Skip to main content
A
Anonymous_User
Contributor
February 20, 2007
Question

External Interface using private IP to router

  • February 20, 2007
  • 4 replies
  • 4446 views
We have our internet router connected to the fortigate firewall via a private ip range. The router simply forwards all our public addresses to the firewall, and all it well except for one thing. The firewall itself cannot connect to anything on the internet, such as needed for Fortiguard web filtering and anti-spam. Internet <--> router 172.20.1.1 <--> 172.20.1.2 Firewall - 10.1.1.2 <--> LAN I had thought about this, and discovered a proxy setting, but alas that only works for the virus and IPS signature auto-update. I have tried assigning a public address to the external port of the firewall, then added the 172.20.1.2 address as a secondary address. This will allow me to use the " execute ping-options source" to that public address, then ping works. I can' t figure out a way to " source" or NAT the connections for web filtering and anti-spam. I have also tried creating a virtual-IP for the firewalls external public address to it' s private address. The router is a leased router from our ISP. I know it has the ability to NAT, but I have been reluctant to ask them to NAT our private 172 addresses, since I don' t have direct control over that device. That' s my option if I can' t figure out a way to do it at the firewall.

    4 replies

    A
    Anonymous_UserAuthor
    Contributor
    February 21, 2007
    Don' t NAT your private ip addresses! Then you will be double NAT' ing to the firewall. Bad Idea. If anything they need to route your public ip' s to the fortigate then let the fortigate be the border router for your public ip' s. Regardless, lets fix the immediate problem. I have some questions. Is the firewall in NAT or Transparent mode? What are your external ip' s? Is this a brand new installation? Has this ever worked? Do you have a default route of 0.0.0.0/0.0.0.0 -> 172.20.1.1? This is often forgotten that the fortigate' s don' t put in the default for you. Let me know, Nick
    A
    Anonymous_UserAuthor
    Contributor
    February 21, 2007
    It is running in NAT mode. It works fine for everything except connections initiated from the firewall itself. The comptuers on the LAN can connect to the internet, and are NAT' ed to the public addresses in our range 208.191.50.0/23. For example: 1) Workstation on the LAN connects to www.google.com, the source is nat' ed from 10.x.x.x to 208.191.x.x, and routed correctly. 2) If the firewall itself attempts to connect to www.google.com (such as a ping from the console). The source address would be 172.20.1.2, which can easiely make it to the next hop 172.20.1.1, but that router does what is proper and drops the packet, because the source is not a publicly routable address. This is a common scenario for router-to-router connections to be on private addresses so as to not waste public ip-addresses. When I was asked about this, I agreed. It seemed a good idea to me that connections from the internet could never be made to the firewall itself. I just neglected to think about the firewall making connections out from it' s own address. With my previous FortiGate unit I didn' t do any anti-spam, anti-virus, or web filtering, so the firewall never needed to initiate connections to the internet, only NAT connections as they passed through. So...The oversight is on my part, but I was hoping there could be a solution at the firewall. The proper alternative is for me to pull out a /30 subnet from my public addresses and use that for the router-to-firewall connection, or to simply not use the web filtering and anti-spam features. I don' t need the anti-spam anyway and not sure if the web filtering will be of much benifit either, I just wanted to test it.
    rwpatterson
    rwpatterson
    New Member
    February 21, 2007
    If you have the spare subnets, route them inward, and set up the router-Fortigate LAN with a public IP. That' s how we do it.
    A
    Anonymous_UserAuthor
    Contributor
    February 21, 2007
    Oh ok. I see. Your border router isn' t NAT' ing. That is the part I was missing. I agree with you, routing a /30 and using that for your public is the right answer. Or you could setup NAT on the border router just for the serial interface of the firewall. The Spam filtering really isn' t that great but the web-filtering is awesome. Nick
    A
    Anonymous_UserAuthor
    Contributor
    February 21, 2007
    Ok thanks for your input guys.
    Terms & ConditionsAccessibility statement