{"id":93,"date":"2022-04-03T16:14:42","date_gmt":"2022-04-03T20:14:42","guid":{"rendered":"https:\/\/opentextbc.ca\/fortigatefirewall\/chapter\/destination-nat\/"},"modified":"2023-08-29T17:39:02","modified_gmt":"2023-08-29T21:39:02","slug":"destination-nat","status":"publish","type":"chapter","link":"https:\/\/opentextbc.ca\/fortigatefirewall\/chapter\/destination-nat\/","title":{"raw":"3.2 Destination NAT","rendered":"3.2 Destination NAT"},"content":{"raw":"
\r\n

Learning Objectives<\/p>\r\n\r\n<\/header>\r\n

\r\n
    \r\n \t
  • Create a virtual IP address<\/li>\r\n \t
  • Create a Destination NAT<\/li>\r\n \t
  • Create a Port Forwarding<\/li>\r\n<\/ul>\r\n<\/div>\r\n<\/div>\r\n
    Scenario<\/strong>: We are going to enable Destination NAT (DNAT) and able to reach WordPress from WebTerm1. That means if someone from WebTerm1 opens the browser and types http:\/\/10.10.10.1 should be able to reach WordPress.<\/div>\r\n\r\n[caption id=\"attachment_76\" align=\"aligncenter\" width=\"1125\"]\"Destination Figure 3.8: Main scenario[\/caption]\r\n

    VIP (Virtual IP address)<\/h2>\r\nGo to Policy Objects<\/strong> > Virtual IPs<\/strong> and Create a new Virtual IP:\r\n
      \r\n \t
    • Name: outsideToDMZ<\/strong><\/li>\r\n \t
    • Interface: Port 4<\/strong><\/li>\r\n \t
    • External IP address: 10.10.10.1<\/strong><\/li>\r\n \t
    • Mapped IP address: 192.168.1.X <\/strong>(Find the local IP address of your WordPress)<\/li>\r\n \t
    • Enable Port Forwarding:\r\n
        \r\n \t
      • External Service Port: TCP 80\u00a0 <\/strong><\/li>\r\n \t
      • Map to Port: TCP 80<\/strong><\/li>\r\n<\/ul>\r\n<\/li>\r\n<\/ul>\r\n[caption id=\"attachment_76\" align=\"aligncenter\" width=\"500\"]\"Configure Figure 3.9: Configure Virtual IP[\/caption]\r\n

        Create a Firewall Policy<\/h2>\r\nYou will create a new firewall policy to match a specific source, destination, service, and action set to Accept.\r\n
        \r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n
        Table 3.2: Firewall policy configuration<\/caption>\r\n
        Field<\/th>\r\nValue<\/th>\r\n<\/tr>\r\n
        Name<\/td>\r\nOutside-DMZ<\/td>\r\n<\/tr>\r\n
        Incoming Interface<\/td>\r\nPort 4<\/td>\r\n<\/tr>\r\n
        Outgoing Interface<\/td>\r\nPort 2<\/td>\r\n<\/tr>\r\n
        Source<\/td>\r\nAll<\/td>\r\n<\/tr>\r\n
        Destination<\/td>\r\nSelect your VIP Name (outsideToDMZ)<\/td>\r\n<\/tr>\r\n
        Schedule<\/td>\r\nAlways<\/td>\r\n<\/tr>\r\n
        Service<\/td>\r\nHTTP<\/td>\r\n<\/tr>\r\n
        Action<\/td>\r\nACCEPT<\/td>\r\n<\/tr>\r\n
        Log Violation Traffic<\/td>\r\n<enable><\/td>\r\n<\/tr>\r\n
        Enable this policy<\/td>\r\n<enable><\/td>\r\n<\/tr>\r\n<\/tbody>\r\n<\/table>\r\n<\/div>\r\nClick OK<\/strong> to save the changes.\r\n\r\n[caption id=\"attachment_76\" align=\"aligncenter\" width=\"500\"]\"Set Figure 3.10: Set Firewall Policy[\/caption]\r\n\r\nTo confirm traffic matches, go to WebTerm1, open the browser and type http:\/\/10.10.10.1 in the browser. You should be able to reach WordPress.\r\n\r\n[caption id=\"attachment_76\" align=\"aligncenter\" width=\"500\"]\"You Figure 3.11: Verify configuration[\/caption]\r\n

