DO NOT REPRINT

© FORTINET
Lab 3: Network Address Translation (NAT)

NAT is used to perform source NAT (SNAT) and destination NAT (DNAT) for the traffic passing through
FortiGate. There are two ways to configure source NAT and destination NAT:

- Firewall policy NAT
- Central NAT

In this lab, you will configure and test firewall policy NAT for SNAT using IP pool, and for DNAT using virtual IP
(VIP).

You will configure and test SNAT using the central SNAT policy and DNAT using the DNAT policy and VIPs.

Objectives
- Configure destination NAT settings using a VIP.
- Configure the source NAT settings using overload IP pools.
- Configure a central NAT policy for the source NAT.
- Configure DNAT and VIPs for the destination NAT.

Time to Complete
Estimated: 50 minutes

Prerequisites
Before starting the procedures in this lab, you must restore a configuration file on each FortiGate.

Make sure to restore the correct configuration in each FortiGate using the following
steps. Failure to restore the correct configuration on each FortiGate will prevent you
from doing the lab exercise.

To restore the Remote-FortiGate configuration file


1. On the Local-Windows VM, open a browser and log in to the Remote-FortiGate GUI at 10.200.3.1 with the user
name admin and password password.
2. In the upper-right corner of the screen, click admin, and then click Configuration > Restore.

FortiGate Security 6.0 Lab Guide 53


Fortinet Technologies Inc.
3. Click Local PC, and then click Upload.


4. Click Desktop > Resources > FortiGate-Security > NAT > remote-nat.conf, and then click Open.
5. Click OK.
6. Click OK to reboot.

To restore the Local-FortiGate configuration file


1. On the Local-Windows VM, open a browser and log in to the Local-FortiGate GUI at 10.0.1.254 with the user
name admin and password password.
2. In the upper-right corner of the screen, click admin, and then click Configuration > Restore.

3. Click Local PC, and then click Upload.


4. Click Desktop > Resources > FortiGate-Security > NAT > local-nat.conf, and then click Open.
5. Click OK.
6. Click OK to reboot.

Exercise 1: Access Through VIPs

VIP addresses are typically used to translate external or public IP addresses to internal or private IP addresses.

In this exercise, you will configure a VIP address for the Local-Windows VM. Then, you will create an egress-to-
ingress firewall policy and apply a VIP address. This will allow Internet connections to the Local-Windows VM.
You will also verify the destination NAT (DNAT) and source NAT (SNAT) behavior using CLI commands.

Create a VIP

On FortiGate, a VIP is a destination NAT (DNAT), which you can select only in a firewall policy’s destination
address field.

In this procedure, you will configure the VIP to map the Local-Windows VM (10.0.1.10) to 10.200.1.200,
which is a part of the port1 subnet. You can refer to the Network Topology diagram on page 10.

To create a VIP
1. On the Local-Windows VM, open a browser and log in to the Local-FortiGate GUI at 10.0.1.254 with the user
name admin and password password.
2. Click Policy & Objects > Virtual IPs.
3. Click Create New, and then select Virtual IP.
4. Configure the following settings:

Field                        Value
Name                         VIP-INTERNAL-HOST
Interface                    port1 (port1 is connected to the Internet with IP address 10.200.1.1/24.)
External IP Address/Range    10.200.1.200 - 10.200.1.200 (This is an IP address in the same range as the port1 subnet.)
Mapped IP Address/Range      10.0.1.10

5. Click OK.

Create a Firewall Policy

You will configure a new firewall policy using the VIP that you just created as the destination address.

To create a firewall policy


1. Continuing on the Local-FortiGate GUI, click Policy & Objects > IPv4 Policy.
2. Click Create New.
3. Configure the following settings:

Field                 Value
Name                  Web-Server-Access
Incoming Interface    port1
Outgoing Interface    port3
Source                all
Destination           VIP-INTERNAL-HOST (Tip: listed under the Virtual IP section)
Schedule              always
Service               HTTP, HTTPS (Tip: in the right pane, type the name in the search box, and then click Services to add.)
Action                ACCEPT

4. In the Firewall / Network Options section, turn off the NAT switch.
5. In the Logging Options section, turn on the Log Allowed Traffic switch, and then select All Sessions.
6. Click OK.

Test the VIP Firewall Policy

Now that you've configured a firewall policy with the VIP address as the destination, you can test your VIP by
accessing it from the Remote-Windows VM, which is behind the Remote-FortiGate internal network. Traffic is
routed from the Remote-FortiGate to the Local-FortiGate by a Linux machine, which acts as a router between
these two FortiGate devices. For more information, see Network Topology on page 10.

You will also test how the source address is translated by the VIP when traffic is leaving from the Local-Windows
VM.

To test VIPs (DNAT)


1. On the Remote-Windows VM, open a web browser and go to the following URL:
http://10.200.1.200

If the VIP operation is successful, a simple web page opens.

2. On the Local-Windows VM, open PuTTY and connect over SSH to the LOCAL-FORTIGATE saved session.
3. At the login prompt, enter the user name admin and password password.
4. Enter the following command to check the destination NAT entries in the session table:
get system session list

Sample output:
Local-FortiGate# get system session list
PROTO EXPIRE    SOURCE    SOURCE-NAT   DESTINATION    DESTINATION-NAT
tcp   3594  10.200.3.1:49478   - 10.200.1.200:80  10.0.1.10:80

You will notice that the destination address 10.200.1.200 is translated to 10.0.1.10, which is the
mapping you configured in the VIP.

Test the Source NAT

As a result of the VIP (which is a static NAT), all outgoing connections from the Local-Windows VM (IP
address 10.0.1.10) that match the ingress-to-egress firewall policy will be source NATed to the VIP address,
not to the egress interface IP address.

To test SNAT
1. Continuing on Local-Windows, return to the Local-FortiGate PuTTY session and run the following command to
clear any existing sessions:

diagnose sys session clear

The CLI command diagnose sys session clear will clear all sessions,
including the SSH session you created using PuTTY. This is expected behavior.

The firewall is stateful, so any existing sessions will not use this new firewall policy
until they time out or are cleared for ingress-to-egress traffic.

This clears the session to the Local-FortiGate from the Local-Windows VM.

2. Close the PuTTY window.


3. Open a web browser tab and connect to a few websites, for example:
- www.fortinet.com
- www.yahoo.com
- www.bbc.com
4. Open PuTTY, and connect over SSH to the LOCAL-FORTIGATE saved session.
5. At the login prompt, enter the user name admin and password password.
6. Run the following command to view the session information:

get system session list

Sample output:

The outgoing connections from the Local-Windows VM are now being translated with
the VIP address 10.200.1.200, instead of the firewall egress interface IP address
(10.200.1.1).

This is a behavior of the SNAT VIP. That is, when you enable SNAT on a policy, a VIP static NAT takes
priority over the destination interface IP address.

7. Close the PuTTY session.


8. Close all browser tabs except the Local-FortiGate GUI.
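The two checks made by eye in this exercise, the DNAT mapping in "To test VIPs" and the translated source address in "To test SNAT", can be automated by parsing the get system session list output. The following Python is an added example and not part of the lab guide: its sample output is constructed in the FortiOS 6.0 column layout from the row shown above, and the outbound row to the constructed destination 198.51.100.10 is assumed.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sample in the column layout of `get system session list`
# (FortiOS 6.0). The first row is the DNAT row shown in this exercise; the
# second is an assumed outbound session from Local-Windows to a constructed
# destination 198.51.100.10, translated by the static-NAT VIP.
SAMPLE_OUTPUT = """\
Local-FortiGate # get system session list
PROTO EXPIRE    SOURCE    SOURCE-NAT   DESTINATION    DESTINATION-NAT
tcp   3594  10.200.3.1:49478   - 10.200.1.200:80  10.0.1.10:80
tcp   3598  10.0.1.10:51021  10.200.1.200:51021  198.51.100.10:443  -
"""

EGRESS_IP = "10.200.1.1"  # port1 address: the SNAT source when no VIP or pool applies


@dataclass
class Session:
    proto: str
    expire: int
    source: str
    source_nat: Optional[str]       # None when the column shows "-"
    destination: str
    destination_nat: Optional[str]  # None when the column shows "-"


def _nat_or_none(field: str) -> Optional[str]:
    return None if field == "-" else field


def parse_session_list(text: str) -> list:
    """Parse session rows; the prompt, header and blank lines are skipped."""
    sessions = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 6 or not fields[1].isdigit():
            continue
        proto, expire, src, snat, dst, dnat = fields
        sessions.append(Session(proto, int(expire), src, _nat_or_none(snat),
                                dst, _nat_or_none(dnat)))
    return sessions


def host(endpoint: str) -> str:
    """Strip the :port suffix from an ip:port endpoint."""
    return endpoint.rsplit(":", 1)[0]


def dnat_mappings(sessions: list) -> dict:
    """External (VIP) address -> internal address, from sessions that were DNATed."""
    return {host(s.destination): host(s.destination_nat)
            for s in sessions if s.destination_nat}


def snat_addresses(sessions: list, internal_ip: str) -> set:
    """Translated source addresses used by sessions originating from internal_ip."""
    return {host(s.source_nat)
            for s in sessions if host(s.source) == internal_ip and s.source_nat}


def snat_check(sessions: list, internal_ip: str, expected: str) -> bool:
    """True when every SNATed session from internal_ip uses `expected`
    and none fell back to the egress interface address."""
    used = snat_addresses(sessions, internal_ip)
    return bool(used) and used == {expected} and EGRESS_IP not in used


if __name__ == "__main__":
    sessions = parse_session_list(SAMPLE_OUTPUT)
    print("DNAT:", dnat_mappings(sessions))                                  # {'10.200.1.200': '10.0.1.10'}
    print("SNAT via VIP:", snat_check(sessions, "10.0.1.10", "10.200.1.200"))  # True
```

Paste the real CLI output into SAMPLE_OUTPUT (or read it from a file) to run the same checks against the lab device.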

Exercise 2: Dynamic NAT With IP Pools

IP pools are used to translate the source address to an address from that pool, rather than the egress interface
address.

Currently, the Local-FortiGate translates the source IP address of all traffic generated from the Local-Windows
VM to 10.200.1.200 because of the SNAT translation in the VIP.

In this exercise, you will create an IP pool, apply it to the ingress-to-egress firewall policy, and verify the SNAT
address using CLI commands.

Create an IP Pool

In this procedure, you will create an IP pool from the range of public IP addresses available on the egress port
(port1).

To create an IP pool
1. On the Local-Windows VM, open a browser and log in to the Local-FortiGate GUI at 10.0.1.254 with the user
name admin and password password.
2. Click Policy & Objects > IP Pools.
3. Click Create New and configure the following settings:

Field                       Value
Name                        INTERNAL-HOST-EXT-IP
Type                        Overload
External IP Range/Subnet    10.200.1.100 - 10.200.1.100

4. Click OK.

Edit a Firewall Policy to Use the IP Pool

Now, you will apply the IP pool to change the behavior from static NAT to dynamic NAT on the ingress-to-egress
firewall policy.

To edit the firewall policy
1. Continuing on the Local-FortiGate GUI, click Policy & Objects > IPv4 Policy.
2. Right-click the ID column for the Full_Access firewall policy and click Edit.
3. In the Firewall / Network Options section, configure the following settings:

Field                    Value
NAT                      <enable>
IP Pool Configuration    Use Dynamic IP Pool

4. Click the + that appeared when you clicked Use Dynamic IP Pool, and from the right pane, click INTERNAL-HOST-EXT-IP.
Your configuration will look similar to the following example:

5. Click OK.

Test Dynamic NAT with IP Pools

Now that your configuration is ready, you can test dynamic NAT with IP pools by browsing to a few external sites
on the Internet. If successful, you will see that the Local-Windows VM IP address (10.0.1.10) is translated to
the IP pool address of 10.200.1.100.

To test dynamic NAT with IP pools
1. Continuing on the Local-Windows VM, open PuTTY and connect over SSH to the LOCAL-FORTIGATE saved
session.
2. At the login prompt, enter the user name admin and password password.
3. Run the following command to clear any existing sessions:

diagnose sys session clear

The CLI command diagnose sys session clear will clear all sessions
including the SSH session you created using PuTTY. This is expected behavior.

The firewall is stateful, so any existing sessions will not use this updated firewall policy
until they time out or are cleared for ingress-to-egress traffic.

4. Close the PuTTY window.


5. Open several browser tabs and connect to a few websites. For example:
- www.fortinet.com
- www.yahoo.com
- www.bbc.com
6. Open PuTTY and connect over SSH to the LOCAL-FORTIGATE saved session.
7. At the login prompt, enter the user name admin and password password.
8. Run the following command to verify the source NAT IP address that those sessions are using:

get system session list

Sample output:

Notice that the source NAT address is now 10.200.1.100, as configured in the IP pool, and the IP pool
has overridden the static NAT VIP.

9. Close PuTTY.
10. Close all browser tabs except the Local-FortiGate GUI.

Exercise 3: Configure Central SNAT

A central SNAT policy is applied to multiple firewall policies, based on a configured central rule.

In this exercise, you will configure a central SNAT policy and test it.

Prerequisites
Before beginning this lab, you must restore a central NAT configuration file to Local-FortiGate.

Make sure to restore the correct configuration for Local-FortiGate using the following
steps. Failure to restore the correct configuration on Local-FortiGate will prevent you
from doing the lab exercise.

To restore the Local-FortiGate configuration file


1. On the Local-Windows VM, open a browser and log in to the Local-FortiGate GUI at 10.0.1.254 with the user
name admin and password password.
2. In the upper-right corner of the screen, click admin, and then click Configuration > Restore.

3. Click Local PC, and then click Upload.


4. Click Desktop > Resources > FortiGate-Security > NAT > local-central-nat.conf, and then click
Open.
5. Click OK.
6. Click OK to reboot.

When enabling central NAT, you must remove VIP and IP pool references from the
existing firewall policies first.

For example, you will see the following error if you try to enable central NAT without
removing VIP and IP pool references from the existing firewall policies.

To prevent this error from occurring during this exercise, the VIP and IP pool
references must be removed from the firewall policies.

1. The IP pool has been removed from the Full_Access firewall policy (policy ID 1),
and the VIP address has been removed from the Web-Server-Access firewall
policy (policy ID 2), because central NAT can be enabled only if none of the firewall
policies have IP pool and VIP addresses associated with them.
2. The VIP object you added in a previous exercise to test the firewall policy source
NAT has been removed.

Configure Central SNAT Policy

In this procedure, you will configure a central SNAT policy using the IP pool you created in the previous exercise.

To review IP Pool Configuration


1. On the Local-Windows VM, open a browser and log in to the Local-FortiGate GUI at 10.0.1.254 with the user
name admin and password password.
2. Click Policy & Objects > IP Pools.
3. Review the settings of INTERNAL-HOST-EXT-IP. 

To configure a central NAT policy


1. Continuing on the Local-FortiGate GUI, click Policy & Objects > Central SNAT.
2. Click Create New and configure the following settings:

Field                    Value
Incoming Interface       any
Outgoing Interface       any
Source address           all
Destination address      all
NAT                      <enable>
IP Pool Configuration    Use Dynamic IP Pool (click + and select INTERNAL-HOST-EXT-IP)
Protocol                 ANY

3. Keep the default values for the remaining settings and click OK to save the changes.

NAT is enabled on the central SNAT policy.

If no central SNAT or matching central SNAT rule exists, FortiGate drops the
traffic.

Review the Firewall Policy

In this procedure, you will review the firewall policy.

To verify that NAT is enabled on the firewall policy


1. Continuing on the Local-FortiGate GUI, click Policy & Objects > IPv4 Policy.
2. Right-click the ID column for the Full_Access firewall policy and click Edit.
3. Review the Firewall / Network Options of the Full_Access policy.

There is no option for enabling NAT and/or using IP pools. In central SNAT, NAT on
the SNAT policy controls whether the NAT is used or not.

4. Click Cancel.

Test Central SNAT

Now that your configuration is ready, you can test the behavior of the central SNAT policy.

To test central SNAT


1. On the Local-Windows VM, open PuTTY and connect over SSH to the LOCAL-FORTIGATE saved session.
2. At the login prompt, enter the user name admin and password password.

3. Run the following command to clear the existing sessions:

diagnose sys session clear

The CLI command diagnose sys session clear will clear all sessions
including the SSH session you created using PuTTY. This is expected behavior.

4. Close the PuTTY window.


5. Open multiple browser tabs and connect to a few websites. For example:
- www.fortinet.com
- www.yahoo.com
- www.bbc.com
6. Open PuTTY and connect over SSH to the LOCAL-FORTIGATE saved session.
7. At the login prompt, enter the user name admin and password password.
8. Run the following command to verify the source NAT IP address that those sessions are using:

get system session list

Sample output:

Notice that the source NAT address is now 10.200.1.100, which matches the IP Pool configured in central
SNAT policy.

9. Close PuTTY.
10. Close all browser tabs except the Local-FortiGate GUI.

Create a Second IP Pool

Now you will create a second IP Pool, which you will use later when creating a second central SNAT policy.

Take the Expert Challenge!
On the Local-FortiGate GUI, create a second IP Pool named SNAT-Pool with IP range 10.200.1.50 -
10.200.1.50 and the type as Overload.

If you require assistance, or to verify your work, use the step-by-step instructions that follow.

After you complete the challenge, see Create a Second SNAT Policy on page 70

To create a second IP Pool


1. On the Local-FortiGate GUI, click Policy & Objects > IP Pools.
2. Click Create New and configure the following settings:

Field                Value
Name                 SNAT-Pool
Type                 Overload
External IP Range    10.200.1.50 - 10.200.1.50

3. Click OK.

Create a Second SNAT Policy

Now you will create a more granular SNAT policy by selecting a specific destination address and protocol to
match specific traffic.

Take the Expert Challenge!


On the Local-FortiGate GUI, create a second SNAT policy for REMOTE_FORTIGATE as a destination to
allow only the TCP protocol using SNAT-Pool for traffic from port3 to port1.

If you require assistance, or to verify your work, use the step-by-step instructions that follow.

After you complete the challenge, see Reorder Central SNAT Policies on page 71

To create a second SNAT policy


1. Continuing on the Local-FortiGate GUI, click Policy & Objects > Central SNAT.
2. Click Create New and configure the following settings:

Field                    Value
Incoming Interface       port3
Outgoing Interface       port1
Source address           all
Destination address      REMOTE_FORTIGATE
NAT                      <enable>
IP Pool Configuration    Use Dynamic IP Pool (click + and select SNAT-Pool)
Protocol                 TCP

3. Click OK.

Reorder Central SNAT Policies

Now you will reorder the central NAT policies to put the more granular rule at the top.

Similar to firewall policies, a central SNAT policy is processed from top to bottom and, if a match is found, the
source address and source port translate based on that central SNAT policy.

To reorder central SNAT policies
1. Continuing on the Local-FortiGate GUI, click Policy & Objects > Central SNAT.
2. Drag the newly created central SNAT policy above the previously created central SNAT policy.

Test Central SNAT

Now that your configuration is ready, you will test the central SNAT configuration.

To test central SNAT


1. On the Local-Windows VM, open PuTTY and connect over SSH to the LOCAL-FORTIGATE saved session.
2. At the login prompt, enter the user name admin and password password.
3. Run the following command to clear the existing sessions:

diagnose sys session clear

4. Close the PuTTY window.


5. Open a new browser tab and log in to the Remote-FortiGate GUI at 10.200.3.1 with the user name admin and
password password.
6. Open a command prompt and run a continuous ping to the Remote-FortiGate IP.

ping -t 10.200.3.1

8. Open PuTTY and connect over SSH to the LOCAL-FORTIGATE saved session.
9. At the login prompt, enter the user name admin and password password.
10. Run the following command:

get system session list

Notice that the TCP sessions to destination 10.200.3.1 are translated to 10.200.1.50, because that
address matches the central SNAT policy.

Sample output:

ICMP sessions to destination 10.200.3.1 are translated to 10.200.1.100, which matches the central
SNAT policy at the bottom.

Sample output:

11. Open several browser tabs and connect to a few websites. For example:
- www.fortinet.com
- www.yahoo.com
- www.bbc.com
12. Return to LOCAL-FORTIGATE PuTTY session.
13. Run the following command:

get system session list

Also, other TCP sessions to different destinations are translated to 10.200.1.100, based on the
matching central SNAT policy at the bottom.

A Central SNAT policy is processed from top to bottom, similar to firewall policies.

14. Close the command prompt and PuTTY.


15. Close all browser tabs except the Local-FortiGate GUI.

Exercise 4: DNAT and VIPs

In firewall policy NAT, a virtual IP is selected in the firewall policy as the destination address. In central NAT, as
soon as a DNAT & Virtual IPs object is configured, FortiGate automatically creates a rule in the kernel to allow DNAT to
occur, and no additional configuration is required.

In this exercise, you will configure and test the behavior of central DNAT.

Create DNAT and VIPs

In this procedure, you will configure DNAT and VIPs.

To create DNAT and VIPs


1. On the Local-Windows VM, open a browser and log in to the Local-FortiGate GUI at 10.0.1.254 with the user
name admin and password password.
2. Click Policy & Objects > DNAT & Virtual IPs.
3. Click Create New, and then select DNAT & Virtual IP.
4. Configure the following settings:

Field                        Value
Name                         Central-DNAT
Interface                    port1
Type                         Static NAT (default setting)
External IP Address/Range    10.200.1.150 - 10.200.1.150
Mapped IP Address/Range      10.0.1.10

5. Click OK.

Verify the Firewall Policy Settings

Now, you will verify the firewall policy settings for the egress-to-ingress firewall policy.

To verify the firewall policy settings


1. Continuing on the Local-FortiGate GUI, click Policy & Objects > IPv4 Policy.
2. Right-click the ID column of the Web-Server-Access firewall policy, and then click Edit.
3. Review the settings of the firewall policy.
4. Try to select the DNAT & Virtual IPs address as the firewall policy's destination address.
You will not be able to do so.

In central NAT, you can't select a previously created VIP as the destination address in a firewall policy.
As soon as a VIP object is created, FortiGate automatically creates a rule in the kernel
for DNAT to occur.

5. Scroll to the bottom of the page and ensure the Enable this policy switch is turned on.

6. Click OK.

Testing DNAT and VIPs

In this procedure, you will test DNAT and VIPs by accessing the Local-Windows VM.

To test DNAT and VIPs


1. On the Remote-Windows VM, open a web browser and access the following URL:

http://10.200.1.150

If the VIP operation is successful, a simple web page opens.

2. Return to the Local-Windows VM.


3. Open PuTTY and connect over SSH to the LOCAL-FORTIGATE saved session.
4. At the login prompt, enter the user name admin and password password.
5. Run the following command to check the destination NAT entries in the session table:

get system session list

Sample output:
Local-FortiGate # get system session list
PROTO EXPIRE    SOURCE    SOURCE-NAT  DESTINATION    DESTINATION-NAT

tcp   3599  10.200.3.1:49183 10.200.1.100 10.200.1.150:80  10.0.1.10:80

6. Open additional web browser tabs and try to access a few websites. For example:
- www.fortinet.com
- www.yahoo.com
- www.bbc.com
7. Return to the Local-FortiGate PuTTY session and verify the SNAT IP address those sessions are using:

get system session list

Sample output:

Notice that the session originating from source IP 10.0.1.10 is translated to 10.200.1.150 (VIP) as
opposed to the central SNAT policy pool IP of 10.200.1.100. This is expected behavior in central NAT.

If both the SNAT and DNAT are defined, the egress traffic will source NAT to the
DNAT/VIP address, as opposed to the configured source SNAT policy.

8. Close PuTTY.
9. Close all browser tabs except the Local-FortiGate GUI.
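The central SNAT behaviour tested in Exercise 3 (top-to-bottom evaluation, a granular TCP rule above an any/any rule, unmatched traffic dropped) and the Exercise 4 note that a static-NAT VIP wins over the central SNAT pool can be modelled so the expected translations are checked before touching the device. The following Python is an added example, not FortiGate code or the lab's own: the REMOTE_FORTIGATE address object is assumed to be 10.200.3.1/32, the website address 198.51.100.10 is constructed, and the Protocol field is reduced to tcp, icmp or any.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional

ANY = "any"


@dataclass
class CentralSnatPolicy:
    in_intf: str    # interface name or "any"
    out_intf: str   # interface name or "any"
    dst: str        # "all" or the CIDR behind the destination address object
    protocol: str   # "tcp", "icmp" or "any" (simplified model of the Protocol field)
    pool_ip: str    # overload IP pool address used for the translation


@dataclass
class Flow:
    in_intf: str
    out_intf: str
    src_ip: str
    dst_ip: str
    protocol: str


def matches(policy: CentralSnatPolicy, flow: Flow) -> bool:
    """Match a flow against one central SNAT policy's interface, destination and protocol."""
    if policy.in_intf not in (ANY, flow.in_intf):
        return False
    if policy.out_intf not in (ANY, flow.out_intf):
        return False
    if policy.dst != "all" and ip_address(flow.dst_ip) not in ip_network(policy.dst):
        return False
    return policy.protocol in (ANY, flow.protocol)


def source_nat(policies: List[CentralSnatPolicy], flow: Flow,
               vips: Optional[Dict[str, str]] = None) -> Optional[str]:
    """Translated source address for flow, or None when FortiGate drops it because
    no central SNAT policy matches. Policies are evaluated top to bottom and the
    first match wins; a static-NAT VIP mapped to the source (internal -> external)
    overrides the matched policy's pool, as Exercise 4 shows."""
    for policy in policies:
        if matches(policy, flow):
            return (vips or {}).get(flow.src_ip, policy.pool_ip)
    return None


# The two policies built in Exercise 3, in the order left after the reorder step.
# Assumption: REMOTE_FORTIGATE is the single address 10.200.3.1/32.
GRANULAR = CentralSnatPolicy("port3", "port1", "10.200.3.1/32", "tcp", "10.200.1.50")
CATCH_ALL = CentralSnatPolicy(ANY, ANY, "all", ANY, "10.200.1.100")
LAB_ORDER = [GRANULAR, CATCH_ALL]

# Constructed flows from Local-Windows (10.0.1.10), entering port3 and leaving port1.
TCP_TO_REMOTE = Flow("port3", "port1", "10.0.1.10", "10.200.3.1", "tcp")
PING_TO_REMOTE = Flow("port3", "port1", "10.0.1.10", "10.200.3.1", "icmp")
TCP_TO_WEBSITE = Flow("port3", "port1", "10.0.1.10", "198.51.100.10", "tcp")


def lab_results(policies: List[CentralSnatPolicy]) -> Dict[str, Optional[str]]:
    """Translation each of the three test flows receives under the given policy order."""
    return {name: source_nat(policies, flow) for name, flow in
            [("tcp_remote", TCP_TO_REMOTE), ("icmp_remote", PING_TO_REMOTE),
             ("tcp_web", TCP_TO_WEBSITE)]}


if __name__ == "__main__":
    print(lab_results(LAB_ORDER))               # granular rule on top: tcp_remote -> 10.200.1.50
    print(lab_results([CATCH_ALL, GRANULAR]))   # reversed: the granular rule is shadowed
```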
