bzh87
Explorer
February 15, 2022
Solved

port forwarding natting using outside interface that is private ip?

  • February 15, 2022
  • 5 replies
  • 7167 views

In my setup the firewall's outside interface uses a private IP, as my ISP router forwards my public IPs toward my private outside interface. My existing firewall is a Cisco ASA, and it has a NAT rule that does port forwarding using the outside interface, which is a private IP, "192.168.10.2". I need to move this port forwarding rule to my new FortiGate, which will replace my ASA. So in order to do this, should I put my private outside interface IP in "external IP" and my internal server IP in "mapped IP"?

Best answer by Toshi_Esumi

The external IP of a VIP should be the public IP that the incoming packets have as the destination address, regardless what the incoming interface IP is. Then the VIP would map it to the local server IP.

 

Toshi

5 replies


bzh87 (Author)
Explorer
February 15, 2022

See, my outside interface IP, for example "192.168.10.2", gets NATted into "195.1.1.1" when it goes to my ISP router, so when 195.1.1.1 comes to my ISP router it will be turned into 192.168.10.2, which is my outside interface. So I don't think 195.1.1.1 actually hits my interface? Also, in the Cisco ASA the NAT rule shows source any and destination my outside interface.

Toshi_Esumi
SuperUser
February 15, 2022

Ok, misread. I thought your ISP just forwarded them without NATing.

The corrected statement should be "The external IP of a VIP should be the IP that the incoming packets have as the destination address when they arrive at the FGT..." So the interface IP, then.

bzh87 (Author)
Explorer
February 15, 2022

Yeah, but this is the case for my outside private interface. As for the rest of my public subnet, the ISP seems to route it toward my private outside interface, as at the moment the ASA has NAT rules that use the public IPs.

This is the reason behind my confusion.

Toshi_Esumi
SuperUser
February 15, 2022

Those are two different paths for packets coming from outside. You need to treat them accordingly. But you already know exactly how they're working on the ASA and how they would be working on the FGT. Just try it, trusting your instincts, then adjust it if it doesn't work. Or ask others at that time.

bzh87 (Author)
Explorer
February 16, 2022

Just to make sure I'm converting correctly, I attached a snap of both rules, on the ASA and on the FGT. Please correct me if I'm wrong. The ASA service bracket has a specific port as source and any port as destination.

[Two screenshots attached: the ASA NAT rule and the FGT VIP/policy]

Toshi_Esumi
SuperUser
February 16, 2022

I don't know much about ASA, but I remember Cisco's 1-to-1 NAT works both ways. FortiGate's NAT is directional and separated between DNAT and SNAT. The VIP config + policy is only for out-to-in DNAT. For SNAT you need to enable it on the in-to-out policy, which uses the outgoing interface IP by default. You probably have it already, so it's good for this particular traffic for the DNAT server destination.

DNAT/VIP config itself doesn't have much to tweak other than those IPs you masked.

 

Toshi
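The two inbound paths discussed above, written out as FortiOS CLI, as an added example that is not part of the original thread or of any poster's configuration. The only values taken from the thread are the outside interface IP 192.168.10.2 and the ISP-side address 195.1.1.1; everything else is an assumption for illustration: the interface names "wan1" and "internal", the server 10.0.0.10, TCP 443 as the forwarded port, 195.1.1.5 as one of the public addresses the ISP routes (un-NATted) toward the outside interface, and the policy IDs and object names.

```fortios
# Path 1: traffic the ISP router 1:1-NATs from 195.1.1.1 to 192.168.10.2.
# The packet reaches the FGT with dst = 192.168.10.2, so that is the extip.
config firewall vip
    edit "vip-web-on-ifip"
        set extip 192.168.10.2
        set extintf "wan1"
        set portforward enable
        set protocol tcp
        set extport 443
        set mappedip "10.0.0.10"
        set mappedport 443
    next
    # Path 2: a public IP the ISP routes straight to the FGT without NAT.
    # Here the packet still carries the public dst, so the public IP is the extip.
    # 195.1.1.5 is an assumed address from the thread's public subnet.
    edit "vip-web-on-public"
        set extip 195.1.1.5
        set extintf "wan1"
        set portforward enable
        set protocol tcp
        set extport 443
        set mappedip "10.0.0.10"
        set mappedport 443
    next
end

# One out-to-in policy can reference both VIPs as destination.
# NAT stays disabled on this inbound policy: enabling it would source-NAT the
# clients to the internal interface IP and hide real client IPs from the server.
config firewall policy
    edit 10
        set name "inbound-web-dnat"
        set srcintf "wan1"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "vip-web-on-ifip" "vip-web-on-public"
        set action accept
        set schedule "always"
        set service "HTTPS"
        set nat disable
        set logtraffic all
    next
end
```

The check after applying this is to hit 195.1.1.1:443 from outside and confirm with `diagnose sniffer packet wan1 'port 443' 4` that the packet arrives with destination 192.168.10.2 (the NATted path), and to hit 195.1.1.5:443 and confirm it arrives with destination 195.1.1.5 (the routed path). If a path does not match its VIP, the destination address seen in the sniffer is the one that belongs in that VIP's extip.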

bzh87 (Author)
Explorer
February 20, 2022

If I want to make an IP go out with a specific public IP, do I create a rule from inside to outside, enable NAT, choose dynamic IP pool, and set that IP, for example 195.1.1.1-195.1.1.1, as in the picture below?

[Screenshot attached: the FGT inside-to-outside policy with the IP pool]

Toshi_Esumi
SuperUser
February 20, 2022

You are correct. Since you have only one internal IP, overload would work as well.
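The outbound half described in the last two posts, as an added FortiOS CLI example that is not part of the original thread or of any poster's configuration. The pool address 195.1.1.1 is taken from the thread; the interface names "wan1" and "internal", the server 10.0.0.10, and the object names and policy ID are assumptions for illustration. It assumes, as the thread states for the rest of the public subnet, that the ISP router routes 195.1.1.1 toward the FortiGate's outside interface so return traffic for the pool address actually comes back.

```fortios
# The internal host that must leave with a fixed public source address.
config firewall address
    edit "srv-web"
        set subnet 10.0.0.10 255.255.255.255
    next
end

# A single-address pool. "overload" (PAT) is fine for one internal host, as the
# answer above notes; "one-to-one" would also work and preserves source ports,
# but then only one internal IP can use the pool at a time.
config firewall ippool
    edit "pool-195.1.1.1"
        set type overload
        set startip 195.1.1.1
        set endip 195.1.1.1
    next
end

# in-to-out policy: SNAT is enabled here, and the pool overrides the default
# behaviour of using the outgoing interface IP (192.168.10.2).
config firewall policy
    edit 11
        set name "srv-web-outbound-snat"
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "srv-web"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
        set ippool enable
        set poolname "pool-195.1.1.1"
        set logtraffic all
    next
end
```

Policy order matters: this policy must sit above any broader internal-to-wan1 policy that also matches 10.0.0.10, otherwise the host is NATted to the interface IP by the earlier match. `diagnose sniffer packet wan1 'host 195.1.1.1' 4` during an outbound connection from the server confirms the source address actually used.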