        Port Forwarding<\/h2>\r\n[caption id=\"attachment_76\" align=\"aligncenter\" width=\"1125\"]\"main Figure 3.12: Main scenario[\/caption]\r\n
          \r\n \t
        1. Set the interface of Kali as a DHCP client and enable SSH in Kali. To enable SSH in Kali type Figure 3.13 command:\r\n\r\n[caption id=\"attachment_89\" align=\"aligncenter\" width=\"530\"]\"To Figure 3.13: Enable SSH service in Kali[\/caption]\r\n\r\n[caption id=\"attachment_89\" align=\"aligncenter\" width=\"758\"]\"Verify Figure 3.14: Verify you've received an IP address from DHCP[\/caption]<\/li>\r\n \t
        2. Repeat the previous steps we have done for DNAT and try to reach Kali from port 8080 (Port Forwarding: 8080 \u2192 22)\r\n\r\n[caption id=\"attachment_91\" align=\"aligncenter\" width=\"1094\"]\"Map Figure 3.15: Map External port 8080 to local port 22[\/caption]\r\n\r\n[caption id=\"attachment_91\" align=\"aligncenter\" width=\"843\"]\"Set Figure 3.16: Set Firewall Policy[\/caption]<\/li>\r\n \t
        3. Verify your connection from WebTerm (Hint:<\/strong> ssh user@10.10.10.1 -p 8080).\r\n\r\n[caption id=\"attachment_92\" align=\"aligncenter\" width=\"814\"]\"Verify Figure 3.17: Verify SSH connection[\/caption]<\/li>\r\n<\/ol>","rendered":"
          \n
          \n

          Learning Objectives<\/p>\n<\/header>\n

          \n
            \n
          • Create a virtual IP address<\/li>\n
          • Create a Destination NAT<\/li>\n
          • Create a Port Forwarding<\/li>\n<\/ul>\n<\/div>\n<\/div>\n
            Scenario<\/strong>: We are going to enable Destination NAT (DNAT) and able to reach WordPress from WebTerm1. That means if someone from WebTerm1 opens the browser and types http:\/\/10.10.10.1 should be able to reach WordPress.<\/div>\n
            \"Destination
            Figure 3.8: Main scenario<\/figcaption><\/figure>\n

            VIP (Virtual IP address)<\/h2>\n

            Go to Policy Objects<\/strong> > Virtual IPs<\/strong> and Create a new Virtual IP:<\/p>\n

              \n
            • Name: outsideToDMZ<\/strong><\/li>\n
            • Interface: Port 4<\/strong><\/li>\n
            • External IP address: 10.10.10.1<\/strong><\/li>\n
            • Mapped IP address: 192.168.1.X <\/strong>(Find the local IP address of your WordPress)<\/li>\n
            • Enable Port Forwarding:\n
                \n
              • External Service Port: TCP 80\u00a0 <\/strong><\/li>\n
              • Map to Port: TCP 80<\/strong><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n
                \"Configure
                Figure 3.9: Configure Virtual IP<\/figcaption><\/figure>\n

                Create a Firewall Policy<\/h2>\n

                You will create a new firewall policy to match a specific source, destination, service, and action set to Accept.<\/p>\n

                \n\n\n\n\n\n\n\n\n\n\n\n\n\n
                Table 3.2: Firewall policy configuration<\/caption>\n
                Field<\/th>\nValue<\/th>\n<\/tr>\n
                Name<\/td>\nOutside-DMZ<\/td>\n<\/tr>\n
                Incoming Interface<\/td>\nPort 4<\/td>\n<\/tr>\n
                Outgoing Interface<\/td>\nPort 2<\/td>\n<\/tr>\n
                Source<\/td>\nAll<\/td>\n<\/tr>\n
                Destination<\/td>\nSelect your VIP Name (outsideToDMZ)<\/td>\n<\/tr>\n
                Schedule<\/td>\nAlways<\/td>\n<\/tr>\n
                Service<\/td>\nHTTP<\/td>\n<\/tr>\n
                Action<\/td>\nACCEPT<\/td>\n<\/tr>\n
                Log Violation Traffic<\/td>\n<enable><\/td>\n<\/tr>\n
                Enable this policy<\/td>\n<enable><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n

