junglecom
New Member
April 2, 2013
Question

Help with 1-1 Static NAT

  • April 2, 2013
  • 11 replies
  • 10159 views
Hi All, I want to create a one-to-one static NAT for 2 servers through a FortiGate-VM firewall.

Server 1 VIP: (192.168.2.2) -> Server 1 Private IP: (10.0.3.2)
Server 2 VIP: (192.168.2.3) -> Server 2 Private IP: (10.0.3.3)

I can't seem to figure this out without checking the NAT option in an incoming traffic policy. Tried to follow the FortiGate documentation, but to put it nicely, it is less comprehensible for sure. Thank you!

    11 replies

    rwpatterson
    New Member
    April 2, 2013
    What you wrote looks complete to me. Just make sure you use the Virtual IP definition as the target in the policy, you should be done.
    emnoc
    New Member
    April 2, 2013
    "I can't seem to figure this out without checking the NAT option in an incoming traffic policy."
    You don't need to check/enable the NAT option when using VIPs for DNAT (inbound).
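As an added illustration of what emnoc describes (this is example configuration, not something posted in the thread), the FortiOS CLI below defines the two VIPs from the question and a single inbound policy that references them with NAT left disabled. The interface names (port1 as the VIP-facing side, port2 toward the servers), the policy ID 10, the static-route gateway 192.168.2.1 and the service list are assumptions for the example; the VIP and mapped addresses are the ones given in the question.

```fortios
# One-to-one static NAT (DNAT) with VIP objects. The mapped addresses
# come from the question; "port1"/"port2" and the gateway are assumed.
config firewall vip
    edit "vip-server1"
        set extip 192.168.2.2
        set extintf "port1"
        set mappedip 10.0.3.2
    next
    edit "vip-server2"
        set extip 192.168.2.3
        set extintf "port1"
        set mappedip 10.0.3.3
    next
end

# Inbound policy: the VIP objects are the destination, and NAT stays
# disabled so the server sees the real source address of each client.
config firewall policy
    edit 10
        set srcintf "port1"
        set dstintf "port2"
        set srcaddr "all"
        set dstaddr "vip-server1" "vip-server2"
        set action accept
        set schedule "always"
        set service "HTTP" "SSH"
        set nat disable
        set logtraffic all
    next
end

# A single default route out of the VIP-facing interface so that reply
# traffic from the servers leaves the way it came in (gateway assumed).
config router static
    edit 1
        set gateway 192.168.2.1
        set device "port1"
    next
end
```

With `set nat disable` the FortiGate only rewrites the destination (192.168.2.2 becomes 10.0.3.2); the source address of the connection is passed through unchanged, which is exactly why a host firewall on the server that only trusts the FortiGate's own address will start dropping the traffic. `set logtraffic all` is there so that the policy's accept/deny decisions show up in the forward traffic log while troubleshooting.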
    ede_pfau
    SuperUser
    April 2, 2013
    This is a direct crosspost from http://support.fortinet.com/forum/tm.asp?m=95662 I think we should discuss the matter in the original thread. OP has not answered my question about routing yet.
    junglecom
    Author
    New Member
    April 3, 2013
    Yeah, originally it was intended as a log question but quickly turned into a configuration question. I apologize.
    junglecom
    Author
    New Member
    April 3, 2013
    The only way I can access the server from a public IP address is to check the NAT box on the policy. If I uncheck it I can no longer access the server (SSH or HTTP). What could I be doing wrong here? Please see my original thread for all the details: http://support.fortinet.com/forum/tm.asp?m=95662
    emnoc
    New Member
    April 3, 2013
    Your answer is in your route table and here in the other thread: create one default route to this port. Remove that 2nd route, remove your checked NAT-enable block, and you should be golden.
    emnoc
    New Member
    April 4, 2013
    Well, you have 2 posts going on; you made changes from the original start of this thread, and you didn't heed our earlier suggestion & guidance. If you have the VIP set up correctly, you don't need NAT enabled. A photo says a thousand words; so what is it, port 1 or port 2?
    junglecom
    Author
    New Member
    April 4, 2013
    Sorry, I started my config over, removing all unnecessary IPs, since I still am unable to get this working. Below are all my settings, simplified (reposted). Anyone see what I am missing here? Thank you very much for your help! (VIP updated)
    emnoc
    New Member
    April 5, 2013
    diag debug flow is your friend; try it and see what it tells you :)
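As an added example of the troubleshooting step emnoc suggests (not commands posted in the thread), this is a typical FortiOS flow-trace session for one of the servers from the question. The debug flow output shows, hop by hop, which interface a packet arrived on, which route and policy matched it, and what DNAT was applied, so it distinguishes a FortiGate policy/route problem from a drop on the server itself. The interface name port2, the server address 10.0.3.2 and the packet count are assumptions for the example.

```fortios
# Start from a clean debug state so old filters do not hide traffic.
diagnose debug reset
diagnose debug flow filter clear

# Trace only packets to/from the first server (address from the question).
diagnose debug flow filter addr 10.0.3.2
diagnose debug flow show console enable
diagnose debug flow trace start 50
diagnose debug enable

# ... now open the SSH/HTTP test connection to the VIP 192.168.2.2 ...
# A healthy trace reports the inbound interface, "find a route",
# "Allowed by Policy-<id>" and "DNAT 192.168.2.2->10.0.3.2".
# If those lines appear but the session never completes, the
# FortiGate did its job and the drop is beyond it (e.g. on the server).

# Confirm at packet level what actually leaves toward the server
# (port2 is assumed; verbosity 4 prints interface names with each packet).
diagnose sniffer packet port2 'host 10.0.3.2 and (port 22 or port 80)' 4

# Always stop the trace afterwards; debug output is costly on a busy box.
diagnose debug disable
diagnose debug reset
```

Reading the two outputs together is the useful part: if the sniffer shows SYNs arriving at the server with the client's original public source address and no SYN-ACK coming back, the FortiGate forwarded correctly and the next place to look is the server's own host firewall, which is what turned out to be the cause in this thread.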
    junglecom
    Author
    New Member
    April 10, 2013
    Sorry for being a nitwit here but figured out the issue. Rule number #1 of IT: Always check the firewall of the server first. My co-worker, unknown to me, had set iptables to only accept traffic from fortigate private ip address. This is why i could access with incoming NAT turned on and not with it OFF. Cause the source IP would change to the original public IP of the source traffic. Thank you all for your help with this.