configuration best practice
My goal is to migrate an existing old Cisco ASA configuration to FortiGate.
The ASA uses a few different VLANs and there are more than 500 DNAT translations (bidirectional with Cisco's "static" configuration). Some addresses have a static NAT rule with a network range, e.g. /27; some static NAT rules are /32. If there is an existing static NAT rule, the "outgoing IP" (SNAT) is the same as the IP of the DNAT configuration. Also, some services must communicate with each other across the VLANs (VLAN a to VLAN b with applied firewall rules).
I've found out that I can use the "nat-source-vip enable" command to use the DNAT/VIP IP for outgoing / SNAT connections.
What will be the best practice to reach the goal (performance, security, keep configuration as simple as possible)?
- Use central snat/dnat? If yes:
- Use 1 default SNAT rule for services not having a public IP and 500+ DNAT rules for services having a public IP (with nat-source-vip enabled)? (e.g. use interface IP 10.1.1.1 for SNAT and 10.1.1.2-255 for DNAT). Is it a problem having more than 500 DNAT rules in the system?
- If 1 SNAT and x DNAT rules: one DNAT rule for each IP, or can I combine IP ranges and single IP addresses in the ruleset? It is necessary to apply different firewall service rules, even when the IP addresses are in the same central DNAT rule.
(e.g. 10.1.1.2/32 DNAT, 10.1.1.3/32 (host), 10.1.1.32/27 (range), ... in DNAT; in the firewall rules: one rule for 10.1.1.33, another for 10.1.1.34, even though both addresses are in the 10.1.1.32/27 DNAT rule)
- Or is it better to use policy NAT? If yes: use multiple interfaces in one firewall rule (e.g. 20 VLANs must access DNS servers in VLAN 1).
Are there any other tips that will help me?
Thanks in advance.
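As an added example (not part of the original post, and not Fortinet's or Cisco's tooling), the script below turns old-style (pre-8.3) ASA `static (real_ifc,mapped_ifc) mapped_ip real_ip netmask mask` lines into FortiOS `config firewall vip` entries with `set nat-source-vip enable`, so the same object carries the inbound DNAT and the matching outbound source address. It keeps /32 statics as single-IP VIPs, renders netmask statics such as /27 as `first-last` ranges, and flags VIPs whose external ranges overlap before 500+ objects are pushed to the box. The ASA sample lines, the interface mapping (`outside` to `wan1`, `inside` to `vlan1`, `dmz` to `vlan2`) and the `vip-<ip>_<prefix>` naming are constructed assumptions.

```python
import ipaddress
import re
from typing import Dict, List, Optional, Tuple

# Assumed input format: pre-8.3 Cisco ASA bidirectional static NAT
#   static (real_ifc,mapped_ifc) mapped_ip real_ip [netmask mask]
STATIC_RE = re.compile(
    r"^\s*static\s+\((?P<real_ifc>[^,\s]+)\s*,\s*(?P<mapped_ifc>[^)\s]+)\)\s+"
    r"(?P<mapped_ip>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<real_ip>\d{1,3}(?:\.\d{1,3}){3})"
    r"(?:\s+netmask\s+(?P<mask>\d{1,3}(?:\.\d{1,3}){3}))?\s*$"
)

# Hypothetical ASA-interface -> FortiGate-interface mapping; adjust to your setup.
INTF_MAP = {"outside": "wan1", "inside": "vlan1", "dmz": "vlan2"}


def parse_static(line: str) -> Optional[dict]:
    """Parse one ASA 'static' line into external/internal networks; None if not a static."""
    m = STATIC_RE.match(line)
    if not m:
        return None
    mask = m.group("mask") or "255.255.255.255"  # ASA default for a host static
    # ip_network accepts a dotted netmask; strict=False applies the mask as the ASA does.
    ext = ipaddress.ip_network(f"{m.group('mapped_ip')}/{mask}", strict=False)
    real = ipaddress.ip_network(f"{m.group('real_ip')}/{mask}", strict=False)
    return {
        "real_ifc": m.group("real_ifc"),
        "mapped_ifc": m.group("mapped_ifc"),
        "ext": ext,
        "real": real,
    }


def _range(net: ipaddress.IPv4Network) -> str:
    """FortiOS VIP address form: a single IP for /32, 'first-last' for a range."""
    if net.prefixlen == 32:
        return str(net.network_address)
    return f"{net.network_address}-{net.broadcast_address}"


def to_vip(entry: dict, intf_map: Dict[str, str] = INTF_MAP) -> dict:
    """Describe one FortiOS static-NAT VIP for a parsed ASA static entry."""
    ext, real = entry["ext"], entry["real"]
    return {
        "name": f"vip-{ext.network_address}_{ext.prefixlen}",  # assumed naming convention
        "extintf": intf_map.get(entry["mapped_ifc"], entry["mapped_ifc"]),
        "extip": _range(ext),
        "mappedip": _range(real),
        "ext_net": ext,
    }


def render_vips(vips: List[dict]) -> str:
    """Emit 'config firewall vip' CLI; nat-source-vip enable makes outbound traffic use the VIP IP."""
    out = ["config firewall vip"]
    for v in vips:
        out += [
            f'    edit "{v["name"]}"',
            f'        set extip {v["extip"]}',
            f'        set extintf "{v["extintf"]}"',
            f'        set mappedip "{v["mappedip"]}"',
            "        set nat-source-vip enable",
            "    next",
        ]
    out.append("end")
    return "\n".join(out)


def find_overlaps(vips: List[dict]) -> List[Tuple[str, str]]:
    """Return name pairs whose external ranges overlap: ambiguous DNAT is a migration smell."""
    hits = []
    for i, a in enumerate(vips):
        for b in vips[i + 1:]:
            if a["ext_net"].overlaps(b["ext_net"]):
                hits.append((a["name"], b["name"]))
    return hits


def convert(asa_config: str) -> Tuple[str, List[Tuple[str, str]]]:
    """Convert a block of ASA config text; returns (FortiOS CLI, overlapping VIP pairs)."""
    vips = [to_vip(e) for e in map(parse_static, asa_config.splitlines()) if e]
    return render_vips(vips), find_overlaps(vips)


# Constructed sample input, not a real ASA configuration. The last line deliberately
# falls inside the /27 range so that the overlap check has something to report.
SAMPLE_ASA = """\
! constructed sample
static (inside,outside) 10.1.1.2 192.168.1.2 netmask 255.255.255.255
static (inside,outside) 10.1.1.3 192.168.1.3 netmask 255.255.255.255
static (dmz,outside) 10.1.1.32 192.168.2.32 netmask 255.255.255.224
static (dmz,outside) 10.1.1.40 192.168.2.40 netmask 255.255.255.255
"""

if __name__ == "__main__":
    cli, overlaps = convert(SAMPLE_ASA)
    print(cli)
    for a, b in overlaps:
        print(f"! WARNING: external ranges of {a} and {b} overlap")
```

Each ASA static becomes exactly one VIP object, so the /27 becomes one range VIP and the two hosts stay separate; if separate objects per host are wanted inside a range (for example to reference them individually in policies), expanding `to_vip` to iterate over `ext.hosts()` is a small change. Any line that is not a `static` (ACLs, `nat (inside) ...` entries, comments) is ignored rather than guessed at, and the overlap list is the thing to review before loading the output on a FortiGate.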