                Click OK<\/strong> to save the changes.<\/p>\n

                \"Set
                Figure 3.10: Set Firewall Policy<\/figcaption><\/figure>\n

                To confirm traffic matches, go to WebTerm1, open the browser and type http:\/\/10.10.10.1 in the browser. You should be able to reach WordPress.<\/p>\n

                \"You
                Figure 3.11: Verify configuration<\/figcaption><\/figure>\n

                Port Forwarding<\/h2>\n
                \"main
                Figure 3.12: Main scenario<\/figcaption><\/figure>\n
                  \n
                1. Set the interface of Kali as a DHCP client and enable SSH in Kali. To enable SSH in Kali type Figure 3.13 command:
                  \n
                  \"To
                  Figure 3.13: Enable SSH service in Kali<\/figcaption><\/figure>\n
                  \"Verify
                  Figure 3.14: Verify you’ve received an IP address from DHCP<\/figcaption><\/figure>\n<\/li>\n
                2. Repeat the previous steps we have done for DNAT and try to reach Kali from port 8080 (Port Forwarding: 8080 \u2192 22)
                  \n
                  \"Map
                  Figure 3.15: Map External port 8080 to local port 22<\/figcaption><\/figure>\n
                  \"Set
                  Figure 3.16: Set Firewall Policy<\/figcaption><\/figure>\n<\/li>\n
                3. Verify your connection from WebTerm (Hint:<\/strong> ssh user@10.10.10.1 -p 8080).
                  \n
                  \"Verify
                  Figure 3.17: Verify SSH connection<\/figcaption><\/figure>\n<\/li>\n<\/ol>\n","protected":false},"author":124,"menu_order":4,"template":"","meta":{"pb_show_title":"on","pb_short_title":"","pb_subtitle":"","pb_authors":[],"pb_section_license":""},"chapter-type":[],"contributor":[],"license":[],"class_list":["post-93","chapter","type-chapter","status-publish","hentry"],"part":75,"_links":{"self":[{"href":"https:\/\/opentextbc.ca\/fortigatefirewall\/wp-json\/pressbooks\/v2\/chapters\/93","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/opentextbc.ca\/fortigatefirewall\/wp-json\/pressbooks\/v2\/chapters"}],"about":[{"href":"https:\/\/opentextbc.ca\/fortigatefirewall\/wp-json\/wp\/v2\/types\/chapter"}],"author":[{"embeddable":true,"href":"https:\/\/opentextbc.ca\/fortigatefirewall\/wp-json\/wp\/v2\/users\/124"}],"version-history":[{"count":2,"href":"https:\/\/opentextbc.ca\/fortigatefirewall\/wp-json\/pressbooks\/v2\/chapters\/93\/revisions"}],"predecessor-version":[{"id":560,"href":"https:\/\/opentextbc.ca\/fortigatefirewall\/wp-json\/pressbooks\/v2\/chapters\/93\/revisions\/560"}],"part":[{"href":"https:\/\/opentextbc.ca\/fortigatefirewall\/wp-json\/pressbooks\/v2\/parts\/75"}],"metadata":[{"href":"https:\/\/opentextbc.ca\/fortigatefirewall\/wp-json\/pressbooks\/v2\/chapters\/93\/metadata\/"}],"wp:attachment":[{"href":"https:\/\/opentextbc.ca\/fortigatefirewall\/wp-json\/wp\/v2\/media?parent=93"}],"wp:term":[{"taxonomy":"chapter-type","embeddable":true,"href":"https:\/\/opentextbc.ca\/fortigatefirewall\/wp-json\/pressbooks\/v2\/chapter-type?post=93"},{"taxonomy":"contributor","embeddable":true,"href":"https:\/\/opentextbc.ca\/fortigatefirewall\/wp-json\/wp\/v2\/contributor?post=93"},{"taxonomy":"license","embeddable":true,"href":"https:\/\/opentextbc.ca\/fortigatefirewall\/wp-json\/wp\/v2\/license?post=93"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}