Skip to main content
lmsaeb
lmsaeb
New Member
August 30, 2019
Question

Confused - IPV4 Rules and Allowing Traffic

  • August 30, 2019
  • 2 replies
  • 4180 views

Hi All, 

 

I am new to the Fortigate/FortiOS and having some issues wrapping my head around this scenario:

 

I have an external source - say x.x.x.x and I need to allow traffic from port 123 to an y.y.y.y. I add the IPv4 rule and it does nothing. Apparently, the only way this will work is if I add a Virtual IP mapping from x.x.x.x to y.y.y.y on port 636. The problem i that if I do that, any other source sending traffic on port 123 gets routed to y.y.y.y.

 

I have experience using a Sonicwall and it did not work like this. I only needed to add NAT when I really needed to map a public IP address to an internal one - i.e., public IP to a webserver on my DMZ. Otherwise, I just added a policy to allow the traffic into my network.

 

This does not make sense to me that I would to setup a NAT rule for this. 

 

Is this indeed the way it works?

    2 replies

    James_G
    James_G
    New Member
    August 30, 2019

    Unless you have a publicly routeable IPv4 subnet range internally (unlikely - but I have seen in the past on very legacy networks) you are going to need some sort of NAT.

     

    Can can limit the NAT to a specific port, and then also have a policy that only allows traffic from specific sources, that references said NAT.

    ede_pfau
    SuperUser
    ede_pfau
    SuperUser
    August 30, 2019

    I'm a bit confused about port 123 and then again port 636...but that doesn't matter.

    Policies allow traffic (session setup to be precise) from one interface to another, or, in fact, across the same interface if there are 2 subnets on it (e.g. via secondary address). It's not quite clear what your situation is.

    x.x.x.x is an external address - so this is a source address. y.y.y.y on the other hand is a destination. If both are on directly connected subnets (one FGT port in each subnet) then routing is automatically set up, and you will only need a policy to allow traffic.

    If that doesn't work please describe what you see and what you've tried. Bytes on policy counter? Sniffing? diag debug flow? Whatever.

     

    Toshi_Esumi
    SuperUser
    Toshi_Esumi
    SuperUser
    August 30, 2019

    There are three IPs(ranges) you need to be clear when you configure VIP. source, external-ip and destination.

    The source is the external on the internet accessing the external-ip from. The external-ip is regularly the outside interface IP or any reachable IP from the internet where you applies the VIP. Then the destination is the internal IP you want to direct some particular accesses from outside to.

     

    Is x.x.x.x the source on the internet, and y.y.y.y is the destination inside? Then what is the external-ip?

    emnoc
    emnoc
    New Member
    August 30, 2019

    The FGT would like the  Sonicwall, the NAT is taken care of in the VIP. When you by the to address ( external to internal map) that is the NAT. In a VIP it would be DNAT.

     

    You still need the rule to allow src x.x.x.x to y.y.y.y and the service.

     

    Ken 

    Terms & ConditionsAccessibility statement