address in both fields (this means you’re only defining ONE IP address, instead of a RANGE or block of IPs)
    8. Port Forwarding = Optional.
      1. If you want to just have a 1-to-1 inbound static NAT map, leave this unchecked.  Restrict and control access through IPv4 firewall policies.
      2. If you want to control or redirect specific ports, check this and then add custom rules as necessary.
 
Just because you create an Inbound NAT rule, it doesn’t mean that all outgoing traffic from that internal IP will be NAT’ed to that external Public IP.  By default, the FortiGate will do outbound NAT to the external IP address only for *replies* sent by the internal server in response to requests that originated from *outside* the firewall.  If you want to ensure that *all* traffic originating from the internal server is always NAT’ed to a specific external public IP address, then you must create a custom Outbound Static NAT IPv4 policy.  If no custom outbound policy is created, then the outbound traffic that originates from the internal server will be NAT’ed to the router’s default overload one-to-many NAT public IP address.
 
How to create an Outbound Static NAT rule:
  1. Create a new address for the INTERNAL (private) device IP Address
    1. Navigate to:  Policy & Objects > Objects > Addresses
    2. Click the “Create New” button
    3. Name = Anything you want, something descriptive.  Remember this, you need it in Step #3.
    4. Type = IP/Netmask
    5. Subnet / IP Range = Just enter the single IP address
    6. Interface = Defaults to “any”, which is fine
    7. Show in Address List = Defaults to “checked”, which is fine
    8. Comments = Optional. Anything you want.
  2. Create a new address for the EXTERNAL (public) device IP Pool
    1. Navigate to:  Policy & Objects > Objects > IP Pools
    2. Click the “Create New” button
    3. Name = Anything you want, something descriptive.  Remember this, you need it in Step #3.
    4. Comments = Optional. Anything you want.
    5. Type = Select “One-to-One”
    6. External IP Range = Just enter one public IP address.  Put the same IP address in both fields (this means you’re only defining ONE IP address, instead of a RANGE or block of IPs)
    7. ARP Reply = Uncheck this  (defaults to checked)
  3. Create an outbound policy to connect the two IP addresses
    1. Navigate to:  Policy & Objects > Policy > IPv4
    2. Click the “Create New” button
    3. Incoming Interface = internal (or whatever internal VLAN, interface, etc. you need to apply this to)
    4. Source Address = Select the name that you specified in Step #1
    5. Source User(s) = Normally you’ll want to just leave it blank/default
    6. Source Device Type = Normally you’ll want to just leave it blank/default
    7. Outgoing Interface = Select the correct external WAN interface that the public IP is connected to
    8. Destination Address = all
    9. Schedule = always
    10. Service = ALL
    11. Action = ACCEPT
    12. Firewall / Network Options
      1. Make sure NAT is turned “ON”
      2. Use Dynamic IP Pool = Select the name that you specified in Step #2
    13. Make sure that “Enable this policy” is turned “ON”
    14. In the IPv4 Policy summary page, drag your new rule up to the top, above the generic “all – all – always – all” outbound allow rule.  FortiGate applies policies from top to bottom.
 
NOTE:  The FortiGate ARP tables last for quite a while, so if you are testing your outbound IP NAT to an external website (like www.whatismyip.com) then you need to completely close and restart your browser sessions, or reboot your test computer, or reboot the router, or wait for the router’s ARP tables to expire.  I just found that visiting multiple different “show your IP” websites was easiest.


    benjamin.shumaker@cudenver.com
    Re: How to: Create Inbound and Outbound one-to-one Static NAT rules in FortiGate 2018/04/21 19:23:06 (permalink)
    Thanks lyontech, exactly what I needed.
    Thank you for the feedback.  Easy to follow.
     
    Benjamin
    DarrenM
    Re: How to: Create Inbound and Outbound one-to-one Static NAT rules in FortiGate 2018/06/25 07:10:17 (permalink)
    You can also just edit the VIP rule in the CLI with
    set nat-source-vip enable
    benjamin.shumaker@cudenver.com
    Re: How to: Create Inbound and Outbound one-to-one Static NAT rules in FortiGate 2018/06/25 14:37:39 (permalink)
    Thanks Darren for your response.  I learned how to set up a Virtual IP and IP Pools.  Both are very useful.
     
    Benjamin
    janggoatlebat
    Re: How to: Create Inbound and Outbound one-to-one Static NAT rules in FortiGate 2018/09/20 00:48:07 (permalink)
    Hi lyontech,
    Can I apply this to an internal private network connection? Let's say I want the user to connect to a server in the office by using the NAT IP instead of the server's real IP.
    riaronson
    Re: How to: Create Inbound and Outbound one-to-one Static NAT rules in FortiGate 2018/11/12 13:55:30 (permalink)
    Currently I have a 1-to-1 NAT configuration that has an A record in DNS on a FortiGate connected to 2 different ISPs. I'm doing maintenance and want to NAT this particular host to a VIP on a different interface. I thought about setting up the second VIP, then changing my DNS to the new address. Once it propagates I can remove the original VIP and do my maintenance. My question is what would happen if I added the second NAT: where would the outbound traffic go? I've got set nat-source-vip enable on the current VIP and I also have an IP pool configured from the outbound traffic policy (belt and suspenders kind of thing).
     
    What might be best way to get to the configuration I want?
    Luckymac
    Re: How to: Create Inbound and Outbound one-to-one Static NAT rules in FortiGate 2019/09/13 06:41:12 (permalink)
    Hi,
    I currently have a dynamic IP from my provider. Can I assign an outbound static rule so that all traffic from the local network goes to my external interface (Wan1)?
    Luc
    Bert1
    Re: How to: Create Inbound and Outbound one-to-one Static NAT rules in FortiGate 2019/09/13 08:51:57 (permalink)
    Thank you for this post.  I am trying to get an internal PBX working (3CX) and needed this information.
     
    However, I am still having a problem.  For some reason, the firewall (60E) is changing incoming ports 5060 to 65476 and 5090 to 65506.  This is causing no end of problems for me and I thought (obviously incorrectly) that the setup that you described here would cause the firewall to preserve the port number.  On top of that, I have no idea why the firewall is doing that or how to stop it.  Any suggestions?
     
    Thanks
     
    Bert