Chapter 3. NAT

3.2 Destination NAT

Learning Objectives

  • Create a virtual IP address
  • Create a Destination NAT
  • Create a Port Forwarding
Scenario: We are going to enable Destination NAT (DNAT) and able to reach WordPress from WebTerm1. That means if someone from WebTerm1 opens the browser and types http://10.10.10.1 should be able to reach WordPress.
Destination NAT Main scenario
Figure 3.8: Main scenario

VIP (Virtual IP address)

Go to Policy Objects > Virtual IPs and Create a new Virtual IP:

  • Name: outsideToDMZ
  • Interface: Port 4
  • External IP address: 10.10.10.1
  • Mapped IP address: 192.168.1.X (Find the local IP address of your WordPress)
  • Enable Port Forwarding:
    • External Service Port: TCP 80 
    • Map to Port: TCP 80
Configure Virtual IP
Figure 3.9: Configure Virtual IP

Create a Firewall Policy

You will create a new firewall policy to match a specific source, destination, service, and action set to Accept.

Table 3.2: Firewall policy configuration
Field Value
Name Outside-DMZ
Incoming Interface Port 4
Outgoing Interface Port 2
Source All
Destination Select your VIP Name (outsideToDMZ)
Schedule Always
Service HTTP
Action ACCEPT
Log Violation Traffic <enable>
Enable this policy <enable>

Click OK to save the changes.

Set Firewall Policy
Figure 3.10: Set Firewall Policy

To confirm traffic matches, go to WebTerm1, open the browser and type http://10.10.10.1 in the browser. You should be able to reach WordPress.

You should be able to reach WordPress
Figure 3.11: Verify configuration

Port Forwarding

main scenario
Figure 3.12: Main scenario
  1. Set the interface of Kali as a DHCP client and enable SSH in Kali. To enable SSH in Kali type Figure 3.13 command:
    To enable SSH in Kali user service ssh start
    Figure 3.13: Enable SSH service in Kali
    Verify you've received an IP address from DHCP
    Figure 3.14: Verify you’ve received an IP address from DHCP
  2. Repeat the previous steps we have done for DNAT and try to reach Kali from port 8080 (Port Forwarding: 8080 → 22)
    Map External port 8080 to local port 22
    Figure 3.15: Map External port 8080 to local port 22
    Set Firewall Policy
    Figure 3.16: Set Firewall Policy
  3. Verify your connection from WebTerm (Hint: ssh user@10.10.10.1 -p 8080).
    Verify SSH connection
    Figure 3.17: Verify SSH connection

License

Icon for the Creative Commons Attribution 4.0 International License

FortiGate Firewall by Hamid Talebi is licensed under a Creative Commons Attribution 4.0 International License, except where otherwise noted.

Share This Book