ICT Diary

Posting notes on Network (mainly Cisco), Server (Red Hat family) and Program (whatever comes to mind) whenever the mood strikes.

Fortigate NAT configuration

Setup

Topology

(Internet)------[FW]---------------(PC)
|<------------->|  |<------------->|
      PPPoE              Local
   10.0.0.0/24       192.168.0.0/24

Components

  • Internet (CiscoRT)
  • PC (CiscoRT)
  • Fortigate
    • Device information
      • model: 60c
      • version:
    • I/F
      • wan2: WAN-side interface (the PPPoE uplink in the real deployment; in this lab it carries the static address 10.0.0.2 facing the Internet CiscoRT)
      • internal1: LAN-side interface the PC is connected to
  • IP addressing
    • WAN: 10.0.0.0/24
    • LAN: 192.168.0.0/24

Prerequisite configuration

Internet (CiscoRT)

interface GigabitEthernet0/0
 ip address 10.0.0.1 255.255.255.0

PC (CiscoRT)

interface GigabitEthernet0/0
 ip address 192.168.0.2 255.255.255.0

Fortigate

config system interface
    edit "wan2"
        set vdom "root"
        set ip 10.0.0.2 255.255.255.0
        set type physical
    next
    edit "internal1"
        set vdom "root"
        set ip 192.168.0.1 255.255.255.0
        set type physical
    next
end

config firewall address
    edit "AddrObj-SrcNAT-Src_192.168.0.0-24"
        set subnet 192.168.0.0/24
    next
end

Source NAT (NAPT)

Full configuration

config firewall policy
    edit 1
        set srcintf "internal1"
        set dstintf "wan2"
        set srcaddr "AddrObj-SrcNAT-Src_192.168.0.0-24"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end

Configuration details

set nat enable: enables source NAT. With no IP pool selected, traffic matching the policy leaves wan2 with its source address rewritten to the wan2 address (10.0.0.2) and a translated source port, i.e. NAPT on the interface address. The policy above permits every service from the LAN subnet to any destination; outside a lab, narrow service and dstaddr to what is actually required.

Dynamic NAT

Full configuration

config firewall ippool
    edit "DynamicNATPool"
        set type overload
        set startip 10.0.0.10
        set endip 10.0.0.19
        set arp-reply enable
    next
end

config firewall policy
    edit 1
        set srcintf "internal1"
        set dstintf "wan2"
        set srcaddr "AddrObj-SrcNAT-Src_192.168.0.0-24"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
        set ippool enable
        set poolname "DynamicNATPool"
    next
end

Configuration details

# ippool
set type (Type)             : translation type (overload = many-to-one with port translation, NAPT from the pool)
set startip (range-min)     : first address of the translation range
set endip (ip-max)          : last address of the translation range; the range must lie inside the wan2 subnet 10.0.0.0/24 so the upstream router can route to it
set arp-reply enable        : the FortiGate answers ARP for the pool addresses on wan2 (needed because they are not configured on any interface)

# policy
set nat enable              : enable NAT
set ippool enable           : translate to an address from an IP pool instead of the outgoing interface address
set poolname "(NAT-Pool)"   : the pool created above

Note that this policy reuses ID 1, so entering it on a box that already has the NAPT policy above modifies that policy rather than adding a second one.
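As an added example (not from the original post), the following Python script parses FortiOS CLI listings like the ones above and checks the two things that silently break pool-based NAT: a pool range that falls outside the wan2 subnet or covers the interface address, and a policy that enables ippool without nat enable or names a pool that does not exist. The sample configuration inside it is constructed for the check; BadPool, policy 2 and MissingPool are not part of this lab.

```python
import ipaddress
import shlex

# Constructed FortiOS CLI sample (not captured from a device): the wan2
# addressing from this lab, a correct pool, and a deliberately broken
# "BadPool" whose endip lies outside the WAN subnet.
SAMPLE_CONFIG = """
config system interface
    edit "wan2"
        set ip 10.0.0.2 255.255.255.0
    next
end
config firewall ippool
    edit "DynamicNATPool"
        set type overload
        set startip 10.0.0.10
        set endip 10.0.0.19
        set arp-reply enable
    next
    edit "BadPool"
        set type overload
        set startip 10.0.0.10
        set endip 10.10.0.19
        set arp-reply disable
    next
end
config firewall policy
    edit 1
        set dstintf "wan2"
        set nat enable
        set ippool enable
        set poolname "DynamicNATPool"
    next
    edit 2
        set dstintf "wan2"
        set ippool enable
        set poolname "MissingPool"
    next
end
"""


def parse_fortios(text):
    """Parse config/edit/set/next/end blocks into {section: {entry: {key: [values]}}}."""
    cfg, section, entry = {}, None, None
    for raw in text.splitlines():
        tokens = shlex.split(raw)  # drops the quotes FortiOS prints around names
        if not tokens:
            continue
        cmd, args = tokens[0], tokens[1:]
        if cmd == "config":
            section = " ".join(args)
            cfg.setdefault(section, {})
        elif cmd == "edit":
            entry = args[0]
            cfg[section][entry] = {}
        elif cmd == "set":
            cfg[section][entry][args[0]] = args[1:]
        elif cmd == "next":
            entry = None
        elif cmd == "end":
            section = None
    return cfg


def check_ippool(cfg, pool_name, ext_if):
    """Problems with an overload pool relative to the interface it will be used on."""
    pool = cfg["firewall ippool"][pool_name]
    ip, mask = cfg["system interface"][ext_if]["ip"]
    iface = ipaddress.ip_interface(f"{ip}/{mask}")
    start = ipaddress.ip_address(pool["startip"][0])
    end = ipaddress.ip_address(pool["endip"][0])
    problems = []
    if start not in iface.network or end not in iface.network:
        problems.append(f"{pool_name}: range {start}-{end} is not inside {iface.network} of {ext_if}")
    elif start <= iface.ip <= end:
        problems.append(f"{pool_name}: range overlaps the {ext_if} address {iface.ip}")
    if pool.get("arp-reply", ["enable"])[0] != "enable":
        problems.append(f"{pool_name}: arp-reply disabled, the upstream router cannot ARP for pool addresses")
    return problems


def check_policy(cfg, policy_id):
    """Problems with how a policy references an IP pool (empty list means OK)."""
    pol = cfg["firewall policy"][policy_id]
    problems = []
    if pol.get("ippool", ["disable"])[0] != "enable":
        return problems
    if pol.get("nat", ["disable"])[0] != "enable":
        problems.append(f"policy {policy_id}: ippool enable has no effect without nat enable")
    for name in pol.get("poolname", []):
        if name in cfg.get("firewall ippool", {}):
            problems.extend(check_ippool(cfg, name, pol["dstintf"][0]))
        else:
            problems.append(f"policy {policy_id}: poolname {name} does not exist")
    return problems


CONFIG = parse_fortios(SAMPLE_CONFIG)
```

Run check_policy(CONFIG, "1") and check_policy(CONFIG, "2") to see the difference: policy 1 comes back clean, policy 2 reports both the missing nat enable and the unknown pool. The same parser works on the output of show full-configuration pasted into SAMPLE_CONFIG, which is the quickest way to catch a pool typo before it reaches a production unit.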

Port Forwarding NAT (VIP)

Full configuration

config firewall vip
    edit "VipObj_FwdNAT"
        set extip 10.0.0.2
        set extintf "wan2"
        set portforward enable
        set mappedip "192.168.0.2"
        set extport 80
        set mappedport 80
    next
end


config firewall policy
    edit 1
        set srcintf "wan2"
        set dstintf "internal1"
        set srcaddr "all"
        set dstaddr "VipObj_FwdNAT"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end

Configuration details

# vip
set extip (ext-ip)          : external address that receives the inbound traffic (here the wan2 address 10.0.0.2)
set extintf "(ext-if)"      : external interface that receives the inbound traffic
set portforward enable      : enable port forwarding (translate only extport instead of the whole address)
set mappedip "(map-ip)"     : internal address the traffic is forwarded to
set extport (port-num)      : external destination port that is forwarded
set mappedport (port-num)   : destination port used after forwarding

# policy
Because dstaddr is the VIP object, the policy only matches packets addressed to 10.0.0.2:80 even though service is ALL; setting service to HTTP makes the intent explicit. The policy has no set nat enable, so the PC sees the real client source address. It also reuses policy ID 1, so on a box that already holds the outbound policy above it would overwrite it; use a new ID when both directions are configured together.

NAT commands

Checking the NAT translation table

get system session list

This prints one line per session with SOURCE-NAT and DESTINATION-NAT columns ("-" when no translation applies). diagnose sys session list shows the full entries for each session.

Clearing sessions (by default, every session on the device)

diagnose sys session clear

Without a filter this drops every active session, including the ones you are testing through. Set a filter first, for example

diagnose sys session filter src 192.168.0.2

so that only matching sessions are cleared, and reset it afterwards with

diagnose sys session filter clear
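As an added example (not part of the original post), this Python script reads the output of get system session list and checks it against the NAT described on this page: outbound LAN sessions must carry a source NAT to 10.0.0.2 or to the DynamicNATPool range, and inbound sessions to 10.0.0.2:80 must be mapped to 192.168.0.2:80 by the VIP. The session lines inside it are constructed in the command's column layout, not captured from the 60C; the 198.51.100.x clients and 203.0.113.x destinations are assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed excerpt in the column layout of `get system session list`
# (PROTO EXPIRE SOURCE SOURCE-NAT DESTINATION DESTINATION-NAT, "-" = no
# translation). Not captured from a device; client and server IPs are assumed.
SAMPLE_OUTPUT = """\
PROTO   EXPIRE SOURCE           SOURCE-NAT       DESTINATION      DESTINATION-NAT
tcp     3599   192.168.0.2:49152 10.0.0.12:49152 203.0.113.10:443 -
udp     175    192.168.0.2:40001 10.0.0.2:40001  203.0.113.53:53  -
tcp     3500   192.168.0.2:50000 -               203.0.113.20:80  -
tcp     3580   198.51.100.7:51000 -              10.0.0.2:80      192.168.0.2:80
tcp     3590   198.51.100.8:51001 -              10.0.0.2:80      -
tcp     20     192.168.0.2:50002 -               192.168.0.1:22   -
"""

Endpoint = Optional[Tuple[ipaddress.IPv4Address, int]]

# Expected translations, taken from the configuration on this page.
LAN = ipaddress.ip_network("192.168.0.0/24")
WAN_IP = ipaddress.ip_address("10.0.0.2")
POOL = (ipaddress.ip_address("10.0.0.10"), ipaddress.ip_address("10.0.0.19"))
VIP_EXT = (WAN_IP, 80)
VIP_MAPPED = (ipaddress.ip_address("192.168.0.2"), 80)


@dataclass
class Session:
    proto: str
    expire: int
    src: Endpoint
    snat: Endpoint
    dst: Endpoint
    dnat: Endpoint


def _endpoint(token: str) -> Endpoint:
    """'ip:port' -> (IPv4Address, port); '-' -> None."""
    if token == "-":
        return None
    host, port = token.rsplit(":", 1)
    return ipaddress.ip_address(host), int(port)


def _fmt(ep: Endpoint) -> str:
    return "-" if ep is None else f"{ep[0]}:{ep[1]}"


def parse_session_list(text: str) -> List[Session]:
    """Parse the six-column session table, skipping the header and blank lines."""
    sessions = []
    for line in text.splitlines():
        cols = line.split()
        if len(cols) != 6 or cols[0] == "PROTO":
            continue
        sessions.append(Session(cols[0], int(cols[1]), *map(_endpoint, cols[2:])))
    return sessions


def audit(sessions: List[Session]) -> List[str]:
    """Flag sessions whose translation does not match the NAT policies on this page."""
    findings = []
    for s in sessions:
        if s.src[0] in LAN and s.dst[0] not in LAN:  # LAN -> outside: must be SNATed
            if s.snat is None:
                findings.append(f"{_fmt(s.src)} -> {_fmt(s.dst)}: private source left untranslated")
            elif not (s.snat[0] == WAN_IP or POOL[0] <= s.snat[0] <= POOL[1]):
                findings.append(f"{_fmt(s.src)} -> {_fmt(s.dst)}: unexpected SNAT address {s.snat[0]}")
        if s.dst == VIP_EXT and s.dnat != VIP_MAPPED:  # hit the VIP: must be DNATed to the PC
            findings.append(f"{_fmt(s.src)} -> {_fmt(s.dst)}: VIP not mapped, DNAT is {_fmt(s.dnat)}")
    return findings


SESSIONS = parse_session_list(SAMPLE_OUTPUT)
FINDINGS = audit(SESSIONS)

if __name__ == "__main__":
    print("\n".join(FINDINGS) or "all sessions translated as expected")
```

The two constructed failures are the ones worth looking for after a change: a LAN session that reaches wan2 with its RFC 1918 source intact (a policy without set nat enable, or traffic matching a different policy than intended), and a client hitting the VIP address whose session has no DESTINATION-NAT (the VIP is not referenced by the matching policy, so the packet terminates on the FortiGate itself). LAN-to-LAN sessions such as the SSH one to 192.168.0.1 are ignored on purpose.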