FortiGate - Creating DNAT Rules
  • 25 Sep 2023


Important
On your Firewall's primary IP address (the /31 assigned to your VDOM link interface), port 20443 is used for the HTTPS VDOM user interface. As such, if you NAT port 20443 you will lose access to the WebUI.
Please make sure you don't NAT port 20443 on the primary IP.



When creating a Destination NAT (DNAT) rule, you first need to create a 'Virtual IP'. This is a mapping of a public IP to a private IP.

Virtual IPs can be configured either as a 1-to-1 mapping (public to private) or as a 1-to-many (port forwarding) mapping.

In a port forwarding configuration, you can use a single public IP address to give access to multiple private IP addresses on different ports. In many cases this saves you from having to purchase multiple IP addresses.


Below is a simple example of 1:1 NAT:

27.50.127.2 -> 192.160.0.2 

In 1:1 NAT, every port is translated, so the firewall policy is what restricts access to specific ports.


Below is a simple example of port forwarding:

27.50.123.2:3389 -> 192.168.0.2:3389

27.50.123.2:3390 -> 192.168.0.100:3389

27.50.123.2:3391 -> 192.168.0.250:3389


Configuring Virtual IPs

In this example, we have a public IP address of 27.50.123.2, which is part of one of our existing IP pools.

We also have a server behind our firewall on a private IP address 192.168.0.2. 


The goal of this example DNAT rule is to allow our users to connect via Remote Desktop (RDP) to 192.168.0.2 through the public IP address 27.50.123.2, using a custom RDP port of 29292.

The final NAT rule will simply look like this:

27.50.123.2:29292 -> 192.168.0.2:3389

In other words, when a user enters "27.50.123.2:29292" into their RDP client, the firewall forwards the connection to 192.168.0.2:3389, allowing the user to reach the default RDP port (3389) on our server's private IP (192.168.0.2).


To create a new virtual IP

  1. Navigate to 'Policy & Objects'
  2. Select 'Virtual IPs'
  3. Click '+Create New'


Configure the virtual IP

  1. Enter a name for your virtual IP (DNAT) policy. Make it as descriptive as possible so you can easily identify it later.
  2. Enter the external IP address. This is the IP which external/internet users will access.
  3. Enter the internal/private IP address, which is the final destination of the traffic.
  4. If you're doing port forwarding (not 1:1 NAT), tick 'Port Forwarding' and then choose the protocol of the ports you wish to forward.
  5. Choose the port on the external IP address. In this example we're translating port 29292 to port 3389, so we want 29292 on the public/external side.
  6. Set the port which the service is listening on at the private IP address. In this example we're providing access to Remote Desktop (RDP), which listens on port 3389 by default.
  7. Click OK once you've completed the configuration.
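The GUI steps above map one-to-one onto a `config firewall vip` stanza in the FortiOS CLI. The script below is an added example (not code from the original article or from Fortinet): it holds port-forwarding mappings like the ones shown earlier, renders them as CLI, and checks two things before anything is pasted into the firewall: that no mapping forwards port 20443 on the primary IP (the WebUI lock-out the note at the top warns about), and that no two mappings claim the same external IP, port and protocol. The VIP names, the `"any"` external interface, and the primary IP `198.51.100.1` are assumptions/constructed values; the mapping table values come from the article.

```python
"""Render and sanity-check FortiGate port-forwarding VIPs.

Added example, not from the original article or from Fortinet.
Assumptions: VIP names, extintf "any", and the primary IP used in __main__.
"""
from dataclasses import dataclass

# Port of the HTTPS VDOM web UI on the firewall's primary IP (from the article).
VDOM_WEBUI_PORT = 20443


@dataclass(frozen=True)
class PortForward:
    name: str         # VIP object name; make it descriptive
    ext_ip: str       # public IP that internet users connect to
    ext_port: int     # port on the public IP
    mapped_ip: str    # private IP of the server behind the firewall
    mapped_port: int  # port the service listens on at the private IP
    protocol: str = "tcp"


def check_mappings(mappings, primary_ip):
    """Return a list of problems found (empty list means the set is safe to apply).

    Check 1: never forward the VDOM web UI port on the primary IP.
    Check 2: one external ip:port/protocol may only map to a single server.
    """
    problems = []
    seen = {}  # (ext_ip, ext_port, protocol) -> VIP name that claimed it first
    for m in mappings:
        if m.ext_ip == primary_ip and m.ext_port == VDOM_WEBUI_PORT:
            problems.append(
                f"{m.name}: port {VDOM_WEBUI_PORT} on primary IP {primary_ip} is the "
                "HTTPS VDOM UI; forwarding it would lock you out of the WebUI")
        key = (m.ext_ip, m.ext_port, m.protocol)
        if key in seen:
            problems.append(
                f"{m.name}: {m.ext_ip}:{m.ext_port}/{m.protocol} "
                f"already used by {seen[key]}")
        else:
            seen[key] = m.name
    return problems


def render_vip(m):
    """Render one mapping as the body of a 'config firewall vip' entry."""
    return "\n".join([
        f'    edit "{m.name}"',
        f"        set extip {m.ext_ip}",
        '        set extintf "any"',           # assumption: any external interface
        "        set portforward enable",
        f'        set mappedip "{m.mapped_ip}"',
        f"        set protocol {m.protocol}",
        f"        set extport {m.ext_port}",
        f"        set mappedport {m.mapped_port}",
        "    next",
    ])


def render_config(mappings):
    """Wrap all VIP entries in a complete config firewall vip block."""
    body = "\n".join(render_vip(m) for m in mappings)
    return f"config firewall vip\n{body}\nend\n"


# Constructed sample: the article's port-forwarding table plus the RDP example.
EXAMPLE_MAPPINGS = [
    PortForward("RDP-Server1-29292", "27.50.123.2", 29292, "192.168.0.2", 3389),
    PortForward("RDP-Server2-3390", "27.50.123.2", 3390, "192.168.0.100", 3389),
    PortForward("RDP-Server3-3391", "27.50.123.2", 3391, "192.168.0.250", 3389),
]

if __name__ == "__main__":
    primary_ip = "198.51.100.1"  # constructed placeholder for the /31 VDOM link IP
    for problem in check_mappings(EXAMPLE_MAPPINGS, primary_ip):
        print("PROBLEM:", problem)
    print(render_config(EXAMPLE_MAPPINGS))
```

Run `check_mappings` over the whole set before applying anything: a mapping that collides on the primary IP's port 20443 or reuses an already-claimed external port is reported by name, so the bad entry is easy to find before the WebUI becomes unreachable. The rendered block only creates the VIP objects; as the article says, traffic is still dropped until a firewall policy allows it.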

Once complete, proceed to the Firewall Policy section to configure ALLOW rules.

By default, all incoming traffic is denied, so you won't be able to access the services on the Virtual IP address until you create specific Firewall Policies for it.


Click HERE to proceed to the Firewall Policy guide.
