How to Create Inbound and Outbound One-to-One Static NAT Rules in FortiGate
Creating inbound and outbound one-to-one static NAT rules in a FortiGate firewall involves several steps. Below is a guide that walks through the process step by step.
Step 1: Create a Virtual IP for Inbound NAT
- Access the FortiGate Interface: Log into your FortiGate firewall management interface.
- Navigate to Virtual IPs: Go to Policy & Objects > Virtual IPs.
- Create a New Virtual IP: Click Create New > Virtual IP (VIP) and fill in the following fields:
  - Name: Enter a descriptive name for the VIP (e.g., WebServer_VIP).
  - Interface: Select the external WAN interface where the public IP is connected.
  - Type: Ensure it is set to Static NAT.
  - External IP Address/Range: Enter the public IP address you want to map.
  - Mapped IP Address/Range: Enter the internal private IP address of the server you want to expose.
  - Leave the optional filters off unless specific port forwarding is required.
- Save the Configuration: Click OK to save your new Virtual IP configuration.
Step 2: Create an Inbound Policy
- Navigate to IPv4 Policy: Go to Policy & Objects > IPv4 Policy.
- Create a New Policy or Edit an Existing One: Click Create New, or right-click an existing policy and select “Insert Above/Below”.
- Configure Policy Settings: Fill in these fields:
  - Name: Provide a descriptive name for this policy (e.g., Inbound_WebServer_Policy).
  - Incoming Interface: Select the external WAN interface.
  - Outgoing Interface: Select the internal LAN or DMZ interface where your server resides.
  - Source Address: Set this to Any, or specify particular source addresses as needed.
  - Destination Address: Select the VIP created in Step 1.
  - Schedule = Always
  - Service = All (or specify services if needed)
  - Action = ACCEPT
- Disable the NAT Option for This Policy: Ensure NAT is turned OFF, since the VIP already performs the static (destination) NAT. Turning NAT on here would additionally source-NAT inbound connections to the internal interface address, so the server would no longer see the real client IP in its logs.
- Enable Logging Options (Optional): You can enable logging for allowed traffic if desired.
- Save Your Policy Configuration: Click OK to save your new inbound policy.
Step 3: Create an Outbound Static NAT Rule
A. Create Addresses for the Internal and External Devices
- Navigate to Addresses under Policy & Objects.
- Click Create New > Address.
- For the Internal Device:
  - Name it descriptively (e.g., Internal_Server_IP).
  - Type = Subnet, enter the internal device’s single IP address (a /32 host address), and leave the other settings at their defaults.
- For the External Device Pool:
  - Go to IP Pools under Policy & Objects.
  - Click Create New > Dynamic IP Pool.
  - Name it descriptively (e.g., Outbound_NAT_Pool).
  - Type = One-to-One, enter one public IP address in both fields, and ensure ARP Reply is checked.
B. Create an Outbound Policy
- Navigate back to IPv4 Policy under Policy & Objects.
- Click Create New or edit an existing policy as before.
- Configure this policy with these settings:
  - Name it descriptively (e.g., Outbound_NAT_Policy).
  - Incoming Interface = Any, or select your internal VLAN interface.
  - Outgoing Interface = Any, or select your external WAN interface.
  - Source Address = Select the internal host address created earlier (Internal_Server_IP).
  - Destination Address = Leave blank for all destinations.
- Set Schedule, Service, and Action as follows:
  - Schedule = Always
  - Service = All (or specify services if needed)
  - Action = ACCEPT
- Enable NAT: Ensure NAT is turned ON and select the dynamic IP pool created earlier (Outbound_NAT_Pool).
- Save Your Outbound Policy Configuration by clicking OK.
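To verify an exported configuration against the two settings that are easiest to get wrong in the steps above (NAT left ON on the inbound VIP policy, and NAT ON without a one-to-one pool on the outbound policy), here is an added Python example; it is not part of this guide or of any Fortinet tooling. The config text, the 203.0.113.x and 192.168.10.10 addresses, and the policy IDs are constructed sample data, and the parser assumes a flat export with no nested sub-tables.

```python
import shlex
# Constructed sample in FortiOS CLI export form (not from the page); policy 1 wrongly has NAT ON.
SAMPLE = """
config firewall vip
    edit "WebServer_VIP"
        set extip 203.0.113.10
        set mappedip "192.168.10.10"
    next
end
config firewall ippool
    edit "Outbound_NAT_Pool"
        set type one-to-one
        set startip 203.0.113.11
        set endip 203.0.113.11
    next
end
config firewall policy
    edit 1
        set name "Inbound_WebServer_Policy"
        set dstaddr "WebServer_VIP"
        set nat enable
    next
    edit 2
        set name "Outbound_NAT_Policy"
        set nat enable
        set ippool enable
        set poolname "Outbound_NAT_Pool"
    next
end
"""
def parse_fortios(text):
    tables, entry = {}, None  # -> {table: {entry: {key: [values]}}}; assumes no nested sub-tables
    for tok in map(shlex.split, text.splitlines()):
        if tok[:1] == ["config"]:
            table = tables.setdefault(" ".join(tok[1:]), {})
        elif tok[:1] == ["edit"]:
            entry = table.setdefault(tok[1], {})
        elif tok[:1] == ["set"]:
            entry[tok[1]] = tok[2:]
    return tables
def check_static_nat(tables):
    """Return findings for the two mistakes the steps above warn about."""
    vips, pools, findings = tables.get("firewall vip", {}), tables.get("firewall ippool", {}), []
    for pid, p in tables.get("firewall policy", {}).items():
        name, nat = p.get("name", [pid])[0], p.get("nat", ["disable"])[0]
        if nat == "enable" and any(a in vips for a in p.get("dstaddr", [])):
            findings.append(f"{name}: NAT is ON on an inbound VIP policy; the VIP already does the static NAT, turn it OFF")
        elif nat == "enable" and pools.get(p.get("poolname", [""])[0], {}).get("type") != ["one-to-one"]:
            findings.append(f"{name}: NAT is ON without a one-to-one IP pool; traffic would use the interface IP")
    return findings
```

Run `check_static_nat(parse_fortios(text))` on the output of `show` from the FortiGate CLI or on a configuration backup; an empty list means both policies match the guidance above.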
Conclusion
By following these steps, you will have successfully configured inbound and outbound one-to-one static NAT rules on your FortiGate firewall, allowing external access to internal resources while controlling how outbound traffic appears externally.