Fortigate: One to One (Static NAT)

KB ID 0001716

Problem

If you have a host that you want to be able to access from the outside of the firewall e.g. a webserver then this is the process you want to carry out. I didn’t find this process particularly intuitive and it highlighted why I don’t like GUI management interfaces, (in 6.4 the menu names have changed, this rendering a million blog pages inaccurate!)

I’m setting this up in EVE-NG on the work bench and this is what I’m trying to achieve;

Fortigate Web Server NAT

So to access my web server from ‘outside‘ the firewall I need to give it a NATTEDpublic‘ address on 192.168.100.0/24. Here the server is on the LAN if yours is in a DMZ then substitute the DMZ interface for the inside one I’m using.

Solution

First task is to create a ‘Virtual IP‘, this will be the ‘public IP‘ that the web server will use. From the management interface > Policy and Objects > Virtual IPs > Create  New > Virtual IP

Fortigate 1 to 1 NAT Create VIP

‘Give it a sensible name, and add a comment if you wish  >  Set the interface to the public facing port > Type, set to ‘Static NAT‘ > External IP, (although it says range just type in the single public IP) > Internal IP =  Enter the LAN IP > OK.

Fortigate Static NAT VIP

Firewall Policy > Create New.

Note: If your firewall is older then 6.4 the tab is called ‘IPv4 Policy

Fortigate Firewall Policy

Give the entry a name > Incoming interface = the public interface > Outgoing Interface = the inside/LAN interface > Source = ALL > Destination = SET TO YOUR VIRTUAL IP > Schedule = Always > Service = ALL (though you can of course select http and or https in production) > DISABLE NAT. (Trust me I know that makes no sense) > OK.

Static One to One NAT Web Server

Just to prove this is not all ‘Smoke and Mirrors‘ here’s my topology running in EVE-NG, and my external host (Named: Public-Client) Browsing to 192.168.100.110, and the Fortigate translates that to 192.168.1.123

Fortigate Testing static NAT

Related Articles, References, Credits, or External Links

EVE-NG Deploying Fortigate v6 Firewalls

TinyCore Linux: Build a ‘Persistent’ Web Server

Author: PeteLong

Share This Post On

4 Comments

  1. Hope to see more posts on FortiGate! Love this site!

    Post a Reply
    • They are in the pipeline, thanks Tom

      Post a Reply
  2. hahaha

    Apparently, like me, they got tired of suffering with ASA.

    Good job!

    Post a Reply
    • I’m admitting defeat! Cisco are their own worst enemy.

      Post a Reply

Submit a Comment

Your email address will not be published. Required fields are marked *