Fortigate Static NAT Configuration
In my previous article, I covered how to configure NAT overload, or PAT, on a Fortigate firewall. This time around I will cover how to configure static NAT.
Static NAT is used to map one IP address to another. This is typically used to perform translations from public address space to private address space. Many organizations do not put servers directly on the internet. Instead the servers may sit on a private LAN, or even in a DMZ. Static NAT mappings are used in these cases to allow servers that are sitting behind a firewall to extend services to the Internet.
Static NAT Configuration
Fortigate firewalls call the static NAT function “Virtual IP Mapping”. These virtual IP mappings can be used for static or dynamic NAT; however I will only be covering static NAT with a one to one mapping relationship.
A new virtual IP mapping is created on the “Virtual IP” tab under Firewall -> Virtual IP. On the “Virtual IP” tab, click on the “Create New” button. This will bring you to the “Add New Virtual IP Mapping” page as shown below:
Fill in the following information:
- Name – This is a name that will uniquely identify this mapping. It may be easy to use the name of the server that mapping is for just to keep things simple.
- External Interface – This will almost always be set to “external” unless you have a different configuration.
- External IP Address/Range – Here you can enter either the first and last IP addresses in a range, or just a single IP address (Leaving the second text box empty). Remember to use the public IP address here.
- Internal IP Address/Range – Same as the external IP, except this time you will use the private IP address of the server.
- Port Forwarding – Only use this if people will be sending requests from the outside on one port, while your server will be listening on another. For example if people will be requesting web pages on port 80, but your server’s web server runs on port 8080.
Once you have configured the virtual IP mapping it is time to create the corresponding policy. This will be done by going to Firewall -> Policy and then the “Policy” tab. Click on the “Create New” button to create a new policy.
This time we are going to create a policy for traffic entering our network, so the source interface will be “external” and the destination interface will be “internal” (or DMZ depending on your configuration).
The next crucial step is to set the “Destination Address. If you expand the drop down menu, you will see a section titled “Virtual IP”, under which you should see the name of the “Virtual IP Mapping” that was just created. It’s also good practice to only accept traffic for the services that the server will be running. There is no use in accepting incoming HTTP for a server that only runs SMTP services, plus it’s a good security practice.
Finally, in this case you do not need to select “NAT”. The virtual IP mapping will take care of all of the NAT work.
Now you should be armed to configure all of the basic NAT services on a Fortigate.
Would help if you updated your firmware once and a while to get current with the program of options that are current and not 5+ years old!
Get with the program will ya.
5 Years real world experienced, certified Fortigate Specialist.
Doc
This is very good guide. Its working for good.thanks a lot
@Doc
The screen shots used in both articles are from a Fortigate 800 using the “FGT_800-v400-build0099-FORTINET.out” image. From the time stamp of this file on Fortigate’s FTP site, this image was uploaded on April of 2009. So at the time I wrote this article, the firmware on the Fortigate was only 2 months old).
Thanks for reading my blog!
Hi Chris,
This seems to work fine if I use an ip that is on the same range as my external interface – however I have a need to NAT another range that is routed to my Fortigate by the ISP – and this seems to not work – any ideas ?
(for example if my external is 192.168.1.1/24, I need to NAT 192.168.2.1/24 – this 192.168.2.1/24 is routed to the 192.168.1.1 and I see the traffic hitting the external interface but it never gets forwarded to the inside)
Look forward to your comment.
Thanks in advance.
@Dfine
I’m not near a computer right now, so i can’t reference a specific page in the Fortigate Administrators manual. However, there is a way to assign multiple IP addresses to an interface. I believe that is what you will want to do in order to perform NAT for multiple IP ranges.
Also, make sure your Fortigate has a route for the other IP range pointing out your external interface.
Not to be late to the party here – but great article – very easy to follow..
My issue is that I am trying to get one WAN address to forward traffic to multiple LAN addresses..
So – 4.2.2.2 will have to ports open 80 and 25.. 80 needs to route to 192.168.0.5 and 25 needs to route to 192.168.0.10..
Thanks in advance..
Hi
Thanks for the easy to follow steps. I have just one question. How do I configure the VIP for traffic that is initiated inside the private network? DNS for example needs to forward to a server in another network on a natted address.
Thanks
@Walkerboh42
Have a look at my Fortigate NAT Overload (PAT) article. You can use the PAT address that is assigned to your external interface for any other traffic that does not need a dedicated IP (such as DNS forwarding).
Juts be sure you create a policy that allow DNS queries from your internal server to get to the external DNS servers that you are using. I use this method with our Fortigate and it works well.
@cdm
You will want to have a look at port forwarding as well as the one to many NAT feature. I have not played with these features, so I am unsure of they will accomplish your goal.
Thanks for the reply guys. All working perfectly now.
Next question (might not be the right thread for this). I have setup 4 blades into an ELBC cluster. I need to be able enable RIP. I had RIP working on the HA cluster, but when I changed it to the ELBC it got broken!!
Any suggestions.
Thanks
I have an issue with UPC business; we are using a fortigate 80c. UPC provided us with 4 fixed IP-adresses. However, I could only use 1 on the external interface wan-1, and all mapping with NAT. What I would like to do is use different IP’s for HTTP, FTP-access, Audio-streams, Remote administration. So every use it’s own IP xxx.xxx.xxx.250-254. I can’t get all 4 IP’s been seen on the outside (WAN). Can you help me out ?
@WalkerBoh42
I’m not familiar with the clustering features on the Fortigate units. I am actually in the process of migrating from a single Fortigate 800 to a pair of Juniper SRX240′s.
@Paul Kuhne
On the Fortigate 800 you can add multiple IP addresses to an interface. This is done under the System -> Network -> Interface menu. Once you select the interface you wish to configure (probably External), look for the “Secondary IP Address” option. From there you add the needed IP addresses and choose to enable remote administration (HTTP/HTTPS) on one or more of the IP addresses. Note, this may not be available on the 80c.
Using different IPs based on the external service the workstation is attempting to use is a bit tricky. Most likely you will have to get creative with the firewall policies, however you may not be able to accomplish this with the 80c.