Chapter 2 Advanced Routing for FortiOS 5.0 : Advanced Static Routing : Routing concepts : Static routing security : Network Address Translation (NAT)
Network Address Translation (NAT)
Network address translation (NAT) is a method of changing the address that traffic appears to originate from. It is used to hide the IP addresses on a company’s internal networks, and helps prevent malicious attacks that target those specific addresses.
This is accomplished by the router connected to that local network rewriting all the internal IP addresses to its externally connected IP address before sending the traffic out to other networks, such as the Internet. Incoming traffic is matched against the established sessions to determine which internal IP address it belongs to. This also has the benefit of requiring only the router to be hardened against external attacks, instead of the whole internal network, as would be the case without NAT. Securing one device is much cheaper and easier to maintain.
Configuring NAT on your FortiGate unit includes the following steps.
1. Configure your internal network. For example, use the 10.11.101.0 subnet.
2. Connect your internal subnet to an interface on your FortiGate unit. For example, use port1.
3. Connect your external connection, for example an ISP gateway of 172.20.120.2, to another interface on your FortiGate unit, for example port2.
4. Configure security policies to allow traffic between port1 and port2 on your FortiGate unit, ensuring that the NAT feature is enabled.
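The four steps above, expressed as FortiOS CLI configuration. This is an added example, not taken from the Fortinet manual; it assumes port1 is addressed 10.11.101.1/24, port2 is addressed 172.20.120.1/24 with the ISP gateway 172.20.120.2 as the default route, and that a single outbound policy (ID 1) is enough. No port2-to-port1 policy is created, so unsolicited inbound connections are dropped at the FortiGate.

```fortios
# Step 1 and 2: internal subnet 10.11.101.0/24 on port1
# (the 10.11.101.1 address is an assumed value for this example)
config system interface
    edit "port1"
        set ip 10.11.101.1 255.255.255.0
        set allowaccess ping https ssh
    next
    # Step 3: external link on port2 (172.20.120.1 is an assumed address)
    edit "port2"
        set ip 172.20.120.1 255.255.255.0
        set allowaccess ping
    next
end

# Default route towards the ISP gateway named in step 3
config router static
    edit 1
        set dst 0.0.0.0 0.0.0.0
        set gateway 172.20.120.2
        set device "port2"
    next
end

# Step 4: outbound policy port1 -> port2 with NAT enabled.
# Source addresses are rewritten to port2's address (172.20.120.1),
# so external hosts only ever see the FortiGate interface.
config firewall policy
    edit 1
        set srcintf "port1"
        set dstintf "port2"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end
```

Because there is no accept policy from port2 to port1, only replies that match a session opened from the inside are forwarded back to 10.11.101.0/24; anything else arriving on port2 is denied by the implicit deny policy.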
The above steps show that traffic from your internal network will originate on the 10.11.101.0 subnet and pass on to the 172.20.120.0 network. The FortiGate unit moves the traffic to the proper subnet. In doing so, the traffic appears to originate from the FortiGate unit interface on that subnet, not from the internal host that actually sent it.
NAT “hides” the internal network from the external network. This provides security through obscurity. If a hacker tries to directly access your network, they will find the FortiGate unit but will not know about your internal network. The hacker would have to get past the security-hardened FortiGate unit to gain access to your internal network. NAT will not prevent hacking attempts that piggyback on valid connections between the internal network and the outside world. However, other UTM security measures can deal with these attempts.
Another security aspect of NAT is that many programs and services have problems with NAT. Consider someone on the Internet trying to initiate a chat with someone on the internal network. The outsider can only reach the FortiGate unit’s external interface unless a security policy allows the traffic through to the internal network. If it is allowed in, the proper internal user can respond to the chat. However, if it is not allowed, the request to chat will be refused or time out. This is controlled in the security policy by allowing or denying different protocols.