
Example: Central NAT table

The company has a server on the Development LAN that needs to communicate with a server at a remote site over the Internet. One of the restrictions on the communications between these systems is that the IP address and source port must be specific.

  • The traffic going out on to the Internet must be NATed
  • The traffic is coming from a server with the IP address
  • An address called “app-server” has been created for the address on the port1 interface
  • The external interface must be
  • An address called "app-server-ext" has been created for the address on the wan1 interface
  • The originating traffic from the server originates in the port range from 2000 to 3000
  • The remote site requires that the source TCP port must be within the 12000 to 13000 range

The original address and Translated Address fields require values that are address names that are listed in the address section of Firewall Objects.

  1. Go to Policy & Objects > Policy > Central NAT > Create New.
  2. Fill out the fields with the following information:
     Source Address: app-server
     Translated Address: app-server-ext
     Original Source Port: 2000
     Translated Port: 12000-13000
  3. Select OK.
  4. Enter the following CLI command:

config firewall central-nat
    edit 0
        set orig-addr app-server
        set nat-ippool app-server-ext
        set orig-port 2000
        set nat-port 12000-13000
    next
end

To verify that the table was added correctly:
  1. Go to Policy & Objects > Policy > Central NAT.
  2. Check that the table has been added to the list of Central NAT Tables and that the listed settings are correct.
  3. Enter the following CLI command:

config firewall central-nat
    show full-configuration
end

  4. Verify that the listing of tables includes the one that you have just configured, with the correct settings.
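
The verification steps above can be automated against the text that `show full-configuration` prints. The following Python script is an added example, not Fortinet's own code: it parses the central-nat listing, finds the entries that translate app-server, and reports any setting that differs from the values configured above or any translated port range that falls outside the 12000 to 13000 range the remote site requires. The listing it parses is constructed here, with a second, deliberately wrong entry to show a failing case.

```python
import re
# Constructed sample of `show full-configuration` output; entry 2 is deliberately wrong.
SAMPLE_OUTPUT = """\
config firewall central-nat
    edit 1
        set orig-addr "app-server"
        set nat-ippool "app-server-ext"
        set orig-port 2000
        set nat-port 12000-13000
    next
    edit 2
        set orig-addr "app-server"
        set nat-ippool "app-server-ext"
        set orig-port 2000
        set nat-port 12000-14000
    next
end
"""
# Settings this page configures for the Development LAN server.
EXPECTED = {"orig-addr": "app-server", "nat-ippool": "app-server-ext",
            "orig-port": "2000", "nat-port": "12000-13000"}

def parse_central_nat(text):
    """Return {entry_id: {setting: value}} parsed from the central-nat listing."""
    entries, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r"^edit (\d+)$", line):
            current = entries.setdefault(int(m.group(1)), {})
        elif (m := re.match(r"^set (\S+) (.+)$", line)) and current is not None:
            current[m.group(1)] = m.group(2).strip('"')
    return entries

def port_range(value):  # '12000-13000' -> (12000, 13000); '2000' -> (2000, 2000)
    lo, _, hi = value.partition("-")
    return int(lo), int(hi or lo)

def audit(text, expected=EXPECTED, required=(12000, 13000)):
    """Return {entry_id: [problems]} for every entry that NATs the expected orig-addr."""
    report = {}
    for eid, s in parse_central_nat(text).items():
        if s.get("orig-addr") != expected["orig-addr"]:
            continue  # some other server's table; not this page's entry
        problems = [f"{k} is {s.get(k)!r}, expected {v!r}" for k, v in expected.items() if s.get(k) != v]
        lo, hi = port_range(s.get("nat-port", "0"))
        if not required[0] <= lo <= hi <= required[1]:  # remote site's source-port rule
            problems.append(f"nat-port {lo}-{hi} is outside {required}")
        report[eid] = problems
    return report
```

Running `audit(SAMPLE_OUTPUT)` reports an empty problem list for entry 1 and two problems for entry 2 (the nat-port mismatch and the range that exceeds 13000).
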

When configuring Central NAT in the GUI, you may notice that only those addresses which have been configured to be associated with the "any" interface are displayed in the drop-down menu for choosing a Source Address, yet the CLI will allow any address to be used, not just those associated with the "any" interface. This is because, by default, policies in the GUI cross-reference which addresses are allowed based on which interface is involved in the policy. Because Central NAT is not restricted to a specific interface, the only addresses the GUI allows are those associated with the "any" interface. The CLI does not perform this cross-referencing, which is why it seems less restrictive. However, more care must be taken when using the CLI to make sure that appropriate addresses are used.