Skip to main content
Old_Gregg
Old_Gregg
New Member
June 7, 2015
Solved

Fortigate 300C/100D inbound routing to DMZ

  • June 7, 2015
  • 4 replies
  • 5633 views

Hi,

I'm deploying one each of the above mentioned box. Both will essentially have the same setup, so I'll stick to the 300C for now. My question relates to inbound routing to the DMZ and what Fortinet best practice would be, I don't see anything specifically related to it in the literature I've read through so far. It's a Single WAN connected to the carrier via a /30 point to point link. The box also has a /27 subnet to play with which the carrier advertises for us. My intention is to use the /27 subnet for inbound traffic to Web and edge servers etc. I'm not entirely convinced on how best to config the /27 (relatively new to Fortigate), perhaps a sub interface on the WAN for the /27, perhaps a new zone for the /27 subnet....I'm thinking out loud here.

I would be grateful for any suggestions.

 

Cheers.

 

B. 

    Best answer by ede_pfau

    Hi,

     

    what you're looking for is the "Virtual IP" feature in "Firewall objects". A VIP translates the destination IP address to a 'mapped' address. In order to do so, you use the VIP as a destination address in a policy from your WAN interface to the DMZ interface.

    A VIP can either be 'straight through' or port forwarding. Original and mapped-to port need not be the same so you can have port translation at the same time.

    If you have several VIPs for your DMZ if might pay off to use a VIP group. Just create VIPs and put them into a VIP group, and use that as the destination address in your incoming policy.

    The VIP construct is not merely a NAT rule (more precisely: destination NAT). The FGT will proxy ARP requests for all active VIPs on the outward interface. Routing should be possible even without assigning a secondary IP to the WAN interface.

    If you have further questions after going over the Admin Guide (or the Cookbook) feel free to post them here.

    4 replies

    ede_pfau
    SuperUser
    ede_pfau
    SuperUser
    June 8, 2015

    Hi,

     

    what you're looking for is the "Virtual IP" feature in "Firewall objects". A VIP translates the destination IP address to a 'mapped' address. In order to do so, you use the VIP as a destination address in a policy from your WAN interface to the DMZ interface.

    A VIP can either be 'straight through' or port forwarding. Original and mapped-to port need not be the same so you can have port translation at the same time.

    If you have several VIPs for your DMZ if might pay off to use a VIP group. Just create VIPs and put them into a VIP group, and use that as the destination address in your incoming policy.

    The VIP construct is not merely a NAT rule (more precisely: destination NAT). The FGT will proxy ARP requests for all active VIPs on the outward interface. Routing should be possible even without assigning a secondary IP to the WAN interface.

    If you have further questions after going over the Admin Guide (or the Cookbook) feel free to post them here.

    ede_pfau
    SuperUser
    ede_pfauAnswer
    SuperUser
    June 8, 2015

    Hi,

     

    what you're looking for is the "Virtual IP" feature in "Firewall objects". A VIP translates the destination IP address to a 'mapped' address. In order to do so, you use the VIP as a destination address in a policy from your WAN interface to the DMZ interface.

    A VIP can either be 'straight through' or port forwarding. Original and mapped-to port need not be the same so you can have port translation at the same time.

    If you have several VIPs for your DMZ if might pay off to use a VIP group. Just create VIPs and put them into a VIP group, and use that as the destination address in your incoming policy.

    The VIP construct is not merely a NAT rule (more precisely: destination NAT). The FGT will proxy ARP requests for all active VIPs on the outward interface. Routing should be possible even without assigning a secondary IP to the WAN interface.

    If you have further questions after going over the Admin Guide (or the Cookbook) feel free to post them here.

    Old_Gregg
    Old_GreggAuthor
    New Member
    June 9, 2015

    Hi Ede,

     

    I had all the VIP's in place and configured correctly and still nothing. After some diag sniffer logs from the source and destination IP's............turns out the target server wasn't responding to the SYN requests due to the windows firewall:/. Silly me!, it's always the simple ones that catch you. (Or maybe that's just me.)

     

    Thanks for the suggestions Ede, much appreciated.

     

    B.

      

    ede_pfau
    SuperUser
    ede_pfau
    SuperUser
    June 9, 2015

    Ha ha, been there...glad it works now for you. Enjoy!

    Terms & ConditionsAccessibility statement