At work we recently migrated to a different Internet Service Provider. This migration brought many changes, but a big one for me as the network administrator was the fact that we would be handling our own address space and network address translation (NAT). Although Fortigate support was great at confirming the NAT configuration process for me, I found that the documentation of NAT Overload/PAT configuration was lacking. My hope is that someone out there will find this document useful in their work environment.
I will be using the Fortigate web interface for all configuration steps. The unit I am using is a Fortigate 800 running software 4.0.2,build0099. Other versions or Fortigate models may use a different process to configure NAT.
Before starting, ensure that your Fortigate is in NAT mode. This can be accomplished by going to the “Operation” tab under System -> Config. Keep in mind that you will lose many, if not all, of your policies and settings by making this change. Be sure to backup your configuration file first so you have something to fall back on if things go south.
NAT Overload/PAT Configuration
NAT overload, also called Port Address Translation (PAT), is a process used to allow many computers to access the Internet using one or more IP addresses. This is used when you have a large number of computers on your LAN, but your public IP address space does not allow for a one to one mapping of public IP addresses for each computer. Without going into detail, PAT uses one public IP address with a TCP port number appended to the IP address. The port number is what is used to identify which session maps to which computer.
First a public IP address must be assigned to the external interface on your firewall. This can be accomplished by going to System -> Network -> Interface tab. On the Interface tab, click the edit icon for the external interface. You will see the screen below:
Under “Addressing mode”, click “Manual” and enter the IP address and subnet mask. The IP address and subnet mask should be separated by a forward slash like this: “126.96.36.199/255.255.255.0”. Click “Ok” to save your changes.
Next, we need to make sure the firewall knows how to get where it needs to go. This is done through routes under the Router -> Static -> Static Routes tab. Here, you’re probably going to need at least two routes. The first route you will need is a default route, which is represented using “0.0.0.0/0.0.0.0”. Here the gateway address should be set to the next hop of your Internet bound routing equipment.
Now your firewall needs to know how to get back to your LAN subnets. It’s up to you how you configure this, but for simplicity sake we will use a blanket route. Say all of the IP addresses on your LAN subnets start with “10.70.xxx.xxx”, you can simply create a route for all of the subnets that start with “10.70” using the following IP address and subnet mask combination: “10.70.0.0/255.255.0.0”. You may choose to be more specific with your routes.
Below is an example route configuration. This is used on a production Fortigate, so I have blocked out some information to protect the innocent.
Now that the routing has been setup we can create a policy to allow outbound traffic and enable NAT. This is accomplished by going to the “Policy” tab under Firewall -> Policy. Once there, click the “Create New” tab. Here you will be presented with a list of options, but we will focus on a select few.
The “Source Interface” and “Destination Interface” options are self explanatory. We are going to set the source to “Internal” and the destination to “External” since we want to configure internal to external translation (the translation table will automatically handle the reverse mapping). The next crucial step is to ensure that the “NAT” checkbox is selected to enable NAT for this policy. You can create an “allow all” policy for now just to test if NAT is working. Various “what’s my IP” web sites should be able to confirm that the public IP address of the external interface on the firewall is being used for NAT.
One note about the NAT checkbox; it needs to be checked for any internal to external policy that you wish to allow traffic. At work I have a policy that blocks outbound RDP access; however there is one vendor’s server to which we need to permit outbound RDP access. If you create the outbound policy and place it in the appropriate spot on the policy list, but forget to check the NAT option the policy will not work. If things don’t seem to be working as they should, or is seems that the policy is being ignored, always check the Nat checkbox!
That covers NAT overload/PAT configuration on the Fortigate 800. In a follow-up article I will cover static NAT configuration, which is a less involved process.