NSE4_FGT-6.4 Fortinet NSE 4 – FortiOS 6.4 – FortiGate Firewall V6.4 Part 14

January 25, 2023

55. Lecture-55: Destination NAT, Virtual IP in Security Policy.

Another topic is destination network address translation, DNAT for short. In DNAT the destination IP address of a packet is changed, and optionally the destination port as well. We use it when somebody on the outside, in the real world, wants to reach a server inside our infrastructure, whether that server sits in the DMZ or on the inside LAN.

For that purpose we create a destination NAT rather than a source NAT, because the client comes in from the public network and the server has a private address (192.168.0.0/16, 10.0.0.0/8 or 172.16.0.0/12) that is not reachable directly from the outside. The alternative would be to assign a public IP to the server and expose it directly, which is not good practice.

So what we do is create a destination NAT. People from outside hit the outside interface of the firewall, the public IP that is exposed to the world, and from their point of view that address is the server. Suppose it is a web server: the outside clients believe the firewall's public IP is the web server, which is not the case. When they hit it, the firewall rewrites the destination. What was the destination? The public IP, 1.1.14.100 in this lab. The firewall translates it to the real private IP of the server. Because the destination is changing, we call it destination NAT.

Let's go to the lab. We follow the same topology we used for source NAT, but in the source NAT lab traffic went from inside to outside and the source was changing, to the outside interface IP, to an IP pool, and so on. This time the direction is reversed: somebody on the Internet wants to reach our web server and our other servers, so it is the opposite direction.

In that direction the outside host, PC3, knows nothing about my private addresses, neither 192.168.1.3 (the server) nor 192.168.1.4 (R1). What it will do is hit the firewall's public IP, 1.1.14.100. So I configure destination NAT: if somebody hits you on 1.1.14.100 port 80, hand it to 192.168.1.3; if somebody hits you on 1.1.14.100 port 23, hand it to 192.168.1.4; on port 22, the same host; and so on. For every service you create a separate destination NAT entry. If one server handles everything you can say "any port", but then every port of that host is exposed, so map only what is needed. In parallel I need a firewall policy that allows traffic from outside to inside. So two things are required before the inside host becomes reachable. If I check from PC3 right now, nothing is accessible, which makes sense.

If my web server is 192.168.1.3, I cannot reach it from the outside at all: it is a private IP, and private ranges are not even routed on the Internet. If I hit 1.1.14.100 on port 80 instead, something does answer, but that is the FortiGate's own admin GUI, because HTTP administrative access is enabled on the outside interface in this lab (which should never be the case in the real world). Ignore that and treat it as not reachable. Telnet does not work either, neither to 192.168.1.4 nor to 1.1.14.100, because no VIP and no policy exist yet. In case telnet is not configured on R1 (I think we did it last time), let me enable it quickly: `line vty 0 4`, `transport input all`, `password 123`, `login`, then `enable password 123` and `do write`. Still nothing is reachable, neither on the public IP nor on the private one. So I need two things: a firewall policy and a destination NAT. Log in to the firewall (admin / 123, "remind me later") and create the destination NAT. Destination NAT can be configured with central NAT or without it; with central NAT the menu shows "DNAT and Virtual IPs", without it just "Virtual IPs".

Let me start without central NAT. Go to System > Settings and disable Central NAT, then check that it has disappeared from the menu. Under Policy & Objects the menu item now reads Virtual IPs; a virtual IP (VIP) is nothing but a destination NAT entry. Nothing is configured there yet, just the columns name, details, interface, services and references, the same as for any other object. You can create a VIP or a VIP group. I need one VIP: give it a name such as Web-SRV-VIP, add a comment and a colour if you like, choose the interface the traffic arrives on (wan, or any if you are not sure), set the external IP address or range (here the outside interface IP, 1.1.14.100; it can also be a range) and the mapped IP address, my local web server 192.168.1.3.

Under optional filters you can restrict by source address or by service. Service is a good idea: I select HTTP, so only traffic to port 80 is mapped (it could be HTTPS as well, but I only have HTTP here). Port forwarding, changing the port, is not needed in this case. The destination NAT is ready: whenever somebody hits 1.1.14.100 on port 80 it is redirected to 192.168.1.3. That concept is destination NAT. But I still need a policy from outside to inside; the only policy I have is lan to wan. So I create the opposite policy, wan to lan. The source can be restricted to specific hosts if you know who will connect, and for the destination you should select the VIP object for this server (more on that in a minute).

For now I leave source and destination as all, schedule always, service HTTP (you can restrict this further), action ACCEPT. NAT stays disabled: because central NAT is off, the NAT toggle appears in the policy again, but enabling it here would source-NAT the inbound traffic as well, a double NAT, and the server would see the firewall's internal IP as the client instead of the real source. I only want destination NAT. Log all sessions and click OK.

Now there is a small issue with testing. HTTP on the outside interface is also used by the firewall's admin GUI, so when somebody hits 1.1.14.100 on port 80 they get the GUI, and if I remove HTTP from the WAN administrative access I lose my own management session. In the real world HTTP and HTTPS admin access should not be enabled on the WAN interface at all; it is only enabled here because I manage the lab over it.

So I enable HTTPS on the inside interface for management instead, and I test with another service: telnet, which we just enabled on R1. Go back to Policy & Objects > Virtual IPs, edit the VIP I created for web, rename it to something like Telnet-SRV, change the mapped IP to 192.168.1.4 (R1), and change the service filter from HTTP to TELNET. Then in IPv4 Policy edit the wan to lan policy and set the service to TELNET (all would also work, because the VIP already filters, but being specific is better) and click OK. Now try again from PC3: hit the firewall's public IP on port 23 and it should be redirected to the router.

I telnet to 1.1.14.100, which the VIP should redirect to R1. It does not connect. Let me check R1 first: its static default route back toward the firewall is there (without it the reply could never return), and `show users` on R1 shows nobody logged in. Maybe telnet is also enabled as an administrative service on the outside interface; in that case the FortiGate would answer the telnet itself rather than forward it. Ping is allowed there, and SSH is not needed. Under Log & Report > Forward Traffic I enable the columns Destination NAT IP and Destination NAT Port (drag them next to Source, if it lets you), refresh, and nothing is being translated.

So let me verify the admin access on the CLI: `config system interface`, `edit port1`, `show` lists `set allowaccess ping https http`. Telnet is not there, so the firewall is not intercepting it; I only checked because the GUI sometimes does not show it. So that is not the cause. Let me go through the configuration again. Policy & Objects > IPv4 Policy: the wan to lan policy exists, source all, destination all, service all (I open it up to rule that out), NAT off. Virtual IPs: external interface wan, external IP 1.1.14.100, mapped IP 192.168.1.4, which is R1, service TELNET only. Everything looks correct.

Let me test a different service to see whether the problem is specific to telnet. 192.168.1.3 is an FTP server as well, so I create a second VIP, FTP-SRV: interface wan, external IP 1.1.14.100, mapped IP 192.168.1.3, service FTP. From PC3 I run `ftp 1.1.14.100`: no prompt. If FTP had worked, the problem would have been telnet-specific; since it does not, the issue is something else and I have to troubleshoot. Central NAT is disabled, the VIP exists, the wan to lan policy exists. Is the firewall even reachable? `ping 1.1.14.100` works. Is the policy being hit? In the forward traffic log the wan to lan policy shows no hits, even after I move it to the top of the list.

I change the external IP of the FTP VIP to 1.1.14.200 (it does not have to be the interface IP; any address in the public range that is routed to the firewall will do) and test `ftp 1.1.14.200`: still nothing. Before enabling central NAT to compare, I remember the mistake. In the wan to lan policy the destination is set to all, and the VIP object is not referenced anywhere. Without central NAT a VIP only takes effect when it is selected as the destination address of the policy. So I edit the policy, set source any and destination FTP-SRV, and click OK. Now `ftp 1.1.14.200` prompts for credentials; the default for this image is user root, password gns3. My first attempt fails because I typed the wrong credentials, so let me do it again.

With root / gns3 the FTP service is accessible, and the forward traffic log now shows the wan to lan policy being hit with the destination NAT column filled in. The only thing wrong was that small mistake: without central NAT you have to reference the VIP as the destination in the policy. You can put several VIPs in the same policy or create a separate policy per VIP; I add the Telnet VIP to the same policy. Now telnet works too: telnet to 1.1.14.100 (port 23 maps to R1, password 123) and FTP to 1.1.14.200. On R1, `show users` reports that 1.1.14.20, PC3, is logged in. The source address was not changed, only the destination, from 1.1.14.100 to 192.168.1.4. To verify on the firewall, go to Log & Report > Forward Traffic: the entry for port 23 shows the original destination 1.1.14.100 and the translated address 192.168.1.4. The client never hit 192.168.1.4 directly; the firewall rewrote the destination. That is destination NAT.

The FTP entry shows port 21 translated to 192.168.1.3. The second way to verify is the CLI command we used last time, `get system session list`: each session is listed with its translated destination, 1.1.14.100:23 to 192.168.1.4:23 for telnet and 1.1.14.200:21 to 192.168.1.3:21 for FTP. That is destination NAT without central NAT. The difference from central NAT is that you must call the VIP object inside the policy, under Destination in the "Virtual IP & server" list, for every service: Telnet-SRV, FTP-SRV and so on. When central NAT is enabled, those objects no longer appear in the policy's destination selector at all. I will show that next; let me save this configuration separately.
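Here is the CLI equivalent of what was just configured in the GUI, as an added example that is not part of the original lecture: one VIP per service, the wan to lan policy that references the VIP objects (the step I missed), NAT left disabled so the server sees the real client address, management access removed from the WAN interface, and the commands that prove the translation. The interface names wan1 and lan, the policy and object names, and the addresses (1.1.14.100 and 1.1.14.200 outside, 192.168.1.3 and 192.168.1.4 inside, as read from this lab) are assumptions; substitute your own.

```fortios
# Added example, not from the lecture. Assumed interface names wan1 and lan;
# lab addresses as read from the transcript, replace them for your network.

# 1. One VIP per exposed service. Port forwarding pins the mapping to a single
#    port; a VIP with no port or service filter maps EVERY port of the mapped
#    host to the outside, which is rarely what you want.
config firewall vip
    edit "Telnet-SRV"
        set extintf "wan1"
        set extip 1.1.14.100
        set mappedip "192.168.1.4"
        set portforward enable
        set protocol tcp
        set extport 23
        set mappedport 23
    next
    edit "FTP-SRV"
        set extintf "wan1"
        set extip 1.1.14.200
        set mappedip "192.168.1.3"
        set portforward enable
        set protocol tcp
        set extport 21
        set mappedport 21
    next
end

# 2. Without central NAT the VIP objects MUST be the policy's dstaddr; a
#    destination of "all" never triggers the translation (the mistake above).
#    "set nat disable" keeps the client's real source IP visible to the server
#    and in its logs instead of double-NATing it to the lan interface IP.
config firewall policy
    edit 0
        set name "WAN-to-LAN-DNAT"
        set srcintf "wan1"
        set dstintf "lan"
        set srcaddr "all"
        set dstaddr "Telnet-SRV" "FTP-SRV"
        set action accept
        set schedule "always"
        set service "TELNET" "FTP"
        set nat disable
        set logtraffic all
    next
end

# 3. Do not leave management listening on the outside interface; it is what
#    answered the port-80 test instead of the VIP. Manage from the inside.
config system interface
    edit "wan1"
        set allowaccess ping
    next
    edit "lan"
        set allowaccess ping https ssh
    next
end

# 4. Verify. The session table shows the rewritten destination per session.
get system session list

# Per-packet view of the DNAT decision and the policy that matched; run the
# "ftp 1.1.14.200" test from the outside host while the trace is active.
diagnose debug flow filter port 21
diagnose debug flow show function-name enable
diagnose debug flow trace start 10
diagnose debug enable
# ... test, then stop tracing and clear the filter:
diagnose debug disable
diagnose debug reset
```

If the trace shows the packet arriving on wan1 but no "DNAT" line, the VIP is not matching (wrong extip, extport or interface); if it shows the DNAT but then "Denied by forward policy check", the policy does not reference the VIP or does not allow the service.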

56. Lecture-56: Destination NAT, Virtual IP with Central SNAT.

Destination NAT again, but this time with central NAT. Destination NAT simply means the destination IP is changed; in FortiOS the objects are called virtual IPs. When you have a server in your data centre, inside or in the DMZ, and somebody from outside needs to reach it, they hit a public IP, either the interface IP or any address in your public range, and the firewall translates it to the private IP. That is why we call it destination NAT. Last time the objects were listed under Virtual IPs and we had to call them inside the policy; the References column showed where each one was used. With central NAT enabled this changes. Go to System > Settings, enable Central NAT and apply. Sometimes the GUI shows no error but nothing actually changes, so the reliable way is the CLI: `config system settings`, `set central-nat enable`, `end`. This returns an error that virtual IPs are in use: a policy may not reference VIP objects once central NAT is on. So I go back to the policy and remove the VIP objects from the destination.

The NAT setting in that policy is no longer relevant either. Now I enable central NAT again, and this time it applies without complaint. Back in Policy & Objects a Central SNAT entry appears, and what was called Virtual IPs is now DNAT & Virtual IPs. At the moment neither telnet nor FTP from outside works, because things have changed. First I check DNAT & Virtual IPs: the VIPs from last time still exist, so I reuse them. Telnet-SRV comes in on wan, external IP 1.1.14.100, mapped to 192.168.1.4, which is our telnet server, R1. FTP-SRV is hit on 1.1.14.200 (it could be 1.1.14.100 as well), mapped to 192.168.1.3, service FTP. So what is the difference? The VIPs are already there.

Then the policy. Last time the issue was the wan to lan policy, so let me create it properly: source any, destination... the VIP objects no longer appear in the selector (last time we selected FTP-SRV here; now it is not offered), so I set destination all, and service all. The policy notes that central NAT is enabled, and the NAT toggle is gone. Log all sessions. Next I go to Central SNAT, remove the old entry we created for source NAT, and add an entry for traffic from wan to lan: source addresses all, destination all, outgoing interface lan; nothing else. Keep in mind what this entry is: source NAT. The destination translation itself comes only from the VIP, and a central SNAT entry with NAT enabled on this path would additionally rewrite the client's source to the lan interface IP, hiding the real client from the server. So do I call the VIP anywhere? Nowhere.

The VIP objects show zero references. Let's test anyway: `telnet 1.1.14.100` works, and `ftp 1.1.14.200` asks for credentials, root / gns3, and I am in. How do I know it was translated? Go to Log & Report > Forward Traffic as we did last time and look at the DNAT columns: both 192.168.1.3 and 192.168.1.4 have been hit. `get system session list` confirms it too, showing the new sessions with the translated destinations (the old entries have expired in the meantime). Yet the VIP objects are not called anywhere. That is exactly what tripped me up last time: without central NAT you must reference them in the policy, with central NAT you do not. Under Policy & Objects > DNAT & Virtual IPs the References column is empty, but it works. This is the beauty of central NAT: for traffic from wan to lan, any source to any destination, the policy allows it and the firewall checks the DNAT table on its own. The VIP still decides what is exposed, though: if I try http://1.1.14.200, it does not work, even though the policy and the central SNAT entry exist, because there is no VIP for port 80.

If I create one, it starts working automatically. Web-SRV, any icon you like, interface wan, external IP 1.1.14.200, mapped IP 192.168.1.3, our web server, service HTTP only, OK. Now http://1.1.14.200 comes up, and in Log & Report > Forward Traffic there is a port 80 entry translated to 192.168.1.3 alongside the FTP one. Just create the VIP and the translation starts working. To repeat the lesson: if central NAT is disabled you have to call the VIP in every policy that should allow it, the mistake I made; if central NAT is enabled you do not reference it anywhere, the firewall checks on its own that a policy from wan to lan allows the service and applies the matching VIP.

We verified from two places, the forward traffic log and the session list, and both show ports 23, 21 and 80. You can do the same for HTTPS. Let me turn R1 into an HTTPS server: `ip http secure-server`, `ip http authentication local`, and a local user, `username admin privilege 15 password 123`. R1 is the router with 192.168.1.4 (`show ip interface brief`). Can somebody reach https://1.1.14.100 now? No, nothing prompts until I create a VIP for it: HTTPS-SRV, interface wan, external IP 1.1.14.100 (you can use a separate address), mapped IP 192.168.1.4, service HTTPS, which is port 443. Now it comes up; note that it is R1 answering, not the web server on 192.168.1.3 that served HTTP.

HTTPS is now allowed. The browser warns that the connection is not secure because of the router's self-signed certificate; accept the exception, log in with the user we just created, admin / 123, and R1's web interface appears. You can run commands from it, for example `show ip interface brief`, and it shows the same 192.168.1.4 interface I showed on the console. That is destination NAT with central NAT. To finish the topic: you can also do port forwarding in a VIP, for a server that runs on a non-default port. Remove the service filter, enable port forwarding, and set the external port to 443 and the mapped port to, say, 4443.

People then hit you on 443, and when the packet reaches the firewall it translates 443 to 4443 and forwards it, because the firewall first matches the external port and then applies the mapped port. I cannot demonstrate it here because I do not have a server on a non-default port: the web server runs on 80 and R1 on 443, and I do not know offhand the router command to change it. But the idea is that the client uses the default port while the service inside listens on a non-default one. That was the NAT topic: destination NAT configured in two different ways, with central NAT and without, and there is a real difference between the two.
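The central NAT variant on the CLI, including the port forwarding case just described, as an added example that is not from the lecture. Names and addresses are the same assumptions as in the previous block; the policy uses an address object for the server's real IP as its destination, which is how central NAT mode matches after translation, though `all` as used in the lecture also works. The policy service is left at ALL so it matches regardless of whether your FortiOS build evaluates the service on the external or on the mapped port of a port-forwarding VIP; tighten it once the flow trace has shown you which.

```fortios
# Added example, not from the lecture. Same assumed names and lab addresses.

# 1. Switch to central NAT. This is refused while any policy still references
#    a VIP object as dstaddr: remove those references first, then enable.
config system settings
    set central-nat enable
end

# 2. VIPs are applied automatically in this mode and are never referenced in
#    a policy. Port forwarding as at the end of the lecture: clients connect
#    to 443 on the public IP, the internal service listens on 4443.
config firewall vip
    edit "HTTPS-SRV"
        set extintf "wan1"
        set extip 1.1.14.100
        set mappedip "192.168.1.4"
        set portforward enable
        set protocol tcp
        set extport 443
        set mappedport 4443
    next
end

# 3. The policy is matched on the translated destination, so it can name the
#    real server instead of "all". There is no NAT toggle in central NAT mode.
config firewall address
    edit "R1-host"
        set subnet 192.168.1.4 255.255.255.255
    next
end
config firewall policy
    edit 0
        set name "WAN-to-LAN-central"
        set srcintf "wan1"
        set dstintf "lan"
        set srcaddr "all"
        set dstaddr "R1-host"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
end

# 4. No central SNAT entry is needed for inbound DNAT. A wan1->lan entry with
#    NAT enabled would rewrite the client source to the lan interface IP and
#    hide the real client from the server and from its logs; leave it out.

# 5. Verify only the translated session instead of the whole table. The
#    DNAT session shows act=dnat with the mapped address in parentheses.
diagnose sys session filter clear
diagnose sys session filter dport 443
diagnose sys session list
diagnose sys session filter clear
```

If the session is absent, check that the client reached 1.1.14.100:443 at all (`diagnose sniffer packet wan1 'port 443' 4`) before touching the policy; if it is present but the server never answers, the mapped port on the server side is wrong.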
