Category Archives: NAT

Optimized NAT46 Config on a FortiGate

Johannes published a basic NAT46 configuration for a Fortigate firewall with FortiOS 7.0 some time ago. I run such a service (legacy IPv4 access to IPv6-only resources) since FortiOS 5.6, which means more than six years; lastly with FortiOS 6.4. It’s running for more than 100 servers without any other problems as we see them with IPv4 only or dual stack services.

But we weren’t happy with the basic configuration example by Fortinet. We wanted some NAT46 sample configuration with more details, that is: including the original source IPv4 address within the synthesized/SNATted IPv6 address. More in this post, after a short story about my way to a running nat46 configuration with port forwarding in FortiOS 7.2.x.

Continue reading Optimized NAT46 Config on a FortiGate

Accessing IPv6-only Resources via Legacy IP: NAT46 on a FortiGate

In general, Network Address Translation (NAT) solves some problems but should be avoided wherever possible. It has nothing to do with security and is only a short-term solution on the way to IPv6. (Yes, I know, the last 20 years have proven that NAT is used everywhere every time. ?) This applies to all kinds of NATs for IPv4 (SNAT, DNAT, PAT) as well as for NPTv6 and NAT66.

However, there are two types of NATs that do not only change the network addresses but do a translation between the two Internet Protocols, that is IPv4 <-> IPv6 and vice versa. Let’s focus on NAT46 this time. In which situations is it used and why? Supplemented by a configuration guide for the FortiGates, a downloadable PCAP and Wireshark screenshots.

Continue reading Accessing IPv6-only Resources via Legacy IP: NAT46 on a FortiGate

FortiGate Virtual IPs without Reference

Migrating from Juniper ScreenOS firewalls to FortiGates, there are some differences to note with static NATs, i.e., Mapped IPs (MIPs) on a Netscreen and Virtual IPs (VIPs) on a FortiGate. While the Juniper MIPs on an interface are always used by the firewall whenever a packet traverses the interface, the virtual IP objects on a FortiGate must be used at least once in the security policy before they are really used by the firewall.

Continue reading FortiGate Virtual IPs without Reference

FortiGate Virtual IPs with Interface “Any”

On the FortiGate firewall, address objects and virtual IPs (VIPs) can be set up with an interface. For address objects this has no technical relevance – the address objects simply only appear on policies if the appropriate interface is selected. But for virtual IPs, this setting has relevance on how connections are NATed. This can be problematic.

Continue reading FortiGate Virtual IPs with Interface “Any”

Cisco Router: Disable DNS Rewrite ALG for Static NATs

I am using a Cisco router for my basic ISP connection with a NAT/PAT configuration that translates all client connections to the IPv4 address of the outside interface of the router. Furthermore,  I am translating all my static public IPv4 addresses to private ones through static NAT entries. I basically thought, that only the IPv4 addresses in the mere IPv4 packet header would be translated. However, this was not true since I immediately discovered that public DNS addresses are translated to my private IPv4 addresses, too. This was a bit confusing since I have not explicitly configured an application layer gateway (ALG) on that router.

“Google is my friend” and helped me one more time to find out the appropriate solution: The “no ip nat service alg udp dns” keyword to disable the DNS rewrite. (The synonym from Cisco for DNS rewrite is: DNS doctoring.) Here comes a basic example:

Continue reading Cisco Router: Disable DNS Rewrite ALG for Static NATs

Why NAT has nothing to do with Security!

During my job I am frequently discussing with people why they use NAT or why they believe that NAT adds any security to their networks, mainly some obscurity as NAT (PAT) hides the internal network structure. However, NAT does not add any real security to a network while it breaks almost any good concepts of a structured network design. To emphasize this thesis, here is a discussion:

Continue reading Why NAT has nothing to do with Security!