Providing Internet access for your private network users (static source NAT)

Problem
How to configure static source address translation (or static SNAT) to allow users on a private internal network to connect to the Internet.
The NAT requirement is to translate the source address of packets from the private network. Packets from the private network have a private source address. For communication with an Internet site the private source address must be translated to a public source address so that response packets can be routed on the Internet.
Solution
Static source address translation (or static SNAT) is most often used to allow users on an internal network to connect to the Internet. Static SNAT translates the source addresses of all outgoing packets to the IP address of the external interface. To keep track of individual sessions, the FortiGate unit also translates the source port of all packets. This type of NAT is also called port address translation (PAT), network address and port translation (NAPT), IP masquerading, NAT overload, and many-to-one NAT.
1. Go to Policy > Policy > Policy and select Create New to add the following security policy, which allows users on the private network to access the Internet.

Source Interface/Zone: internal
Source Address: all
Destination Interface/Zone: wan1
Destination Address: all
Schedule: always
Service: ANY
Action: ACCEPT

2. Select Enable NAT and Use Destination Interface Address.
3. Select OK to save the security policy.
Results
All packets accepted by this security policy have their source IP addresses translated from a private IP address on the 192.168.1.0 network to the IP address of the wan1 interface (172.20.120.14). The source port is also translated, to a random source port. The destination IP address and destination port are not changed.
Test source NAT by browsing a website on the Internet from a device on the internal network. Use the following packet sniffer command to see the results.
diagnose sniffer packet any 'port 80' 4 4
interfaces=[any]
filters=[port 80]
7.863458 internal in 192.168.1.110.3444 -> 172.20.120.101.80: syn 2322143869
7.872937 wan1 out 172.20.120.14.36344 -> 172.20.120.101.80: syn 2322143869
7.873146 wan1 in 172.20.120.101.80 -> 172.20.120.14.36344: syn 593799196 ack 2322143870
7.873325 internal out 172.20.120.101.80 -> 192.168.1.110.3444: syn 593799196 ack 2322143870
The first output line shows a packet received by the internal interface with source address 192.168.1.110.
The second output line shows that when the packet exits the wan1 interface the source address is changed to 172.20.120.14.
The third output line shows that when the response packet is received by the wan1 interface the destination address is still 172.20.120.14.
The fourth output line shows that when the response packet exits the internal interface to return to the source, its destination address has changed to 192.168.1.110.
Notice also in this example, the source port is translated from 3444 to 36344 and then back to 3444.
Whatever the private source IP, the source IP of every outgoing packet is always translated to 172.20.120.14.
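The check described above can be done mechanically. The following Python script is an added example, not part of the original recipe or of FortiOS: it parses verbosity-4 sniffer lines into packets, correlates the packet entering internal with its copy leaving wan1 by the TCP information the sniffer prints, and confirms the many-to-one NAT binding (private address and port to interface address and a new port) as well as the reverse mapping on the reply. The interface names and the wan1 address are the ones used in this recipe; the sample lines are the four captured above, embedded as constructed input.

```python
import re

# Constructed sample: the four sniffer lines shown in this recipe, as printed by
# "diagnose sniffer packet any 'port 80' 4 4" on the FortiGate.
SNIFFER_OUTPUT = """\
7.863458 internal in 192.168.1.110.3444 -> 172.20.120.101.80: syn 2322143869
7.872937 wan1 out 172.20.120.14.36344 -> 172.20.120.101.80: syn 2322143869
7.873146 wan1 in 172.20.120.101.80 -> 172.20.120.14.36344: syn 593799196 ack 2322143870
7.873325 internal out 172.20.120.101.80 -> 192.168.1.110.3444: syn 593799196 ack 2322143870
"""

# One verbosity-4 line: "<time> <iface> <in|out> <src>.<sport> -> <dst>.<dport>: <tcp info>"
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+) (?P<iface>\S+) (?P<dir>in|out) "
    r"(?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) -> "
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+): (?P<info>.*)$")


def parse_sniffer(text):
    """Turn sniffer output into a list of packet dicts; non-matching lines are skipped."""
    pkts = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            p = m.groupdict()
            p["sport"], p["dport"] = int(p["sport"]), int(p["dport"])
            pkts.append(p)
    return pkts


def check_snat(pkts, inside_if, outside_if, outside_ip):
    """Confirm static SNAT (many-to-one NAT with port translation) on one session.
    Only the source address/port may change on the way out, and the reply must be
    mapped back to the original private address and port. Returns the binding."""
    by_key = lambda iface, d: [p for p in pkts if p["iface"] == iface and p["dir"] == d]
    for orig in by_key(inside_if, "in"):
        xlat = next((p for p in by_key(outside_if, "out") if p["info"] == orig["info"]), None)
        if xlat is None:
            raise ValueError("no translated copy of %s:%d on %s" % (orig["src"], orig["sport"], outside_if))
        if xlat["src"] != outside_ip or (xlat["dst"], xlat["dport"]) != (orig["dst"], orig["dport"]):
            raise ValueError("source not rewritten to %s, or destination changed" % outside_ip)
        reply_out = next((p for p in by_key(outside_if, "in") if (p["dst"], p["dport"]) == (outside_ip, xlat["sport"])), None)
        reply_in = next((p for p in by_key(inside_if, "out") if (p["dst"], p["dport"]) == (orig["src"], orig["sport"])), None)
        if reply_out is None or reply_in is None or reply_out["info"] != reply_in["info"]:
            raise ValueError("reply not mapped back to %s:%d" % (orig["src"], orig["sport"]))
        return {"private": (orig["src"], orig["sport"]), "public": (outside_ip, xlat["sport"]),
                "port_translated": xlat["sport"] != orig["sport"]}
    raise ValueError("no packets entered %s" % inside_if)


# Run the check on the captured session from this recipe.
NAT_BINDING = check_snat(parse_sniffer(SNIFFER_OUTPUT), "internal", "wan1", "172.20.120.14")
```

To check a different capture, paste its sniffer lines into SNIFFER_OUTPUT and pass your own interface names and external address; a ValueError names the first packet that breaks the expected translation.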
Go to Policy > Policy > Policy and check the Count column for the security policy you added to verify that it is processing traffic.
Go to Policy > Monitor > Session Monitor to view the sessions being processed by the FortiGate unit. You can also see results by going to Policy > Monitor > Policy Monitor to view a graph of active sessions for each policy. Since there is only one policy, that graph contains only one entry. You can select the bar graph for the policy to view the top sessions by source address, destination address, or destination port/service.
The Top Sessions dashboard widget presents another view of sessions that you can also drill down into to get more info about current sessions. Other dashboard widgets display session history, traffic history, and per-IP bandwidth usage.