Chapter 7 Firewall for FortiOS 5.0 : Building firewall objects and policies : Central NAT Table
  
Central NAT Table
The company has a server on the Development LAN that needs to communicate with a server at a remote site over the Internet. One of the restrictions on the communications between these systems is that the IP address and source port must be specific.
 
The traffic going out on to the Internet must be NATed
The traffic is coming from a server with the IP address 192.168.150.86
An address called “app-server” has been created for the address 192.168.150.86 on the port1 interface
The external interface must be 256.23.45.67
An address called "app-server-ext" has been created for the address 256.23.45.67 on the wan1 interface
The traffic from the server originates from source ports in the range 2000 to 3000
The remote site requires that the source TCP port must be within the 12000 to 13000 range
The Original Address and Translated Address fields require address names that are listed in the Address section of Firewall Objects.
Go to Policy > Policy > Central NAT Table.
Create a new NAT table
Fill out the fields with the following information:
Field                   Value
Source Address          app-server
Translated Address      app-server-ext
Original Source Port    2000
Translated Port         12000-13000
Select OK
Enter the following CLI command:
config firewall central-nat
    edit 0
        set orig-addr app-server
        set nat-ippool app-server-ext
        set orig-port 2000
        set nat-port 12000-13000
    next
end
To verify that the table was added correctly:
Go to Policy > Policy > Central NAT Table
Check that the table has been added to the list of Central NAT Tables and that the listed settings are correct.
Enter the following CLI command:
config firewall central-nat
    show full-configuration
end
Verify that the listing of tables includes the one that you have just configured, with the correct settings.
 
When configuring Central NAT in the GUI you may notice that only those addresses which have been associated with the "any" interface are displayed in the drop-down menu for choosing a Source Address, yet the CLI allows any address to be used, not just those associated with the "any" interface. This is because, by default, the GUI cross-references which addresses are allowed against which interface is involved in the policy. Since Central NAT is not restricted to a specific interface, the only addresses the GUI allows are those associated with the "any" interface. The CLI does not perform this cross-referencing, which is why the CLI appears less restrictive. For that reason, more care must be taken when using the CLI to make sure that appropriate addresses are used.
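Because the CLI does not cross-reference address objects, one way to catch a mistyped or inappropriate address after the fact is to audit the output of show full-configuration. The script below is an added example and is not Fortinet code or output: it parses a constructed sample listing in the format shown above, checks that every orig-addr and nat-ippool names a known address object (the ADDRESS_OBJECTS table is a constructed stand-in for the Firewall Objects address list), and validates the port values and ranges. The second entry in the sample deliberately references an address name that does not exist so that the audit has something to report.

```python
"""Audit FortiOS central NAT entries from a saved CLI listing.

Added example, not Fortinet's code. It parses the text that
`config firewall central-nat` / `show full-configuration` prints and
checks each entry against a list of address object names, so entries
created from the CLI (which does not cross-reference addresses the way
the GUI does) can be verified. All sample data below is constructed.
"""
import re

# Constructed sample of a saved central NAT listing. Entry 2 references an
# address object that does not exist, which the audit should report.
SAMPLE_LISTING = """\
config firewall central-nat
    edit 1
        set orig-addr "app-server"
        set nat-ippool "app-server-ext"
        set orig-port 2000
        set nat-port 12000-13000
    next
    edit 2
        set orig-addr "db-server"
        set nat-ippool "app-server-ext"
        set orig-port 0
        set nat-port 0
    next
end
"""

# Constructed stand-in for the Firewall Objects address list:
# address object name -> interface it is associated with.
ADDRESS_OBJECTS = {
    "app-server": "port1",
    "app-server-ext": "wan1",
}


def parse_central_nat(listing):
    """Return one dict per `edit` block, keyed by the `set` option names."""
    entries = []
    current = None
    for raw in listing.splitlines():
        line = raw.strip()
        m = re.match(r"^edit\s+(\d+)$", line)
        if m:
            current = {"id": int(m.group(1))}
            continue
        m = re.match(r"^set\s+(\S+)\s+(.+)$", line)
        if m and current is not None:
            # Values may be quoted in the saved config; store them unquoted.
            current[m.group(1)] = m.group(2).strip().strip('"')
            continue
        if line == "next" and current is not None:
            entries.append(current)
            current = None
    return entries


def parse_port_spec(spec):
    """'2000' -> (2000, 2000); '12000-13000' -> (12000, 13000); '0' means any port."""
    lo, _, hi = spec.partition("-")
    lo = int(lo)
    hi = int(hi) if hi else lo
    return lo, hi


def audit_entry(entry, address_objects):
    """Return a list of problems found with one entry; an empty list means clean."""
    problems = []
    for opt in ("orig-addr", "nat-ippool"):
        name = entry.get(opt)
        if name not in address_objects:
            problems.append(f"{opt} '{name}' is not a known address object")
    for opt in ("orig-port", "nat-port"):
        spec = entry.get(opt, "0")
        try:
            lo, hi = parse_port_spec(spec)
        except ValueError:
            problems.append(f"{opt} '{spec}' is not a valid port or range")
            continue
        if not 0 <= lo <= hi <= 65535:
            problems.append(f"{opt} '{spec}' is not a valid port or range")
    return problems


def audit_listing(listing, address_objects=ADDRESS_OBJECTS):
    """Map each entry id to its list of problems, for every entry in the listing."""
    return {e["id"]: audit_entry(e, address_objects) for e in parse_central_nat(listing)}


if __name__ == "__main__":
    for entry_id, problems in audit_listing(SAMPLE_LISTING).items():
        status = "OK" if not problems else "; ".join(problems)
        print(f"central-nat entry {entry_id}: {status}")
```

Run it against a listing copied from the console, or point it at a configuration backup; entries whose address names are unknown, or whose port values fall outside 0 to 65535, are reported by id so they can be corrected in the CLI or GUI.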