How to put two ports on the same network?

Hi Cos, I don' t think you can achieve what you are trying to do. I believe (but not completely sure) that you can either have the whole unit in transparent mode or in NAT/Route mode. In transparent mode, all interfaces are on the same subnet. This is no good for your internal network. In NAT/Route mode all interfaces must be on seperate subnets. No good for your server/internet connection. However there are ways around it. By far your best option is to put your server on a new private address and use a VIP on the fortigate to map this to the required RIPE address. This is definately best practice for connecting machines to teh internet for public access. If for some reason you really can' t do this, you can create a new VDOM in transparent mode. In effect you then have two totally seperate firewalls, on can be used for the server and the other for the lan to server/intenet side. This method is complex and not really advised on a 50 due to memory limitations. Jon

Why would you need another switch in the mix? After the T-1 is terminated to good old Ethernet, plug it into the FortiGate and go! Realistically, there is no need to map every PC to a RIPE/ARIN IP address. The Fortigate will NAT the outgoing traffic for you. Save those public IPs for future expansion. Once you have the T-1 plugged in (assuming to the WAN port), and the switch with all your devices as well (internal here), just create a virtual IP to map that ' public' server from a RIPE/ARIN IP to the internal IP address. Make sure in any policy that faces the Internet, you check off the NAT box, or you won' t get far. If the ' public' server is on a third subnet, stick it on the DMZ port, and move the virtual IP definition there instead. Good luck

Jon: No good. The public server needs to be accessed from both inside and outside our office. If we put it on the internal network, it would get NATed, and people in the office would need to use a private IP to access it. A majority of them use laptops which they bring into and out of the office. A solution which forces them to change their DNS configuration every time they enter or leave the office, or frob /etc/hosts, or use a totally different set of bookmarks (with virtual web servers answering to the different names), is just too annoying. I want to rely on DNS to give the IP of the public server, and everyone to be able to use DNS to access it, regardless of whether they' re in or out of the office. Bob: Of course " there is no need to map every PC to a RIPE/ARIN IP address" - we just want to do this for *one* server. See my response to Jon, above, for why putting it on the internal net and NATing is not a good solution. Ideally, yes, a DMZ would be the right thing to do. Unfortunately our T1 ISP makes it difficult to split up our public IPs into more than one subnet, and we' d lose some support if we did that. And really the only reason we' d need a DMZ is to make it easier to configure the firewall; other than that, we don' t mind putting the public server on the front network.

Create a new Virtual Domain and put the public server on the lan side of that. The Fortigate will treat it as if it' s a completely separate physical box.

I need to test this, but you can create a VIP on both the public and the LAn side that point to teh same address. Give me a hour or so to prove this.

Yes that works, you can have the server on an RFC address and create theVIP for theexternal interface and a VIP for the LAN interface. That way anyone typing in the RIPE address for the server will get to it.

No it won' t VIP and NAT only happen once traffic passes through the FG, you need to set it up on a seperate network, and also for security you should do. Imagine a compromise of the server through some unknown means. If it is on your LAN you are wide open. This way you can be specific about what access is allowed back into teh LAN from your server and tie that down as well.

Hi! Actually you can do this with VIP' s. Just define your internal network. then define another (independent) DMZ network for your server. Create a VIP on the external interface and write a policy from " all" to the VIP (so that your server is public). Then define a NAT Policy for your clients from internal to WAN (both policies including the desired services). Now you can connect tho the VIP from internal and wan. On the other hand, you can ope this with routing (had to use it with Netscreen/Juniper devices, since they do not support this *loopback-pat* or whatever you call it.) ut this needs a bit of cooperation of your internat provider. Let' s start off with a simple configuration. your public ip' s (example) 11.2.3.16-31 .16 -Network adress, unusable .17 Router of ISP .18 Your FG .19 - .30 spare .31 - Broadcast adress, don' t use! let' s split this /28 network in two /29 subnets. One is located between the FG and the ISP Router and one is located between your server and your DMZ interface. What' s to change: * change the Netmask of your external interface to /29. * change the ip of the DMZ interface to some IP of the second half, excluding the first and last. (in our exaple 11.2.3.25-30 would be possible, let' s take .25) * change the ip of your server to any other spare from the second subnet. let' s take .26 * default GW of your server is your FG then (.25 !!!) * On ISP' s router: change the netmask from /28 to /29 and write a static route that the Network 10.3.2.24/29 is reachable via gateway 11.3.2.18 (Your external interface of the FG) your public ip' s (example) 11.2.3.16-23 .16 -Network adress, unusable .17 Router of ISP .18 Your FG .19 - .22 spare .23 - Broadcast adress, don' t use! AND your public ip' s (example) 11.2.3.24-31 .24 -Network adress, unusable .25 Your FG' s DMZ Interface .26 Your Server .27 - .30 spare .31 - Broadcast adress, don' t use! That' s it.

A much simpler solution is to use an ip pool on your outgoing rules. Step 1. Create your VIP: Name External Interface Static nat External Address Internal Address Port forwarding if you' re restricting ports... Step 2 Create an ip pool Outgoing Users -> start ip - end ip Give this an external ip address DIFFERENT from the extenal address on your VIP Step 3 Create a policy from Wan -> Internal all - VIP Name - always - any - protection profile - accept Enable NAT if it' s not an smtp server Step 4 Create a policy from Internal -> Wan all users - any always any (unless you restrict outgoing ports) protection profile ... Click NAT and click DYNAMIC IP POOL and select the Outgoing Users pool. This makes your users use an ip address different from your external address. You do not need to bind this address - the Fortigate will figure it out. This allows access to the VIP external addy from any internal addy.

Not sure if i am missing the plot here, but whats wrong with just using vip/nat and having the server in the DMZ port using private ip range thats different to the private lan range? this is the normal setup, and i know of no reason why you shouldnt do that, unless there is some app on the server that insists on using the real public ip address, which is rare nowadays. Using this normal setup, the client pc' s would be able to access the server using the public IP OR the DMZ private ip address. Wheres the problem with that? sorry if i have misunderstood a post somewhere..