Advanced NAT

For this post I'm gathering together the resources I read in regards to NAT on Fortinet Devices. I will update it further as I continue my studies


Network Address Translation (NAT) devices converts one set of IP's to another set of IP's. This is most commonly used to convert private IP addresses (as specified in RFC 1918) to public IP addresses that can be used on the internet and vice versa. NAT was originally outlined in RFC 1631, however the current RFC for NAT is RFC3022 (linked below).

The most common use of NAT can be found in home networks, where multiple private IP addresses are translated to a single public address - this is a process called Port Address Translation because different port numbers identify translations. These translations are most commonly completed dynamically but can also be statically set where required.

NAT has several forms:

  • Static NAT - This is when a private IP address is manually mapped to a public IP address. This is commonly used to expose services hosted within the network to external resources (i.e. a web server)
  • Dynamic NAT - As per the name, this is where private IPs are mapped to one or a range of IPs (usually public). This type of NAT has two subsets:
    • NAT Overload - AKA PAT - this is where multiple internal IPs are mapped to a single external IP address with sessions being assigned their own unique port number. Port numbers are a finite resource, in that each IP can only have 65,535 ports. This means that you are limited to that many sessions being represented by the one IP.
    • Overlapping NAT - This is when you translate a private IP for another private IP and is most commonly used in organizational mergers where the networks need to be combined, however they have overlapping IP ranges. This enables mergers and communication without the organizations having to readdress their networks from day one.


NAT on FortiGate

FortiGate firewalls support the following RFCs in regards to NAT

  • RFC 7857: Updates to Network Address Translation (NAT) Behavioral Requirements

  • RFC 6888: Common Requirements for Carrier-Grade NATs (CGNs)
  • RFC 6146: Stateful NAT64: Network Address and Protocol Translation from IPv6 Clients to IPv4 Servers

  • RFC 5508: NAT Behavioral Requirements for ICMP

  • RFC 5382: NAT Behavioral Requirements for TCP

  • RFC 4966: Reasons to Move the Network Address Translator - Protocol Translator (NAT-PT) to Historic Status
  • RFC 4787: Network Address Translation (NAT) Behavioral Requirements for Unicast UDP
  • RFC 4380: Teredo: Tunneling IPv6 over UDP through Network Address Translations (NATs)
  • RFC 3948: UDP Encapsulation of IPsec ESP Packets
  • RFC 3022: Traditional IP Network Address Translator (Traditional NAT)

Comments

Post a Comment

Popular posts from this blog

NSE8 Lab Study Resources - Narbik CCIE R&S v5.1 Foundations

Image
 Hey All, I have been working on putting together some scenarios for lab practice and I've found myself falling back on some of the study materials I used when preparing for the CCIE EI (yet to obtain, on the list after the NSE8). A legendary trainer in this area is Narbik Kocharians CCIE 12410 who is the president of Micronics Networking and Training - his CCIE prep courses and text books are considered almost required reading for any serious candidate for this certification. His text books work through hands on labs that are focused on specific topics to help cement the theory of the different topics in the exam.  His textbook CCIE Routing and Switching 5.1 Foundations: Bridging the Gap between CCNP and CCIE is well aimed at the skill level required of the NSE8 and fortunately there is actually quite a bit of overlap in its 1100 pages. The chapters within the textbook are: 1. Physical Topology 2. Physical and Logical Topologies 3. Spanning Tree Protocol 4. Point-to-Point Protocol
Read more

Journey to the NSE8 - Change in tactic

 I've previously been studying the Secure Wireless LAN content in order to pass the final exam required for my NSE6 (on the way to the NSE8). Going over the material again at the moment I'm noticing that my study sessions are becoming a bit of a blur and I'm not absorbing the content as well as I should be, and I can see this track of study becoming like quicksand if I don't give myself a break from it. The NSE6 fortunately covers a lot of technologies, including FortiAuthenticator and FortiADC which are both heavily featured on the NSE8 blueprint. So from here Im going to review the training for the FortiADC and have a crack at that exam to finish off my NSE6
Read more

Specifying a domain name suffix for DHCP clients on a FortiGate (FortiOS)

Image
Domain Name Suffix You can specify a domain name suffix in a DHCP address pool on the FortiGate DHCP server . With this suffix assigned, the client only needs to input part of a domain name, and the system adds the domain name suffix for name resolution. For example a client can type in https://fortimanager in their web browser to access your fortimanager instance, instead of the FQDN of https://fortimanager.domain.local In FortiOS (current as of December 2022) this is configured via the CLI.   Configuration config system dhcp server     edit <#>          set domain <domain suffix>   In a full context this would be config system dhcp server     edit 1          set domain "lab.example.com"          set default-gateway 192.168.1.1          set netmask 255.255.255.0          set interface "port1"          config ip-range               edit 1                    set start-ip 192.168.1.100                    set end-ip 192.168.1.200               next         
Read more