5. Fortinet Getting Started v6.0. NAT


Greetings! Welcome to the fifth lesson of the Fortinet Getting Started course. In the last lesson we worked out how security policies operate. Now it is time to let local users out to the Internet, so in this lesson we will look at how the NAT mechanism works.
Besides letting users out to the Internet, we will also look at how internal services are published. Below is a short summary of the theory from the video, followed by the video lesson itself.
NAT (Network Address Translation) technology is a mechanism for translating IP addresses of network packets. In terms of Fortinet, NAT is divided into two types: Source NAT and Destination NAT.

The names speak for themselves - when using Source NAT, the source address changes, when using Destination NAT, the destination address changes.

In addition, there are also several options for configuring NAT - Firewall Policy NAT and Central NAT.


With the first option, Source and Destination NAT are configured per security policy. Source NAT then uses either the IP address of the outgoing interface or a preconfigured IP Pool, and Destination NAT uses a preconfigured object called a VIP (Virtual IP) as the destination address.

When using Central NAT, the configuration of Source and Destination NAT is done for the entire device (or virtual domain) at once. In this case, the NAT settings apply to all policies, depending on the Source NAT and Destination NAT rules.

Source NAT rules are configured in the central Source NAT policy. Destination NAT is configured from the DNAT menu using IP addresses.

In this lesson, we will only consider Firewall Policy NAT - as practice shows, this configuration option is much more common than Central NAT.

As mentioned above, Firewall Policy Source NAT has two configuration options: replace the source IP address with the address of the outgoing interface, or with an IP address from a preconfigured pool. This looks roughly as shown in the figure below. Next I will briefly describe the available pool types, but in practice we will only use the outgoing interface address, since IP address pools are not needed in our lab topology.


The IP pool defines one or more IP addresses that will be used as the source address during the session. These IP addresses will be used instead of the IP address of the outgoing interface of the FortiGate.

There are 4 types of IP pools that can be configured on FortiGate:

  • Overload
  • one-to-one
  • fixed port range
  • Port block allocation

Overload is the main IP pool type. It translates IP addresses in a many-to-one or many-to-many scheme, and port translation is used as well. Consider the diagram shown in the figure below. We have a packet with its Source and Destination fields set. When it matches a firewall policy that allows it out to the external network, the NAT rule is applied to it. As a result, the packet's Source field is replaced with one of the IP addresses specified in the IP pool.


A One-to-One pool also defines a set of external IP addresses. When a packet matches a firewall policy with NAT enabled, the IP address in the Source field is replaced with one of the addresses belonging to this pool. Addresses are handed out on a "first come, first served" basis. To make this clearer, let's look at an example.

A computer on the local network with IP address 192.168.1.25 sends a packet to the external network. It matches the NAT rule, and the Source field is changed to the first IP address in the pool, in our case 83.235.123.5. Note that with this pool type, port translation is not used. If a computer from the same local network, say 192.168.1.35, then sends a packet to the external network and also matches this NAT rule, the Source field of that packet will be changed to 83.235.123.6. Once no addresses are left in the pool, subsequent connections from new hosts are rejected. So in this case, 4 computers can use our NAT rule simultaneously.


Fixed Port Range links a range of internal IP addresses to a range of external IP addresses. Port translation is also not used. This lets you permanently associate the start or end of the internal IP address range with the start or end of the external IP address range. In the example below, the internal address pool 192.168.1.25 - 192.168.1.28 is mapped to the external address pool 83.235.123.5 - 83.235.125.8.


Port Block Allocation is an IP pool type that allocates a block of ports to each user of the pool. In addition to the pool's address range, two more parameters must be specified here: the block size and the number of blocks allocated to each user.
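To make the difference between the Overload and One-to-One pool behaviour described above concrete, here is a small simulation (added for this write-up, not code from the course or from FortiOS). It reuses the page's addresses; the translated-port range and the way an overload pool picks among several external addresses are modelling choices, not FortiOS internals.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

Mapping = Tuple[str, int]  # (translated source IP, translated source port)


def ip_range(start: str, end: str) -> List[str]:
    """Expand an inclusive IPv4 range such as 83.235.123.5 - 83.235.123.8."""
    first, last = int(ipaddress.IPv4Address(start)), int(ipaddress.IPv4Address(end))
    return [str(ipaddress.IPv4Address(i)) for i in range(first, last + 1)]


class OneToOnePool:
    """One-to-One: each new internal host takes the next free external address
    (first come, first served), ports stay as they are, and once the pool is
    exhausted further hosts are refused."""

    def __init__(self, addresses: List[str]) -> None:
        self.free = list(addresses)
        self.bound: Dict[str, str] = {}  # internal IP -> external IP

    def capacity(self) -> int:
        return len(self.free) + len(self.bound)

    def translate(self, src_ip: str, src_port: int) -> Optional[Mapping]:
        if src_ip not in self.bound:
            if not self.free:
                return None  # pool exhausted: the connection is rejected
            self.bound[src_ip] = self.free.pop(0)
        return self.bound[src_ip], src_port


class OverloadPool:
    """Overload: many internal hosts share one or more external addresses, and
    the source port is rewritten so return traffic can be matched to a session."""

    PORT_LOW, PORT_HIGH = 1024, 65535  # constructed range, not a FortiOS value

    def __init__(self, addresses: List[str]) -> None:
        self.addresses = list(addresses)
        self.next_port = {ip: self.PORT_LOW for ip in addresses}

    def translate(self, src_ip: str, src_port: int) -> Optional[Mapping]:
        # Modelling choice: spread hosts over the pool by hashing the source IP.
        ext_ip = self.addresses[int(ipaddress.IPv4Address(src_ip)) % len(self.addresses)]
        port = self.next_port[ext_ip]
        if port > self.PORT_HIGH:
            return None  # every translated port on this address is in use
        self.next_port[ext_ip] = port + 1
        return ext_ip, port
```

Run `OneToOnePool(ip_range("83.235.123.5", "83.235.123.8"))` against five different internal hosts and the fifth `translate` call returns `None`, which is the "4 computers at once" limit from the text.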


Now consider Destination NAT technology. It is based on virtual IP addresses (VIPs). For packets that fall under the Destination NAT rules, the IP address in the Destination field is changed: usually the public Internet address is changed to the server's private address. Virtual IP addresses are used in firewall policies as the Destination field.

The standard type of virtual IP addresses is Static NAT. This is a one-to-one correspondence between external and internal addresses.

Instead of a full Static NAT mapping, a virtual IP can be restricted to forwarding specific ports. For example, connections to the external address on port 8080 are mapped to a connection to the internal IP address on port 80.

In the example below, the computer at 172.17.10.25 is trying to access 83.235.123.20 on port 80. This connection falls under the DNAT rule, so the destination IP address is changed to 10.10.10.10.
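The following added example (not code from the course or from FortiOS) models the two VIP forms described above: a Static NAT VIP that maps every port, and a port-forwarding VIP that only matches one external port. It uses the page's 83.235.123.20 -> 10.10.10.10 mapping; the second VIP's addresses (83.235.123.21, 10.10.10.11) are constructed.

```python
from dataclasses import dataclass
from typing import Iterable, Optional, Tuple


@dataclass(frozen=True)
class VirtualIP:
    """A VIP: an external address mapped to an internal one. With extport set,
    only that external port is forwarded (to mappedport); otherwise it is
    Static NAT and every port is passed through unchanged."""
    extip: str
    mappedip: str
    extport: Optional[int] = None
    mappedport: Optional[int] = None

    def matches(self, dst_ip: str, dst_port: int) -> bool:
        if dst_ip != self.extip:
            return False
        return self.extport is None or dst_port == self.extport

    def translate(self, dst_port: int) -> Tuple[str, int]:
        new_port = dst_port if self.extport is None else self.mappedport
        return self.mappedip, new_port


def apply_dnat(vips: Iterable[VirtualIP], dst_ip: str, dst_port: int) -> Tuple[str, int]:
    """Rewrite the destination using the first matching VIP; a packet no VIP
    matches keeps its public destination and is not delivered to any server."""
    for vip in vips:
        if vip.matches(dst_ip, dst_port):
            return vip.translate(dst_port)
    return dst_ip, dst_port


# Constructed VIP table: the page's static mapping plus a port-forwarding one.
VIPS = [
    VirtualIP("83.235.123.20", "10.10.10.10"),
    VirtualIP("83.235.123.21", "10.10.10.11", extport=8080, mappedport=80),
]

if __name__ == "__main__":
    # 172.17.10.25 -> 83.235.123.20:80 ends up at 10.10.10.10:80, as in the text.
    print(apply_dnat(VIPS, "83.235.123.20", 80))
    print(apply_dnat(VIPS, "83.235.123.21", 8080))  # forwarded to port 80
    print(apply_dnat(VIPS, "83.235.123.21", 80))    # no VIP matches: unchanged
```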


The video discusses the theory, as well as practical examples of configuring Source and Destination NAT.


In the next lessons we will move on to securing users on the Internet. Specifically, the next lesson covers web filtering and application control. To avoid missing it, follow the updates on the channels below:


Source: habr.com
