Fortigate NAT | What is DNAT and Port Forwarding | DAY 13 | Fortinet NSE4 Training

Captions
Hello friends, welcome to my channel. Today is day 13 of our FortiGate firewall series, so in this video we are going to see how we can configure a destination NAT in the FortiGate firewall. Okay, so in this video I am going to cover what destination NAT is, why it is required, what static destination NAT and port forwarding are, and we are even going to do the practical for static destination NAT and port forwarding. So I'll request you to please watch this video till the end so that you can understand what destination NAT is, how we are going to configure it, and how we are going to do troubleshooting when we get this kind of scenario. Okay, and this will be helpful when you have to configure, or your customer or your client is asking you to configure, a destination NAT or port forwarding, because this is a very frequent kind of request that you guys will be getting in your organization, so you should know this. Okay, this is a basic kind of requirement, because only if you understand NAT, how exactly the destination NAT works, will you be able to configure the destination NAT or port forwarding. Okay, and also I'll request you to please subscribe to my channel and hit the bell icon so that you never miss a video from me. So without any further delay, let's get started.

So friends, first of all we'll understand what destination NAT is and why it is required, and then we'll understand what static NAT is and what port forwarding is. Okay, so first of all we'll understand what destination NAT is. So "destination" meaning over here is that the destination IP should be NATed, right, in a real-world scenario. And why it is required we'll try and understand with the help of this diagram, this diagram and this diagram. Okay, so for an example, let's say you are sitting in your home, okay, and this is your PC, and let's say you have opened fortigate.com, okay, for an example. Now the traffic went; your source will be the public IP because you are connected to the internet, so your source will be a public IP address, and the destination will be the FortiGate IP address, right, the FortiGate IP. Now the traffic reaches the FortiGate firewall, okay. Now, as you are going to hide your server basically from the outside world, and you are assigning the IP address for the server as, let's say, 10.1.1.1 for an example, okay, so basically what you are doing is you are giving a private IP address, right? But if somebody wants to reach it on the internet, you have to give a public IP address, right? You have to give a public IP address. So let's say that this reaches this public IP address, and what you are doing is you are doing the NAT for your destination; that is the reason it is called destination NAT. If you try to understand this scenario, the source is a public IP address, the destination is also a public IP address, but here the source remains the same because we are not changing anything on the source side, right? We are changing the destination IP address, right? So basically what we are doing is we are changing this destination IP from here to here. Why is it required? Because let's say you are sitting on the internet, okay, sitting on the internet meaning that you are having a connection to the internet basically, and you are accessing some web server or any other server on the internet, and basically the actual IP address of the web server is private, okay, and you are accessing a public IP address. Why is it so? Because you want to hide your IP address. Maybe somebody wants to attack that public IP address; maybe your firewall might be compromised, or it will fight against that particular threat or something like that, okay, but your web server will be preserved, or it will not be impacted, right? So we will be changing the public IP address to the private IP address. If you see this scenario you will be able to understand: we are not changing the source, we are changing the destination, right? So this is how basically the destination NAT works.

And if I talk about port forwarding, port forwarding is nothing but, it's a very simple one. Let's say somebody, or let's say the Google server for an example, this is a Google server, so how are we accessing the Google server? On port number 443, which is nothing but HTTPS, okay. So let me rub this off and I will type 443, okay, HTTPS, right? It is on port number 443, but I am running this web server on, let's say, the 5000 or maybe 6000 port number. So what I'm doing is I am translating this port number to a different port number, right, to hide our port vulnerability as well. So let's say we have some vulnerability in HTTPS, so somebody is attacking on port number 443; so I'll be changing that port number to some 6000, so that will not work exactly, okay. So what I'm doing is I'm changing the port number as well, so that is called port forwarding for destination, okay. So for an example, if the PC is having a source IP address of let's say 200.1.1.1 and the destination is let's say google.com, 142.2.1.1, okay, it reaches your, let's say, firewall, okay. So what are we doing, what are we changing on the port number? Let's say 443, because the source port number will be a random port number, okay, the destination port number will be 443. Now it reaches the FortiGate firewall, okay. Now here the source will remain the same, 200.1.1.1, okay, now the destination will get changed to let's say 10.1.1.1. So what is changing? The destination is changing, right? The source port number will remain the same, right? Now the destination port number will change from 443 to let's say the 6000 port number. So basically what we are changing: the destination IP is changing, the destination port is changing. So this is called port forwarding; we are translating the port number as well, right?

So now friends, we'll go to the practical lab and we'll see how we are going to configure the destination NAT and port forwarding for this, okay. So friends, for today's practical we'll be taking this topology. So I've already mentioned this: port 2 will be for inside, port 1 will be for management, which will be connected to our local PC, and we will be accessing our FortiGate firewall from this port; and this will be outside, and this will be our DMZ, where the server is connected, okay. From outside, this is our external PC, from where we'll be testing the connection to our DMZ server, okay, and we'll be doing NAT over here, okay. So you just understand this whole is a public area where this PC is also connected, and we will be taking one of the IP addresses; for an example I might take 150 for the NAT, okay. So whenever somebody wants to connect, they will be connected to this IP address and it will get redirected to the server, okay. We'll be doing the static NAT, the static DNAT, as well as the port forwarding, okay, so we'll be performing both the practicals in this lab, okay. So let's move on to the dashboard of FortiGate.

So friends, this is our dashboard for the FortiGate firewall, okay, and we have already done the initial configuration, which is configuring the IP addresses, configuring the default route and all those things, okay. So now we'll move on to create a virtual IP; this is basically to create the DNAT, okay. So we'll be configuring a virtual IP and we will be giving a name, so we'll give a name "from external to DMZ", okay, so we'll just say "outside to DMZ", right. Now which interface do we need to select? We have to select that particular interface, so what we are doing is we will be selecting the interface; now it is for port 3, and we'll be selecting port 3, okay. Now what is the external IP address that you want to use, okay? So the external IP would be, as I just said, from this range, so we'll take 150 from this range, so 172.29.129.150, fine, okay, so this will be .150. And the IP address, the mapped IP address: so whenever somebody wants to access this IP address it will get NATed to which IP? So it should be a private IP address. To check that private IP address we'll try to open and we'll try to see "ip interface brief", okay, so it should be 10.1.1.1, right, so we'll just put that 10.1.1.1, okay, and we are done. So friends, when you click on this, basically you will be seeing that if somebody wants to access 172.29.129.150 it will get translated to 10.1.2.1, okay. Now for this we have to create one policy, that is the IPv4 policy, because we have to allow that particular connection, right. So we will be creating that, okay, so we'll just name it "outside", right, "DMZ-NAT", okay. So what would be my incoming interface? It will be port number 3, okay. What would be my outgoing port? I guess it should be port number 4, right, port number 4. Now what would be my source? Because it is coming from external we are not sure about the source, so we'll just click "all". And for the destination I need to select that virtual IP address, okay; so this is the only thing that you need to select. And after that, for the services you have to select "all", that's all, accept, and we have to basically remove this NAT. Why do we have to? Because this NAT is for source, not for destination. And for seeing all the logs we just enable "all sessions" and we'll click OK. So this way we will be able to create the policy, okay.

So friends, now we'll be going to the test machine, okay, and we will be basically accessing this server, okay. So we'll just configure the IP address and we'll see whether we have got the proper IP address or not; so we'll go to the properties... not properties; anyway, we have got the IP address from the range, okay. Now we are going to access that particular IP address, okay. So what we are going to do is we will be accessing; okay, now the thing is, if you want to access this IP address, okay, so where do you want to reach? 150, right. So basically we'll be accessing the public IP address, so HTTP, okay, this is the service that we have enabled, not HTTPS, okay, 172... okay, if it is not visible for you guys, let me make it larger: 172.29.129.150, okay. Now we are getting an access prompt, okay, so we'll provide that particular access, "cisco", and we have provided it; now we can see that we are already able to access the web server, okay. So which IP are we accessing? We are accessing one public IP address, but it is getting translated; now if you see the IP address of the server, it is 10.1.2.1, okay, so we are accessing on 150 but it is getting translated to it. So friends, now we can see whether the policies are used or not; so we can see that if you refresh it we will see that the byte counts are getting increased, it means that the connection is working, right. And also friends, when we go to the router and if we go to "control-plane host open-ports", okay, so we'll try to initiate the connection again; maybe I'll try that in a different browser, 150, let's say, okay, let's see whether we have any connection, okay. So I guess I just need to log it out; let's see whether we have got an option to log this out; maybe I'll close the browser and I'll try to open it again, okay, or maybe I'll try with some other ports as well, okay, not this one, 150, and we'll see whether we are getting any connection, okay. Still we are not getting it. I'll just try to open PuTTY, 172.29.129.150, port 80, and we'll try to open the telnet, okay. So now if we see here, we are able to see that somebody is connected from 172.29.129.189; so if we try to see the IP address of this, this is .189, so it is able to connect to HTTP. Why was it not showing here? Even I'm not much sure on that part, because it's supposed to show all the connections, but it is showing only the telnet connection; that is what I have observed till now, okay. So what I'll do is I'll try to change the port number, okay; it is listening on port number 80, I'll try to change it to let's say the 5000 or 6000 port number, and the users will be connecting, so we'll be doing port forwarding: the user will be connecting on port number 80 but it will get translated to the 6000 port number, okay. So I will try to change the port number here and we'll see whether it's working or not, whether the port forwarding is working or not, okay.

So friends, basically because of some reason the ports are not getting changed in the Cisco router, so what we have planned is like the user will be accessing on some port number; for an example the user will be accessing on... let me change the color... so the user will be accessing on port number 6000 and it will get redirected to port number 80, okay. So basically we will be changing the port number at the client side, okay; so we'll instruct the client to access on port number 6000 and it'll get redirected to 80, okay. Let's see whether it's happening or not, okay. So very, very simple; the rules will always be the same. So what we have to do is we will be opening this and we'll go to the port forwarding, okay; instead of this, external will be accessing 6000, they will be accessing, and it will get translated to port number 80, right, and we just need to change this, that's all, okay. Now we'll go to the machine and we'll try to access it, okay. So what we are going to do is we'll try to access this 172.29.129.150, okay, and we will go here and we'll see. Okay, okay, I guess we have not changed the port number, so that is the reason it is not coming; let me put this one again, and port number 6000, telnet, right, telnet open, okay, and we'll try to see here, okay. So exit, and we'll see now; if you see here the ports are listening on port number 80 and it is trying on this, so here also the NAT is happening. If you take a look, right before it was 35 KB, 36 KB, right now it is 45 KB, so the rules are used, and here also we can see it is getting connected from .189, which is nothing but this PC's IP address. So basically we will be able to change... let's say we can do a port mapping for other PCs as well. So what I'm trying to say is, with only one single IP address, so for an example 129.150, let's say I can say that if you are accessing 150 on port number 6000 you get redirected to server one, okay; now when you are accessing on port number 6001 you will be directed to server two; same thing, 6002, you might get redirected to server three. So with a single public IP address, with the help of port mapping, we can map to different servers as well, okay; we can do it in this way as well, okay. So whatever I showed you, we can use it in two ways: first is for the security purpose, let's say if the users are accessing on port number 80, I want to change it to port number 6000 for a security reason; or maybe with different port numbers I want to use different servers; we can do that as well, okay. So you have to understand the scenario and you have to implement as per that, okay.

So guys, this is what I wanted to cover in this video. If you want more videos on NAT please try to comment; if the comments go more than 20 then I can make a very detailed, researched video on that particularly for FortiGate, okay. So this is what I wanted to cover. Thank you so much for watching, and I wanted to say thank you for all your support, and yeah, if you like this video please hit the like button; if you have got any knowledge please do comment, as well as if you have any suggestion you can send me a message on Instagram or Facebook, or you can even send me an email as well, okay. Thank you so much and I'll see you in the next one. Last but not the least, don't forget to subscribe to my channel and hit the bell icon so that you never miss a video from me. Thank you.
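The virtual IP and the IPv4 policy that the video builds through the GUI, written out as FortiOS CLI. This is an added example and not configuration taken from the video or from Fortinet documentation; the interface roles (port3 outside, port4 DMZ), the external address 172.29.129.150, the mapped address 10.1.1.1 as entered in the VIP, and the 6000-to-80 port mapping follow the walkthrough above, while the object names "outside-to-DMZ" and "outside-DMZ-NAT" and the comment lines are this editor's choice and are assumed.

```fortios
# Added example: static DNAT with port forwarding on a FortiGate.
# External 172.29.129.150:6000 (port3) is translated to DMZ host 10.1.1.1:80 (port4).
# Object names are assumed; addresses follow the video's lab.
config firewall vip
    edit "outside-to-DMZ"
        # interface on which the public address is reached
        set extintf "port3"
        set extip 172.29.129.150
        set mappedip "10.1.1.1"
        # portforward enable turns the 1:1 static DNAT into a port-forwarding VIP;
        # leave it disabled for the plain static DNAT shown first in the video
        set portforward enable
        set protocol tcp
        # port the external client connects to
        set extport 6000
        # port the DMZ server actually listens on
        set mappedport 80
    next
end

# Policy that allows the translated traffic. The VIP already rewrites the
# destination, and source NAT is not wanted here, so "nat" stays disabled.
config firewall policy
    edit 0
        set name "outside-DMZ-NAT"
        set srcintf "port3"
        set dstintf "port4"
        set srcaddr "all"
        set dstaddr "outside-to-DMZ"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat disable
        set logtraffic all
    next
end
```

To confirm the translation from the CLI rather than from the policy byte counters, `diagnose sniffer packet any 'host 172.29.129.150 and port 6000' 4` shows the inbound packets arriving on port3 and `diagnose sys session list` shows the session with its translated destination 10.1.1.1:80 (addresses as in the lab above). Two practitioner caveats: with port forwarding enabled the VIP only matches TCP/6000, but the policy's `service "ALL"` is still broader than needed, so restrict it to a service object for the forwarded port once the flow is verified; and moving the listener to a non-standard external port hides nothing from a scanner, it only reduces opportunistic noise, so the real protection for the DMZ host is still the policy scope and the host's own patch level.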
Info
Channel: Bikash's Tech
Views: 10,267
Keywords: fortinet, fortigate, fortinet how to, fortigate how to, firewall how to, firewalls, firewall, fortinet tutorial, fortigate tutorial, firewall tutorial, network engineer, network security, itsec, cybersecurity, cyber security, firewall configuration, fortinet setup, fortigate setup, firewall setup, Fortigate NAT, NAT, What is DNAT and Port Forwarding, Port Forwarding, Fortinet NSE4 Training, NSE4, DNAT, Destination NAT, bikash's tech, bikash tech
Id: TIjhvADgPus
Length: 20min 40sec (1240 seconds)
Published: Fri Mar 10 2023