Allowing Internet access to a web server on a protected network when you have an IP address for the web server

Problem
You want to allow users on the Internet to access a web server on your internal network. You have an Internet address for the web server (172.20.120.11) that is different than the Internet address of the FortiGate wan1 interface (172.20.120.14).
Solution
In this DNAT example, to allow connections to the web server, you must configure the FortiGate unit to accept HTTP sessions with a destination address 172.20.120.11 and translate this destination IP address to 192.168.1.110 before forwarding the session to the web server.
1. Go to Firewall Objects > Virtual IP > Virtual IP and select Create New to add a virtual IP that maps the wan1 interface IP address to the web server IP address.
Name: Web Server VIP
External Interface: wan1
Type: Static NAT
External IP Address/Range: 172.20.120.11-172.20.120.11
Mapped IP Address/Range: 192.168.1.110-192.168.1.110
2. Select OK to save the VIP.
3. Go to Policy > Policy > Policy and select Create New to add a policy that allows users on the Internet to access the web server.
Source Interface/Zone: wan1
Source Address: all
Destination Interface/Zone: internal
Destination Address: Web Server VIP
Schedule: always
Service: HTTP
Action: ACCEPT
4. Select OK to save the security policy.
If you select NAT, the source address is changed to the internal interface address. Normally, you would not want to perform source NAT on this policy, since it has the effect of hiding the actual source address of the sessions from the web server.
Results
All HTTP packets accepted by this security policy have their destination IP addresses translated from 172.20.120.11 to 192.168.1.110 before being forwarded to the Internal network where they are received by the web server. The source IP address and source port are not changed.
Test destination NAT by browsing to http://172.20.120.11 from the Internet. The session passes through the FortiGate unit to the web server which sends a response. Use the following packet sniffer command to see the results.
diagnose sniffer packet any 'port 80' 4
interfaces=[any]
filters=[port 80]
3.454327 wan1 in 172.20.120.12.51526 -> 172.20.120.11.80: syn 3420016827
3.458908 internal out 172.20.120.12.51526 -> 192.168.1.110.80: syn 3420016827
3.459044 internal in 192.168.1.110.80 -> 172.20.120.12.51526: syn 3323826862 ack 3420016828
3.468915 wan1 out 172.20.120.11.80 -> 172.20.120.12.51526: syn 3323826862 ack 3420016828
3.469133 wan1 in 172.20.120.12.51526 -> 172.20.120.11.80: ack 3323826863
3.469260 internal out 172.20.120.12.51526 -> 192.168.1.110.80: ack 3323826863
3.470322 internal in 192.168.1.110.80 -> 172.20.120.12.51526: psh 3323826863 ack 3420017308
3.470453 wan1 out 172.20.120.11.80 -> 172.20.120.12.51526: psh 3323826863 ack 3420017308
The first output line shows a packet from a client device with IP address 172.20.120.12 was received by the wan1 interface with destination address 172.20.120.11 and destination port 80.
The second output line shows that when the packet exits the internal interface the destination address is changed to 192.168.1.110 and the destination port is still 80.
The third output line shows the response from the web server.
The fourth output line shows the response from the web server being returned to the client device. The source address has been changed back to 172.20.120.11.
The source port is not changed.
Go to Policy > Policy > Policy and check the Count column for the security policy you added to verify that it is processing traffic.
Go to Policy > Monitor > Session Monitor to view the sessions being processed by the FortiGate unit. You can also see results by going to Policy > Monitor > Policy Monitor to view a graph of active sessions for each policy. Since there is only one policy, that graph contains only one entry. You can select the bar graph from the policy to view the top sessions by source address, destination address, or destination port/service.
The Top Sessions dashboard widget presents another view of sessions that you can also drill down into to get more info about current sessions. Other dashboard widgets display session history, traffic history, and per-IP bandwidth usage.
Allowing the web server to connect to the Internet
You can add the following security policy to allow sessions from the web server to connect to the Internet. (The web server might need to contact servers on the Internet for software updates, etc.)
Source Interface/Zone: internal
Source Address: all
Destination Interface/Zone: wan1
Destination Address: all
Schedule: always
Service: ANY
Action: ACCEPT
Select Enable NAT and Use Destination Interface Address.
All sessions from the web server to the Internet that are accepted by this security policy have their source addresses translated to 172.20.120.14, the wan1 interface IP address. Start a connection from the web server to the Internet and use the following packet sniffer command to see the results:
diagnose sniffer packet any 'port 80' 4 6
interfaces=[any]
filters=[port 80]
16.796304 internal in 192.168.1.110.2703 -> 172.20.120.101.80: syn 2181076939
16.798962 wan1 out 172.20.120.14.55811 -> 172.20.120.101.80: syn 2181076939
16.799160 wan1 in 172.20.120.101.80 -> 172.20.120.14.55811: syn 1829260053 ack 2181076940
16.799335 internal out 172.20.120.101.80 -> 192.168.1.110.2703: syn 1829260053 ack 2181076940
16.799493 internal in 192.168.1.110.2703 -> 172.20.120.101.80: ack 1829260054
16.799594 wan1 out 172.20.120.14.55811 -> 172.20.120.101.80: ack 1829260054
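The two sniffer captures above are easy to misread by eye, so the following is an added example (not part of the original recipe and not Fortinet code) that parses verbosity-4 sniffer lines and checks the translation invariants the page describes: on the inbound VIP policy only the destination address changes and the source address and port are preserved; on the outbound NAT policy the source address becomes the wan1 address (the source port may be reallocated) and the destination is untouched. It also runs the check over a constructed trace in which source NAT was wrongly enabled on the inbound policy; the internal interface address 192.168.1.99 used there is a placeholder, since the page never states it. The regular expression assumes the single-space line layout shown in the captures.

```python
import re
from dataclasses import dataclass

# Sniffer lines copied from the two captures on the page. The header lines
# (interfaces=..., filters=...) are kept to show that the parser skips them.
INBOUND_TRACE = """\
interfaces=[any]
filters=[port 80]
3.454327 wan1 in 172.20.120.12.51526 -> 172.20.120.11.80: syn 3420016827
3.458908 internal out 172.20.120.12.51526 -> 192.168.1.110.80: syn 3420016827
3.459044 internal in 192.168.1.110.80 -> 172.20.120.12.51526: syn 3323826862 ack 3420016828
3.468915 wan1 out 172.20.120.11.80 -> 172.20.120.12.51526: syn 3323826862 ack 3420016828
3.469133 wan1 in 172.20.120.12.51526 -> 172.20.120.11.80: ack 3323826863
3.469260 internal out 172.20.120.12.51526 -> 192.168.1.110.80: ack 3323826863
"""

OUTBOUND_TRACE = """\
16.796304 internal in 192.168.1.110.2703 -> 172.20.120.101.80: syn 2181076939
16.798962 wan1 out 172.20.120.14.55811 -> 172.20.120.101.80: syn 2181076939
16.799160 wan1 in 172.20.120.101.80 -> 172.20.120.14.55811: syn 1829260053 ack 2181076940
16.799335 internal out 172.20.120.101.80 -> 192.168.1.110.2703: syn 1829260053 ack 2181076940
"""

# Constructed, not from the page: the inbound SYN as it would appear if NAT had
# also been enabled on the inbound policy. 192.168.1.99 is a placeholder for the
# internal interface address, which the page does not state.
SOURCE_NATTED_TRACE = """\
3.454327 wan1 in 172.20.120.12.51526 -> 172.20.120.11.80: syn 3420016827
3.458908 internal out 192.168.1.99.51526 -> 192.168.1.110.80: syn 3420016827
"""

# One verbosity-4 packet line: timestamp, interface, direction, src.port -> dst.port: tcp info
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+) (?P<intf>\S+) (?P<dir>in|out) "
    r"(?P<src>[\d.]+)\.(?P<sport>\d+) -> (?P<dst>[\d.]+)\.(?P<dport>\d+): (?P<tcp>.+)$"
)


@dataclass(frozen=True)
class Packet:
    intf: str
    direction: str
    src: str
    sport: int
    dst: str
    dport: int
    tcp: str  # flags plus sequence/ack numbers, e.g. "syn 3420016827"


def parse_trace(text):
    """Parse 'diagnose sniffer packet' lines; lines that are not packets are skipped."""
    packets = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            packets.append(Packet(m["intf"], m["dir"], m["src"], int(m["sport"]),
                                  m["dst"], int(m["dport"]), m["tcp"]))
    return packets


def pair_hops(packets):
    """Pair each 'in' packet with the 'out' packet that immediately follows it.
    The FortiGate does not rewrite TCP sequence numbers, so the tcp text must match."""
    hops = []
    for pin, pout in zip(packets, packets[1:]):
        if pin.direction == "in" and pout.direction == "out" and pin.tcp == pout.tcp:
            hops.append((pin, pout))
    return hops


def check_dnat(hops, external_ip, mapped_ip, ext_intf="wan1", int_intf="internal"):
    """Static-NAT VIP invariants: inbound, only the destination address changes
    (external_ip -> mapped_ip); source address and both ports are untouched.
    Replies are the mirror image. Returns a list of violations (empty = OK)."""
    problems = []
    for pin, pout in hops:
        if (pin.intf, pout.intf) == (ext_intf, int_intf):  # client -> web server
            if pin.dst != external_ip or pout.dst != mapped_ip:
                problems.append(f"destination not translated {external_ip}->{mapped_ip}: {pin.tcp}")
            if (pin.src, pin.sport) != (pout.src, pout.sport):
                problems.append(f"source rewritten to {pout.src}:{pout.sport} (NAT enabled on the inbound policy?)")
            if pin.dport != pout.dport:
                problems.append(f"destination port changed {pin.dport}->{pout.dport}")
        elif (pin.intf, pout.intf) == (int_intf, ext_intf):  # web server -> client
            if pin.src != mapped_ip or pout.src != external_ip:
                problems.append(f"reply source not restored to {external_ip}: {pin.tcp}")
            if (pin.dst, pin.dport) != (pout.dst, pout.dport):
                problems.append(f"reply destination changed: {pin.tcp}")
    return problems


def check_snat(hops, server_ip, wan_ip, ext_intf="wan1", int_intf="internal"):
    """Outbound policy with NAT enabled: source address becomes wan_ip (the source
    port may be reallocated), destination untouched; replies are mapped back."""
    problems = []
    for pin, pout in hops:
        if (pin.intf, pout.intf) == (int_intf, ext_intf):  # web server -> Internet
            if pin.src != server_ip or pout.src != wan_ip:
                problems.append(f"source not translated {server_ip}->{wan_ip}: {pin.tcp}")
            if (pin.dst, pin.dport) != (pout.dst, pout.dport):
                problems.append(f"destination changed on outbound hop: {pin.tcp}")
        elif (pin.intf, pout.intf) == (ext_intf, int_intf):  # Internet -> web server
            if pin.dst != wan_ip or pout.dst != server_ip:
                problems.append(f"reply not mapped back to {server_ip}: {pin.tcp}")
            if (pin.src, pin.sport) != (pout.src, pout.sport):
                problems.append(f"reply source changed: {pin.tcp}")
    return problems


if __name__ == "__main__":
    print("inbound DNAT :", check_dnat(pair_hops(parse_trace(INBOUND_TRACE)), "172.20.120.11", "192.168.1.110"))
    print("outbound SNAT:", check_snat(pair_hops(parse_trace(OUTBOUND_TRACE)), "192.168.1.110", "172.20.120.14"))
    print("bad inbound  :", check_dnat(pair_hops(parse_trace(SOURCE_NATTED_TRACE)), "172.20.120.11", "192.168.1.110"))
```

Both page captures pass with an empty violation list, while the constructed trace is flagged with a "source rewritten" violation, which is the symptom you would see on the web server's access logs if NAT were left enabled on the inbound policy.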