Network Address Translation in FortiOS (Part 1)
Network Address Translation (NAT) is a fundamental concept when it comes to network security. In this two-part series, I will cover a general overview of the functionality and provide some details on the specifics in configuring this in FortiOS.
In its most basic definition, it’s when a gateway device (e.g. firewall, router, web application firewall, application delivery controller, etc.) changes the IP address of a device behind it as that packet is traversing it to get to a different network. This provides security since the actual IP address of the device behind the gateway device is hidden (therefore could not be accessed directly unless explicitly defined).
There are two general locations where NAT is applied:
- Source IP address (Source NAT)
- Destination IP address (Destination NAT/Virtual IP)
Source NAT is typically applied on outbound traffic (egress) on the security gateway device.
The actual IP address of the device behind the security gateway is hidden and in its place, changed to an IP address that lives on the security gateway so it was guaranteed to perform policy checks against that traffic before delivering it to the original host. Two varieties of this type of NAT are called overload (many-to-one) and one-to-one.
In the example above, when packet 1 is sent from the host that has IP address 192.168.1.100 it hits the security gateway. That same packet is transmitted from the security gateway to its destination, however the security gateway has performed substitution of the source IP from the original IP address to 184.108.40.206. A similar process occurs when traffic is originated from 192.168.1.200 (packet 2), since the security gateway is configured to only use one IP address for NAT.
Overload NAT allows a security gateway to take multiple hosts behind it and change their IP address to a single IP address (typically the IP address of the egress interface of the security gateway). This is useful especially in IPv4 networks where you cannot assign a publicly routable IP address of multiple clients that need Internet access.
The security gateway tracks the connections by the source port associated with the session. This allows the security device to use the same IP address for two different sessions and map that traffic back to the originating host.
In the example above, when the host with IP address 192.168.1.100 sends out packet 1 to its destination, it hits the gateway and using its configured NAT policy, performs a similar action as what was described in the overload section above. However, when host with IP address 192.168.1.200 sends out packet 2, the security device substitutes a different IP address that is different from the IP address it substituted for the host at 192.168.1.100. Due to this configuration, the security gateway device maintains a “private to public” mapping table that ensures each host corresponds to the same IP address as what is listed in the NAT table.
The one-to-one NAT allows a security gateway to assign a specific host behind it a single IP address (typically an unused IP address that is in the same subnet of the egress interface of the security gateway). This does not have a benefit of conserving IP addresses as the overload method, however it does provide security as the real IP address of the original host is not exposed.
Virtual IP/Destination NAT
Destination NAT is typically applied on inbound traffic (ingress) on the security gateway. This is commonly used when you need to expose a service/application from a device behind the security gateway but do not want to expose the IP address of the device. There are two general varieties when it comes to this type of NAT as well; one-to-one mapping and port forwarding.
In the example above, when the client on the Internet with source IP 100.100.1.100 on the Internet sends a packet to the security gateway at IP address 220.127.116.11, the security gateway consults its configured NAT policy. Upon reviewing the NAT policy, it substitutes the original destination of 18.104.22.168 to the mapped IP of 192.168.1.100 which is the actual host it is protecting.
This method is similar to the one-to-one method described in the source NAT section above. It is useful when the security gateway has unused IP addresses on its public facing interface and there is a need to expose a device behind the security gateway. In this method an external IP address is mapped to the original IP address of the device behind the security gateway. Whenever the security gateway receives a traffic directed towards this external IP address, it performs its policy checks, and forwards the corresponding traffic to the device.
In the example above, when the client on the Internet with source IP 100.100.1.100 sends packet 1 to the security gateway, it uses a specific destination IP address of 22.214.171.124 and destination port of 50443. When the security gateway receives that packet, it consults its NAT policy and based on that, substitutes the destination IP address of the host with 192.168.1.100 and modifies the destination port to 443.
When the same client from the Internet sends packet 2 to the security gateway destined to the same public IP address (126.96.36.199) but different destination port (51443), the security gateway consults its NAT policy and based on that, substitutes the destination IP address of the host with 192.168.1.200 and modifies the destination port to 443.
This method is similar to the one-to-one method with the addition of adding the destination port of the traffic as part of the NAT selection criteria. One of the main benefits of using this method is that it allows you to expose multiple devices behind the security gateway using IP address because the security gateway can examine the port and assign it to a specific device based on the NAT table. A real world use case is if you have multiple web-servers behind your firewall that you want to access from the Internet but you only have one public IP address available to use.
Since this does require the use of ports, this is primarily applicable to Transmission Control Protocol (TCP) and User Datagram Protocol (UDP).
This method typically cannot be used with protocols like Internet Control Message Protocol (ICMP) and Encapsulating Security Protocol (ESP) since these protocols do not use ports.
In a follow up post, I will dive into the details on how to configure these various methods of NAT in FortiOS. Please comment with your thoughts below.