Policy with source NAT
Static SNAT
NAT or Network Address Translation is the process that enables a single device such as a router or firewall to act as an agent between the Internet or Public Network and a local or private network. This agent acts in real time to translate the source or destination IP address of a client or server on the network interface. For the source IP translation, this enables a single public address to represent a significantly larger number of private addresses. For the destination IP translation, the firewall can translate a public destination address to a private address. So we don’t have to configure a real public IP address for the server deployed in a private network.
We can subdivide NAT into two types: source NAT (SNAT) and destination NAT (DNAT). This topic covers SNAT. We support three SNAT working modes: static SNAT, dynamic SNAT, and central SNAT.
In static SNAT, all internal IP addresses are always mapped to the same public IP address. This is a port address translation: since there are 60,416 available port numbers, this one public IP address can handle the translation of 60,416 internal IP addresses. See the example below.
FortiGate firewall configurations commonly use the Outgoing Interface address.
Sample configuration
The following example of static SNAT uses an internal network with subnet 10.1.100.0/24 (vlan20) and an external/ISP network with subnet 172.16.200.0/24 (vlan30).
When clients in the internal network need to access servers in the external network, we need to translate their source IP addresses from 10.1.100.0/24 to an IP address in 172.16.200.0/24. In this example, we implement static SNAT by creating a firewall policy.
To configure static NAT:
- In Policy & Objects > IPv4 Policy, click Create New.
- Enter the required policy parameters.
- Enable NAT and select Use Outgoing Interface Address.
- If needed, enable Preserve Source Port.
Enable Preserve Source Port to keep the same source port for services that expect traffic to come from a specific source port.
Disable Preserve Source Port to allow more than one connection through the firewall for that service.
For packets that match this policy, the source IP address is translated to the IP address of the outgoing interface.
Dynamic SNAT
Dynamic SNAT maps the private IP addresses to the first available public address from a pool of addresses. In the FortiGate firewall, this can be done by using IP pools. IP pools are a mechanism that allows sessions leaving the FortiGate firewall to use NAT. An IP pool defines a single IP address or a range of IP addresses to be used as the source address for the duration of the session. These assigned addresses are used instead of the IP address assigned to that FortiGate interface.
IP pool types
FortiGate uses four types of IPv4 IP pools. This recipe focuses on some of the differences between them.
Overload
This type of IP pool is similar to static SNAT mode. We just need to define an external IP range. This range can contain one or multiple IP addresses. When there is only one IP address, it is almost the same as static SNAT using the Outgoing Interface address. When it contains multiple IP addresses, it is equivalent to an extended mode of static SNAT.
For instance, if we define an overload type IP pool with two external IP addresses (172.16.200.1-172.16.200.2), since there are 60,416 available port numbers per IP, this IP pool can handle 60,416*2 internal IP addresses. See the example below.
One-to-one
This type of IP pool means that the internal IP address and the external (translated) IP address match one-to-one. The port address translation (PAT) is disabled when using this type of IP pool. For example, if we define a one-to-one type IP pool with two external IP addresses (172.16.200.1-172.16.200.2), this IP pool only can handle two internal IP addresses.
Fixed port range
For the overload and one-to-one IP pool types, we do not need to define the internal IP range. For the fixed port range type of IP pool, we define both the internal IP range and the external IP range. Because the number of external IP addresses and the number of available ports per address are both fixed, once the number of internal IP addresses is also known we can calculate the port range for each address translation combination in advance. That is why this type is called fixed port range. This type of IP pool is also a form of port address translation (PAT).
For instance, if we define one external IP address (172.16.200.1) and ten internal IP addresses (10.1.100.1-10.1.100.10), we get IP+port translation combinations like those in the following table:
Port block allocation
This type of IP pool is also a type of port address translation (PAT). It gives users a more flexible way to control how external IPs and ports are allocated. Users need to define Block Size, Block Per User, and the external IP range. Block Size means how many ports each block contains. Block Per User means how many blocks each user (internal IP) can use.
Following is a simple example:
External IP Range: 172.16.200.1-172.16.200.1
Block Size: 128
Block Per User: 8
Result:
Total PBAs: 472 (60416/128)
Maximum ports that can be used per user (internal IP address): 1024 (128*8)
Number of internal IPs that can be handled: 59 (60416/1024 or 472/8)
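As an added worked example (not from the FortiOS documentation), the following Python computes the capacity figures discussed above for the overload, fixed port range, and port block allocation pool types. It takes the 60,416 usable ports per external IP from the text; the first translated port number (FIRST_PORT) and the even, contiguous distribution of port slices in the fixed-port-range table are assumptions for illustration, not a statement of how the FortiGate itself allocates ports.

```python
import ipaddress

PORTS_PER_IP = 60416   # usable ports per external IP, as stated in the text
FIRST_PORT = 1024      # assumption: first translated port; not taken from the page


def ip_range(start, end):
    """Expand an inclusive 'start'..'end' IPv4 range into a list of address strings."""
    lo, hi = int(ipaddress.IPv4Address(start)), int(ipaddress.IPv4Address(end))
    return [str(ipaddress.IPv4Address(i)) for i in range(lo, hi + 1)]


def overload_capacity(ext_start, ext_end, ports_per_ip=PORTS_PER_IP):
    """Overload pool: each external IP contributes its whole port space (60416*N)."""
    return len(ip_range(ext_start, ext_end)) * ports_per_ip


def fixed_port_range_table(ext_start, ext_end, int_start, int_end,
                           ports_per_ip=PORTS_PER_IP, first_port=FIRST_PORT):
    """Fixed-port-range pool: spread internal IPs evenly over the external IPs and
    give each internal IP one contiguous port slice (assumed distribution).
    Returns rows of (internal_ip, external_ip, first_port, last_port)."""
    ext, internal = ip_range(ext_start, ext_end), ip_range(int_start, int_end)
    per_ext = -(-len(internal) // len(ext))   # internal IPs per external IP (ceil)
    slice_size = ports_per_ip // per_ext      # ports each internal IP receives
    rows = []
    for i, src in enumerate(internal):
        first = first_port + (i % per_ext) * slice_size
        rows.append((src, ext[i // per_ext], first, first + slice_size - 1))
    return rows


def pba_capacity(ext_start, ext_end, block_size, blocks_per_user,
                 ports_per_ip=PORTS_PER_IP):
    """Port-block-allocation pool: the three figures the text derives
    (total PBAs, ports per user, internal IPs that can be served)."""
    total_pbas = len(ip_range(ext_start, ext_end)) * (ports_per_ip // block_size)
    ports_per_user = block_size * blocks_per_user
    return {"total_pbas": total_pbas,
            "ports_per_user": ports_per_user,
            "max_internal_ips": total_pbas // blocks_per_user}


if __name__ == "__main__":
    for row in fixed_port_range_table("172.16.200.1", "172.16.200.1",
                                      "10.1.100.1", "10.1.100.10"):
        print("%-14s -> %s ports %d-%d" % row)
    print(pba_capacity("172.16.200.1", "172.16.200.1", 128, 8))
```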
Sample configuration
To configure Overload IP pool using the GUI:
- In Policy & Objects > IP Pools, click Create New.
- Select IPv4 Pool and then select Overload.
To configure Overload IP pool using the CLI:
config firewall ippool
    edit "Overload-ippool"
        set startip 172.16.200.1
        set endip 172.16.200.1
    next
end
To configure One-to-One IP pool using the GUI:
- In Policy & Objects > IP Pools, click Create New.
- Select IPv4 Pool and then select One-to-One.
To configure One-to-One IP pool using the CLI:
config firewall ippool
    edit "One-to-One-ippool"
        set type one-to-one
        set startip 172.16.200.1
        set endip 172.16.200.2
    next
end
To configure Fixed Port Range IP pool using the GUI:
- In Policy & Objects > IP Pools, click Create New.
- Select IPv4 Pool and then select Fixed Port Range.
To configure Fixed Port Range IP pool using the CLI:
config firewall ippool
    edit "FPR-ippool"
        set type fixed-port-range
        set startip 172.16.200.1
        set endip 172.16.200.1
        set source-startip 10.1.100.1
        set source-endip 10.1.100.10
    next
end
To configure Port Block Allocation IP pool using the GUI:
- In Policy & Objects > IP Pools, click Create New.
- Select IPv4 Pool and then select Port Block Allocation.
To configure Port Block Allocation IP pool using the CLI:
config firewall ippool
    edit "PBA-ippool"
        set type port-block-allocation
        set startip 172.16.200.1
        set endip 172.16.200.1
        set block-size 128
        set num-blocks-per-user 8
    next
end
Central SNAT
The central SNAT table enables you to define and control (with more granularity) the address translation performed by FortiGate. With the NAT table, you can define the rules for the source address or address group, and which IP pool the destination address uses.
While similar in functionality to IP pools where a single address is translated to an alternate address from a range of IP addresses, with IP pools there is no control over the translated port. When using the IP pool for source NAT, you can define a fixed port to ensure the source port number is unchanged. If no fixed port is defined, the port translation is randomly chosen by FortiGate. With the central NAT table, you have full control over both the IP address and port translation.
FortiGate reads the NAT rules from the top down until it hits a matching rule for the incoming address. This enables you to create multiple NAT policies that dictate which IP pool is used based on the source address. NAT policies can be rearranged within the policy list. NAT policies are applied to network traffic after a security policy.
The central SNAT table allows you to create, edit, delete, and clone central SNAT entries.
Central SNAT notes
- The central NAT feature is not enabled by default.
- If central NAT is enabled, the NAT option under IPv4 policies is skipped and SNAT must be done via central-snat-map. The IPv4 policy list and dialog boxes have messages and redirection links to show this information.
- If NGFW mode is policy-based, then it is assumed that central NAT (specifically SNAT) is enabled implicitly.
- The option to toggle NAT in central-snat-map policies has been added. Previously it was only shown in NGFW policy-based mode.
- In the central SNAT policy dialog box, the port mapping fields for the original port have been updated to accept ranges.
- If per-VDOM NAT is enabled, NAT is skipped in the firewall policy.
- The central SNAT window contains a table of all the central SNAT policies.
Sample configuration
To enable or disable central SNAT using the CLI:
config system settings
    set central-nat [enable | disable]
end
When central NAT is enabled, Policy & Objects displays the Central SNAT section.
To create central SNAT using the GUI:
- Go to Policy & Objects > Central SNAT. The right pane displays a table of Central SNAT entries.
- To create a new entry, click Create New in the right pane. To edit an entry, double-click the policy you want to edit.
- To set the Incoming Interface, click + in that field. In the pane on the right, select an interface to add it. You can select multiple interfaces.
- To set the Outgoing Interface, click + in that field. In the pane on the right, select an interface to add it. You can select multiple interfaces.
- To set the Source Address, click + in that field. In the pane on the right, select an address to add it. You can select multiple addresses.
- To set the Destination Address, click + in that field. In the pane on the right, select an address to add it. You can select multiple addresses.
- In NAT > IP Pool Configuration, select either Use Outgoing Interface Address or Use Dynamic IP Pool. If you select Use Dynamic IP Pool, click + and select which IP pool to use.
- Select one of the following Protocol options:
  - ANY. Use any protocol traffic.
  - TCP. Use TCP traffic only. Protocol number is set to 6.
  - UDP. Use UDP traffic only. Protocol number is set to 17.
  - SCTP. Use SCTP traffic only. Protocol number is set to 132.
  - Specify. You can specify the traffic filter protocol by setting the protocol number.
- If you use the Overload type of IP pool, you can enable Explicit Port Mapping. If you enable Explicit Port Mapping, set the Original Source Port to the start number of the source port range, and set the Translated Port to the start number of the translated port range.
- Click OK.
To configure central SNAT using the CLI:
config firewall central-snat-map
    edit <policyID number>
        set status [enable|disable]
        set orig-addr <valid address object preconfigured on the FortiGate>
        set srcintf <name of interface on the FortiGate>
        set dst-addr <valid address object preconfigured on the FortiGate>
        set dstintf <name of interface on the FortiGate>
        set nat [enable|disable]
        set nat-ippool <name of IP pool preconfigured on the FortiGate>
        set protocol <integer for protocol number>
        set orig-port <integer for original port number>
        set nat-port <integer for translated port number>
        set comments <string>
    next
end
To set NAT to be not available regardless of NGFW mode:
config firewall central-snat-map
    edit 1
        set orig-addr "192-86-1-86"
        set srcintf "port23"
        set dst-addr "192-96-1-96"
        set dstintf "port22"
        set nat-ippool "pool1"
        set protocol 17
        set orig-port 2896-2897
        set nat enable
    next
end
To hide NAT port if NAT IP pool is not set or if NAT is disabled:
config firewall central-snat-map
    edit 1
        set orig-addr "192-86-1-86"
        set srcintf "port23"
        set dst-addr "192-96-1-96"
        set dstintf "port22"
        set nat-ippool "pool1"
        set protocol 17
        set orig-port 2896-2897
        set nat disable
    next
end
To change original port to accept range:
config firewall central-snat-map
    edit 1
        set orig-addr "192-86-1-86"
        set srcintf "port23"
        set dst-addr "192-96-1-96"
        set dstintf "port22"
        set nat-ippool "pool1"
        set protocol 17
        set orig-port 2896-2897
        set nat-port 35804-35805
    next
end
The help text for orig-port changed to: Original port or port range.
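As an added example (not part of the FortiOS documentation), the following Python simulates how the central SNAT table described above is evaluated: entries are walked top-down, the first entry whose interfaces, addresses, protocol and original port range all match decides, a matching entry with NAT disabled means no SNAT, and with explicit port mapping the translated port keeps the packet's offset within the original port range. The address objects "192-86-1-86" and "192-96-1-96" from the CLI example are assumed to resolve to the hosts 192.86.1.86 and 192.96.1.96, and pool1 is assumed to contain 172.16.200.1; all of these are constructed values.

```python
import ipaddress
from dataclasses import dataclass

ANY = 0  # protocol value meaning "match any protocol"

@dataclass
class CentralSnatEntry:
    """One central-snat-map entry, address objects already resolved to networks."""
    policy_id: int
    srcintf: frozenset
    dstintf: frozenset
    orig_addr: ipaddress.IPv4Network
    dst_addr: ipaddress.IPv4Network
    protocol: int = ANY          # 6 = TCP, 17 = UDP, 132 = SCTP
    orig_port: tuple = (1, 65535)
    nat: bool = True             # 'set nat disable' => entry matches but no SNAT
    nat_ippool: str = ""         # "" => use outgoing interface address
    nat_port: tuple = None       # explicit port mapping (start, end), or None

def matches(e, pkt):
    """True when every field of the entry accepts this packet."""
    return (pkt["srcintf"] in e.srcintf and pkt["dstintf"] in e.dstintf
            and ipaddress.IPv4Address(pkt["src"]) in e.orig_addr
            and ipaddress.IPv4Address(pkt["dst"]) in e.dst_addr
            and (e.protocol == ANY or pkt["proto"] == e.protocol)
            and e.orig_port[0] <= pkt["sport"] <= e.orig_port[1])

def apply_central_snat(table, pkt, pools, outgoing_ip):
    """Walk the table top-down; the first matching entry decides. Returns
    (translated_src, translated_sport), or None when no SNAT applies."""
    for e in table:
        if not matches(e, pkt):
            continue
        if not e.nat:
            return None
        new_ip = pools[e.nat_ippool][0] if e.nat_ippool else outgoing_ip
        if e.nat_port:  # explicit mapping keeps the offset inside the range
            return new_ip, e.nat_port[0] + (pkt["sport"] - e.orig_port[0])
        return new_ip, pkt["sport"]  # simplification: the real unit picks a port
    return None

# Constructed data mirroring the CLI example above (policy 1, UDP 2896-2897 -> 35804-35805).
TABLE = [CentralSnatEntry(1, frozenset({"port23"}), frozenset({"port22"}),
                          ipaddress.IPv4Network("192.86.1.86/32"),
                          ipaddress.IPv4Network("192.96.1.96/32"), protocol=17,
                          orig_port=(2896, 2897), nat_ippool="pool1",
                          nat_port=(35804, 35805))]
POOLS = {"pool1": ["172.16.200.1"]}  # assumed content of pool1
```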