bbeverag
New Member
January 19, 2016
Question

Firewall -> source and dnat

  • January 19, 2016
  • 2 replies
  • 7406 views

I have two vdoms that are connected by an inter-vdom link.  To simplify the description, vdom 1 is 10.0.0.0/8 and vdom 2 is 192.168.0.0/21.  We have a static route defined on each to route properly, and each is the default originator for its network.  There are a number of firewall rules defined on each of these vdoms to only allow specific traffic from the other into themselves.  In essence, they both allow all traffic outbound to the other but filter the inbound.


The organization with vdom 1 has now added subnets in 192.168.0.0/21 to their network, so we now have to NAT the traffic from vdom 2.  I am having trouble figuring out the best way to do this with the FortiGate while still retaining the protections put in place by the firewall.  Initially I thought that a VIP that would simply map something like 10.192.0.0/21 to 192.168.0.0/21 would work, but I believe that I lose all of my other firewall protections if I use a pool of that size.  Likewise, I cannot configure that large VIP pool as a last rule and then other VIPs that are a subset, as I get a duplicate address defined.  This is a problem in the instance where I would like to allow all ICMP traffic but then limit host 1 to RDP and host 2 to SSH, for example.


Any pointers would be greatly appreciated.  

    2 replies

    JohnAgora
    New Member
    January 20, 2016

    What about using NAT and another private ip range (172.16.0.0/12 or the rest of 192.168.0.0/16)?

    Also, some diagrams may help to have a more clear scenario.

    bbeverag (Author)
    New Member
    January 21, 2016

    Attached is a diagram.  The green item is the one that is added.  All I want to do is map IPs on vdom2 into another range in a static 1:1 manner.  192.168.1.1 becomes 10.192.1.1, 192.168.1.2 becomes 10.192.1.2, etc.  It's pretty easy to accomplish this on other platforms, so I am assuming I am just missing something in FortiOS.

    ede_pfau
    SuperUser
    January 22, 2016

    Still not clear what you want to achieve, sorry. The diagram doesn't really help :)

    Do you want to NAT the destination IPs, or the source IPs?

    If you have overlapping NAT pools then you could use a VIP group with several /22 VIPs, for instance. Mapping one subnet to another 1:1 is nothing special, just a VIP.

    bbeverag (Author)
    New Member
    January 22, 2016

    Each VIP would then be subject to the same firewall rule though, right?  How can I make a large VIP range and use multiple firewall rules on subsets of it?
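The thread never settles how to pair a single /21 static 1:1 mapping with per-host service rules, so here is a small model of the concept, added as an example and not code from the original thread or from Fortinet. It is a generic netmap-plus-policy evaluator in Python, not FortiOS configuration: the prefixes, host addresses and rule set are constructed from the poster's description (10.192.0.0/21 mapped 1:1 onto 192.168.0.0/21, ICMP allowed everywhere, RDP only to host 1, SSH only to host 2), and the rule order, which is first-match with an explicit deny at the end, is an assumption about how the policy should be written rather than a statement about any particular firewall.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed from the thread: the real range in vdom 2 and the range that
# vdom 1 will address it by. Any two prefixes of equal length would do.
REAL_NET = ipaddress.ip_network("192.168.0.0/21")
NAT_NET = ipaddress.ip_network("10.192.0.0/21")


def translate(addr, from_net, to_net):
    """Static 1:1 (netmap) translation: keep the host bits, swap the prefix."""
    a = ipaddress.ip_address(addr)
    if a not in from_net:
        raise ValueError(f"{a} is not inside {from_net}")
    if from_net.prefixlen != to_net.prefixlen:
        raise ValueError("netmap needs prefixes of equal length")
    host_bits = int(a) - int(from_net.network_address)
    return ipaddress.ip_address(int(to_net.network_address) + host_bits)


@dataclass
class Rule:
    name: str
    dst: ipaddress.IPv4Network   # matched against the real (post-NAT) address
    proto: str                   # "tcp", "udp", "icmp" or "any"
    port: Optional[int]          # None means any port
    action: str                  # "accept" or "deny"


# Constructed policy set mirroring the poster's wish list. Rules are evaluated
# top to bottom, first match wins, and the last rule denies whatever remains
# of the mapped range so the broad 1:1 mapping does not become a broad allow.
POLICY = [
    Rule("icmp-any", REAL_NET, "icmp", None, "accept"),
    Rule("rdp-host1", ipaddress.ip_network("192.168.1.1/32"), "tcp", 3389, "accept"),
    Rule("ssh-host2", ipaddress.ip_network("192.168.1.2/32"), "tcp", 22, "accept"),
    Rule("deny-rest", REAL_NET, "any", None, "deny"),
]


def evaluate(dst_seen_by_vdom1, proto, port):
    """Translate the destination vdom 1 used, then take the first matching rule.

    Returns (rule name, action, real destination) so a reviewer can see which
    rule decided the flow and which host it actually reached.
    """
    real = translate(dst_seen_by_vdom1, NAT_NET, REAL_NET)
    for r in POLICY:
        if real in r.dst and r.proto in ("any", proto) and r.port in (None, port):
            return r.name, r.action, str(real)
    return "implicit-deny", "deny", str(real)


if __name__ == "__main__":
    for dst, proto, port in [("10.192.1.1", "tcp", 3389),
                             ("10.192.1.2", "tcp", 3389),
                             ("10.192.1.2", "tcp", 22),
                             ("10.192.5.7", "icmp", None)]:
        print(dst, proto, port, "->", evaluate(dst, proto, port))
```

The point the model makes is the one the last reply asks about: the size of the address mapping and the granularity of the filtering are separate decisions. One mapping covers the whole /21, while the rules match on the translated address with narrower destinations and services, and the closing deny keeps anything the narrow rules did not name from riding on the broad mapping. Whether a given platform lets a single VIP object be referenced by several policies in this way is exactly what the thread leaves open, so check that against the vendor documentation rather than this model.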