Powered by Blogger.

Providing Internet access for your private network users (static source NAT)

How to configure static source address translation (or static SNAT) to allow users on a private internal network to connect to the Internet.
The NAT requirement is to translate the source address of packets from the private network. Packets from the private network have a private source address. For communication with an Internet site the private source address must be translated to a public source address so that response packets can be routed on the Internet.
Static source address translation (or static SNAT) is most often used to allow users on an internal network to connect to the Internet. Static SNAT translates the source addresses of all outgoing packets to the IP address of the external interface. To keep track of individual sessions, the FortiGate unit also translates the source port of all packets. This type of NAT is also called port address translation (PAT), network address and port translation (NAPT), IP masquerading, NAT overload, and many-to-one NAT.
1Go to Policy > Policy > Policy and select Create New to add the following security policy that allows users on the private network to access the Internet.
Source Interface/Zone
Source Address
Destination Interface/Zone
Destination Address
2Select Enable NAT and Use Destination Interface Address.
3Select OK to save the security policy.
All packets accepted by this security policy have their source IP addresses translated from a private IP address on the network to the IP address of the wan1 interface ( As well, the source port is translated to a random source port. The destination IP address and destination port are not changed.
Test source NAT by browsing a website on the Internet from a device on the internal network. Use the following packet sniffer command to see the results.
diagnose sniffer packet any 'port 80' 4 4
filters=[port 80]
7.863458 internal in -> syn 2322143869
7.872937 wan1 out -> syn 2322143869
7.873146 wan1 in -> syn 593799196 ack 2322143870
7.873325 internal out -> syn 593799196 ack 2322143870
The first output line shows a packet was received by the Internal interface with source address 192.168.110.
The second output line shows that when the packet exits the wan1 interface the source address is changed to
The third output line shows that when the response packet is received by the wan1 interface the destination address is still
The fourth output line shows that when the response packet exits the internal interface to return to the source, its destination address has changed to
Notice also in this example, the source port is translated from 3444 to 36344 and then back to 3444.
The source IP of all packets from any source IP is always translated to
Go to Policy > Policy > Policy and check the Count column for the security policy you added to verify that it is processing traffic.
Go to Policy > Monitor > Session Monitor to view the sessions being processed by the FortiGate unit. You can also see results by going to Policy > Monitor > Policy Monitor to view a graph of active sessions for each policy. Since there is only one policy, that graph contains only one entry. You can select the bar graph for the policy to view the top sessions by source address, destination address, or destination port/service.
The Top Sessions dashboard widget presents another view of sessions that you can also drill down into to get more info about current sessions. Other dashboard widgets display session history, traffic history, and per-IP bandwidth usage.
    Blogger Comment
    Facebook Comment