Fortigate 500D - NAT Entire Subnets (Answered)

Author: varriola (New Member), 2018/12/21 10:01:22

Hello,
I'm having some trouble with NAT'ing entire subnets and am looking for suggestions and/or confirmation that I am doing it correctly.
 
I'm trying to give each school a separate external IP address based on their subnets. I am doing the following to create the NAT rule.
1) Create an Address Object for each school site's subnet
     -School 1 - 10.1.0.0/16
     -School 2 - 10.2.0.0/16
     -School 3 - 10.3.0.0/16
2) Create an IP Pool Object for each external IP address (all 3 IP addresses are part of a single WAN interface network)
     -Set "TYPE" to overload (Per Fortinet Chat Support)
3) Create an IPv4 Policy
     -School 1 NAT Policy:
       -Incoming Interface - LAN
       -Outgoing Interface - WAN
       -Source: School 1 - 10.1.0.0/16
       -Destination: ALL
       -Schedule: Always
       -Service: ALL
       -Action: Accept
          -Firewall/Network Options
             -NAT: On
             -IP Pool Configuration: Use Dynamic IP Pool
             -<Overload IP POOL Object I created>
 
When I apply this rule I lose all access to the internet.
At one school site, it works for the wired connections, but not for the wireless connections. As soon as I toggle the rule off, internet connectivity returns for all subnets.
 
If I do a tracert from a machine that can no longer get out to the internet, I successfully hit my Fortigate 500D and then all further hops to the outside drop.
 
Can anyone confirm this is the correct process for what I am trying to do? Any suggestions where I should be looking to troubleshoot this?
 
#1 jamesmeuli (New Member), 2018/12/21 12:38:21 (marked Best Answer by varriola, 2018/12/21 13:13:23)
That all looks correct. Can you use those addresses? 
 
#exec ping-options source x.x.x.x
#exec ping <yourgatewayorgoogle>
 
If there are no VIPs on those addresses, the Fortigate is probably not responding to ARP, so you should add secondary IPs to your WAN interface.
#2 varriola, 2018/12/21 13:15:32
Adding the external IPs as secondary IP addresses on the WAN interface seems to have done the trick. Thank you!
 
I assumed that because I had entered the interface network as a /28, it would automatically include the full range.
#3 ede_pfau (Expert Member, Heidelberg, Germany), 2018/12/22 14:05:26 (marked Helpful by Adam18290, 2019/08/23 14:19:35)
I think (and please take this as a hint for further research only) that one could/should use a VIP in this case.
Even if you think "VIPs are for destination NAT, I need source NAT": VIPs have 2 properties:
- they respond to ARP (proxy ARP)
- they automatically apply source NAT for the reverse traffic (!)
 
I faintly remember there was a KB article applying this, with "1:1 NAT" in the title. Time permitting I will re-edit my post to include a link to it. It was surprisingly easy to apply and worked right away.
I personally dislike secondary addresses as they are quite 'invisible' in the GUI yet interact fully. Maybe the VIP will do the trick.
 
edit:
ah, found it: https://kb.fortinet.com/k...ypeID=DT_KCARTICLE_1_1
post edited by ede_pfau - 2018/12/22 14:12:32

Ede

" Kernel panic: Aiee, killing interrupt handler!"
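A FortiOS CLI sketch of the VIP approach ede_pfau describes, added here as an example; it is not configuration from the post or from the linked KB article, whose own addresses are not reproduced. The interface names wan1 and lan, the public block 198.51.100.0/24 and the internal block 10.1.0.0/24 are assumptions chosen for illustration. Note the constraint this implies for the original question: the mapping is address-for-address, so covering a whole /16 of hosts this way needs a /16 of external addresses, not the one address per school the OP has.

```fortios
# Range VIP: the n-th external address maps to the n-th internal address
# (198.51.100.5 <-> 10.1.0.5). Both ranges must be the same size.
# arp-reply makes the FortiGate answer ARP for every address in extip,
# so no secondary IPs on wan1 are needed.
config firewall vip
    edit "vip-school1-1to1"
        set extintf "wan1"
        set extip 198.51.100.1-198.51.100.254
        set mappedip "10.1.0.1-10.1.0.254"
        set arp-reply enable
    next
end

config firewall address
    edit "School1-net"
        set subnet 10.1.0.0 255.255.255.0
    next
end

config firewall policy
    # Outbound: NAT enabled, no IP pool. Because the source sits inside a VIP's
    # mappedip range and the packet leaves that VIP's extintf, FortiOS
    # source-NATs it to the matching extip address instead of the interface IP.
    edit 0
        set name "School1-out-1to1"
        set srcintf "lan"
        set dstintf "wan1"
        set srcaddr "School1-net"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
        set logtraffic all
    next
    # Inbound: the VIP alone forwards nothing. Only a wan1->lan policy that
    # names the VIP as destination lets the Internet reach the mapped hosts
    # (the DNAT direction Adam18290 asks about below). Leave this policy out
    # unless inbound access is wanted, and scope the service tightly; "ALL"
    # here would expose every host in 10.1.0.0/24.
    edit 0
        set name "School1-in-1to1"
        set srcintf "wan1"
        set dstintf "lan"
        set srcaddr "all"
        set dstaddr "vip-school1-1to1"
        set action accept
        set schedule "always"
        set service "HTTPS"
        set logtraffic all
    next
end
```

To confirm the proxy-ARP side from the FortiGate itself, watch wan1 for ARP while an upstream host pings one of the external addresses: `diagnose sniffer packet wan1 'arp and host 198.51.100.5' 4 0 l` should show the FortiGate answering. If it does not, the traffic reaches the unit but the replies never come back, which is the same failure mode as the OP's original overload pool.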
#4 varriola, 2018/12/22 15:25:48
Interesting. I will look into it. 
I went with the method that I did because that's what Fortinet support suggested.
#5 Adam18290 (New Member), 2019/08/23 14:25:57
Going off the article in https://kb.fortinet.com/k...ypeID=DT_KCARTICLE_1_1, do you happen to know if the translation occurs in the opposite direction, i.e. if network 'External' initiates traffic to 192.168.37.5, will that be mapped to 10.10.10.43, or does this only work when initiated from the inside?
 
Best,
Adam
#6 ede_pfau, 2019/08/24 12:23:13
Yes, of course. That is the normal way to employ a VIP. The trick here is that VIPs will not only DNAT inbound but SNAT outbound, so as to conceal the internal address completely. This is used in the KB article to SNAT 1:1. But DNAT will occur as well.

Ede
#7 Adam18290, 2019/08/24 13:09:23
So it's essentially one-to-one NAT on a mass scale, and the mappings are consistent, i.e. .1 translates to .1.
Similar to the way Cisco implements NAT when you specify the source and destination network and mask in the NAT statement.
#8 ede_pfau, 2019/08/25 03:48:06
Correct. IMHO this should/could be implemented in SNAT (IP pools) as well. Seems nobody has asked yet...

Ede
#9 smari (Bronze Member, Iceland), 2019/08/26 04:22:32
I've done similar scenarios without adding a secondary IP on the interface.
Did you check if your IP pool has "arp-reply" enabled?

NSE7, FMG, FAC, FAZ .
1500D's, 1200D's, 900D's, 300D's, 200D's, 100D's and bunch of small stuff.
 
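The OP's three-step procedure written out as FortiOS CLI, with the two fixes the thread arrives at: secondary IPs on the WAN interface (what varriola did) and arp-reply on the IP pool (what smari points at). This is an added example, not configuration posted in the thread. The interface names wan1 and lan, the WAN block 203.0.113.0/28 with pool addresses .2, .3 and .4, and the object and policy names are assumptions; the three /16 school subnets are the ones from the original post.

```fortios
# Step 1: address objects, one per school /16
config firewall address
    edit "School1"
        set subnet 10.1.0.0 255.255.0.0
    next
    edit "School2"
        set subnet 10.2.0.0 255.255.0.0
    next
    edit "School3"
        set subnet 10.3.0.0 255.255.0.0
    next
end

# Step 2: one overload pool per public address. arp-reply is what makes the
# FortiGate answer ARP for an address that is not bound to any interface; with
# it disabled the upstream router never learns a MAC for 203.0.113.2, so return
# packets are dropped upstream. That is the "tracert stops at the FortiGate"
# symptom in the original post.
config firewall ippool
    edit "pool-school1"
        set type overload
        set startip 203.0.113.2
        set endip 203.0.113.2
        set arp-reply enable
    next
    edit "pool-school2"
        set type overload
        set startip 203.0.113.3
        set endip 203.0.113.3
        set arp-reply enable
    next
    edit "pool-school3"
        set type overload
        set startip 203.0.113.4
        set endip 203.0.113.4
        set arp-reply enable
    next
end

# Alternative that achieves the same ARP visibility: bind the addresses to
# wan1 as secondary IPs. Either mechanism is enough; the /28 on wan1 by itself
# does not make the FortiGate answer for the other addresses in the block.
config system interface
    edit "wan1"
        set secondary-IP enable
        config secondaryip
            edit 1
                set ip 203.0.113.2 255.255.255.240
            next
            edit 2
                set ip 203.0.113.3 255.255.255.240
            next
            edit 3
                set ip 203.0.113.4 255.255.255.240
            next
        end
    next
end

# Step 3: per-school policy (repeat for School2/School3 with their pools).
# Keep these above any broader lan->wan1 policy: matching is top-down, and a
# wider policy first would NAT everything to the interface address. Also check
# that the wireless clients at a site really get addresses inside the School
# object; a separate wireless subnet falls through to the next policy.
config firewall policy
    edit 0
        set name "School1-NAT"
        set srcintf "lan"
        set dstintf "wan1"
        set srcaddr "School1"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
        set ippool enable
        set poolname "pool-school1"
        set logtraffic all
    next
end

# Verification from the CLI: is the box answering ARP for a pool address, and
# which policy and NAT address does a given client's flow actually pick up?
#   diagnose sniffer packet wan1 'arp and host 203.0.113.2' 4 0 l
#   diagnose debug flow filter addr 10.1.0.50
#   diagnose debug flow trace start 10
#   diagnose debug enable
```

The debug flow output names the policy ID that matched and the translated source address, which settles both failure modes seen in the thread: a client hitting a policy other than the intended School policy (wrong or missing address object), or the right policy with an address nobody upstream can ARP for.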