FortiGate
Article Id 197302

Description

This article describes how, when a FortiGate unit runs in Transparent mode, firewall policies can be configured to translate the source or destination addresses of packets as they pass through the FortiGate unit.

For more details about Transparent mode, see the FortiGate Transparent Mode Technical Guide for FortiOS 4.0.

Scope

FortiOS v3.0 and v4.0.
Solution

To use NAT firewall policies in NAT/Route mode, it is necessary to have two interfaces on two different networks with two different subnet addresses. The firewall policies translate source or destination addresses for packets as the FortiGate unit relays them from one interface to the other.

A FortiGate unit running in Transparent mode normally has only one IP address, the management IP. To support NAT in Transparent mode, it is possible to add a second management IP. These two management IPs must be on different subnets. FortiGate interfaces will respond to connections to both of these IP addresses.

In the following example, all of the PCs on the internal network (subnet address 192.168.1.0/24) are configured with 192.168.1.99 as their default route. One of the management IPs of the FortiGate unit is set to 192.168.1.99. This configuration results in a typical Transparent mode firewall. When a user on the internal network attempts to connect to the internet, the default route sends packets destined for the internet to the FortiGate unit's internal interface.

On the DMZ network (subnet address 10.1.1.0/24) all of the PCs have a default route of 10.1.1.99.

This example describes adding an Internal to WAN1 firewall policy that relays these packets from the Internal interface to the WAN1 interface and on to the Internet.

Because the WAN1 interface does not have an IP address of its own, it is necessary to add an IP pool to the WAN1 interface that translates the outgoing packets' source addresses to an IP address on the network connected to the WAN1 interface.

The steps below describe adding an IP pool with a single IP address of 10.1.1.201. All packets sent by a PC on the internal network that the Internal to WAN1 policy accepts leave the WAN1 interface with their source address translated to 10.1.1.201. These packets can now travel across the Internet to their destination.

Reply packets return to the WAN1 interface because they have a destination address of 10.1.1.201. The internal to WAN1 NAT policy translates the destination address of these return packets to the IP address of the originating PC and sends them out the internal interface to the originating PC.

Configuring NAT in Transparent mode requires three steps:

  • Adding two management IPs.
  • Adding an IP pool to the WAN1 interface.
  • Adding an Internal to WAN1 firewall policy.

Adding two management IPs.

First, add two management IPs. The second management IP is the default gateway for the internal network.

config system settings
    set manageip 10.1.1.99/24 192.168.1.99/24
end

Adding an IP pool to the wan1 interface.

Add an IP pool to the WAN1 interface:

config firewall ippool
    edit nat-out
        set interface "wan1"
        set startip 10.1.1.201
        set endip 10.1.1.201
    next
end

Adding an internal to wan1 firewall policy.

Add an Internal to WAN1 firewall policy with NAT enabled that also includes an IP pool:

config firewall policy
    edit 1
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ANY"
        set nat enable
        set ippool enable
        set poolname nat-out
    next
end

Note: It is possible to add the firewall policy from the web-based manager and then use the CLI to enable NAT and add the IP Pool.
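As an added example (not part of this article or of FortiOS), the following Python check ties the three steps together: it reads the CLI blocks above and verifies that the two management IPs sit on different subnets, that the policy enables both nat and ippool, and that the pool it names exists, is bound to the policy's dstintf and lies on one of the management IP subnets. The minimal CLI parser and the sample text are constructed here; the key names are the ones used in the article.

```python
import ipaddress

# Constructed sample: this article's three CLI blocks, trimmed to the keys the check looks at.
SAMPLE = """config system settings
    set manageip 10.1.1.99/24 192.168.1.99/24
end
config firewall ippool
    edit nat-out
        set interface "wan1"
        set startip 10.1.1.201
        set endip 10.1.1.201
    next
end
config firewall policy
    edit 1
        set dstintf "wan1"
        set nat enable
        set ippool enable
        set poolname nat-out
    next
end"""

def parse(text):
    """Tiny FortiOS CLI reader -> {section: {entry: {key: [values]}}}; top-level 'set' lines use entry None."""
    tree, section, entry = {}, None, None
    for tok in (l.split() for l in text.splitlines() if l.strip()):
        if tok[0] == "config":
            section, entry = " ".join(tok[1:]), None
        elif tok[0] in ("edit", "next", "end"):  # enter an entry, leave it, or leave the section
            entry = tok[1].strip('"') if tok[0] == "edit" else None
        elif tok[0] == "set":
            tree.setdefault(section, {}).setdefault(entry, {})[tok[1]] = [t.strip('"') for t in tok[2:]]
    return tree

def check_transparent_nat(text):
    """List the problems in a Transparent-mode NAT config; an empty list means the three steps fit together."""
    cfg = parse(text)
    nets = [ipaddress.ip_interface(m).network for m in cfg.get("system settings", {}).get(None, {}).get("manageip", [])]
    problems = ["need two management IPs on different subnets"] if len(set(nets)) < 2 else []
    for pid, pol in cfg.get("firewall policy", {}).items():
        pool = cfg.get("firewall ippool", {}).get(pol.get("poolname", [""])[0])
        rules = [(pol.get("nat") == ["enable"] and pol.get("ippool") == ["enable"], "nat and ippool must both be enabled"),
                 (pool is not None, "poolname does not name an existing IP pool"),
                 (pool is None or pool.get("interface") == pol.get("dstintf"), "pool interface must match dstintf"),
                 (pool is None or all(any(ipaddress.ip_address(pool[k][0]) in n for n in nets) for k in ("startip", "endip")),
                  "pool addresses must sit on the management IP subnet connected to dstintf")]
        problems += [f"policy {pid}: {msg}" for ok, msg in rules if not ok]
    return problems
```

Run `check_transparent_nat(SAMPLE)` on the article's configuration and it returns an empty list; a pool address outside both management subnets, or a policy with NAT but no IP pool, is reported by name.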
