
How to Create Inbound and Outbound One-to-One Static NAT Rules in FortiGate

Creating inbound and outbound one-to-one static NAT rules on a FortiGate firewall involves several steps: a Virtual IP (VIP) and a matching inbound policy to publish an internal server on a public address, and an IP pool with a matching outbound policy so that the server's outbound traffic leaves from that same public address. The guide below walks through each step in the order it should be applied.

Step 1: Create a Virtual IP for Inbound NAT

  1. Access the FortiGate Interface:

    • Log into your FortiGate firewall management interface.
  2. Navigate to Virtual IPs:

    • Go to Policy & Objects > Virtual IPs.
  3. Create a New Virtual IP:

    • Click on Create New > Virtual IP (VIP).
    • Fill in the following fields:
      • Name: Enter a descriptive name for the VIP (e.g., WebServer_VIP).
      • Interface: Select the external WAN interface where the public IP is connected.
      • Type: Ensure it is set to Static NAT.
      • External IP Address/Range: Enter the public IP address you want to map.
      • Mapped IP Address/Range: Enter the internal private IP address of the server you want to expose.
      • Leave optional filters off unless specific port forwarding is required.
  4. Save the Configuration:

    • Click on OK to save your new Virtual IP configuration.

Step 2: Create an Inbound Policy

  1. Navigate to IPv4 Policy:

    • Go to Policy & Objects > IPv4 Policy.
  2. Create a New Policy or Edit Existing One:

    • Click on Create New, or right-click an existing policy and select “Insert Above/Below”.
  3. Configure Policy Settings:

    • Fill in these fields:
      • Name: Provide a descriptive name for this policy (e.g., Inbound_WebServer_Policy).
      • Incoming Interface: Select the external WAN interface.
      • Outgoing Interface: Select the internal LAN or DMZ interface where your server resides.
      • Source Address: Set this to Any or specify particular source addresses as needed.
      • Destination Address: Select the VIP created in Step 1.
      • Schedule, Service, and Action should be set as follows:
        • Schedule = Always
        • Service = All (or specify services if needed)
        • Action = ACCEPT
  4. Disable NAT Option for This Policy:

    • Ensure that NAT is turned OFF. The VIP already performs the destination translation; enabling NAT on this policy would additionally rewrite the source address of inbound sessions to the internal interface IP, so the server would no longer see the real client address in its logs and access controls.
  5. Enable Logging Options (Optional):

    • You can enable logging for allowed traffic if desired.
  6. Save Your Policy Configuration:

    • Click on OK to save your new inbound policy.
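For administrators who prefer the CLI, the following is the FortiOS command-line equivalent of Steps 1 and 2. It is an added example, not configuration taken from this page or from Fortinet's documentation, and it assumes constructed placeholder values: the WAN interface is named wan1, the server's interface is named dmz, the public address is 203.0.113.10 and the internal server is 192.168.10.20. Lines beginning with # are comments for the reader.

```fortios
# Step 1: static one-to-one VIP mapping the public address to the internal server.
# "type static-nat" is the default, so it is not set explicitly.
config firewall vip
    edit "WebServer_VIP"
        set extintf "wan1"
        set extip 203.0.113.10
        set mappedip "192.168.10.20"
    next
end

# Step 2: inbound policy from wan1 to dmz whose destination is the VIP.
# "set nat disable" keeps the client's real source address intact.
# "edit 0" lets FortiOS assign the next free policy ID.
config firewall policy
    edit 0
        set name "Inbound_WebServer_Policy"
        set srcintf "wan1"
        set dstintf "dmz"
        set srcaddr "all"
        set dstaddr "WebServer_VIP"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat disable
        set logtraffic all
    next
end
```

After applying the policy, `diagnose sys session filter dst 192.168.10.20` followed by `diagnose sys session list` shows whether inbound connections are being translated to the internal address; each matching session should list the original client address as its source, confirming that NAT was left off. Restricting `set service` from ALL to the specific service the server publishes is the usual hardening step once connectivity is verified.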

Step 3: Create Outbound Static NAT Rule

A. Create Addresses for Internal and External Devices

  1. Navigate to Addresses under Policy & Objects.
  2. Click on Create New > Address.
  3. For Internal Device:
    • Name it descriptively (e.g., Internal_Server_IP).
    • Type = Subnet, enter the internal device’s single IP address, and leave other settings as default.
  4. For External Device Pool:
    • Go to IP Pools under Policy & Objects.
    • Click on Create New > Dynamic IP Pool.
    • Name it descriptively (e.g., Outbound_NAT_Pool).
    • Type = One-to-One, enter one public IP address in both fields, and ensure ARP Reply is checked.

B. Create an Outbound Policy

  1. Navigate back to IPv4 Policy under Policy & Objects.

  2. Click on Create New or edit an existing policy as before.

  3. Configure this policy with these settings:

    • Name it descriptively (e.g., Outbound_NAT_Policy).
    • Incoming Interface = Any or select your internal VLAN interface.
    • Outgoing Interface = Any or select your external WAN interface.
    • Source Address = Select the internal hostname/IP created earlier.
    • Destination Address = Leave blank for all destinations.
  4. Set Schedule, Service, and Action as follows:

    • Schedule = Always
    • Service = All (or specify services if needed)
    • Action = ACCEPT
  5. Enable NAT by ensuring that it’s turned ON and select your dynamic pool from earlier.

  6. Save Your Outbound Policy Configuration by clicking OK.
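The CLI equivalent of Step 3 (address object, one-to-one IP pool and outbound policy) follows. It is an added example rather than configuration from this page or from Fortinet, and it reuses the same constructed placeholders as the inbound example: interfaces dmz and wan1, internal server 192.168.10.20, and public address 203.0.113.10. It assumes the pool uses the same public address as the VIP, so the server is reached on and appears as one address in both directions. Lines beginning with # are comments for the reader.

```fortios
# Step 3A: a /32 address object for the internal server.
config firewall address
    edit "Internal_Server_IP"
        set subnet 192.168.10.20 255.255.255.255
    next
end

# Step 3A: one-to-one IP pool holding a single public address.
# startip and endip are identical; arp-reply makes the FortiGate answer ARP for it.
config firewall ippool
    edit "Outbound_NAT_Pool"
        set type one-to-one
        set startip 203.0.113.10
        set endip 203.0.113.10
        set arp-reply enable
    next
end

# Step 3B: outbound policy that source-NATs the server to the pool address.
# Interfaces are pinned to dmz and wan1 rather than "any" so only this path is translated.
config firewall policy
    edit 0
        set name "Outbound_NAT_Policy"
        set srcintf "dmz"
        set dstintf "wan1"
        set srcaddr "Internal_Server_IP"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
        set ippool enable
        set poolname "Outbound_NAT_Pool"
        set logtraffic all
    next
end
```

To confirm the translation, run `diagnose sys session filter src 192.168.10.20` and then `diagnose sys session list` while the server makes an outbound connection; the session's NAT entry should show 203.0.113.10 as the translated source. Because the outbound policy is the first one the server's traffic matches, keep it above any broader outbound policy that uses the interface address for NAT, or the one-to-one mapping will not take effect.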

Conclusion

By following these steps, you will have successfully configured inbound and outbound one-to-one static NAT rules on your FortiGate firewall, allowing external access to internal resources while controlling how outbound traffic appears externally.
