DariBren
New Contributor

How to: Configure NAT 1:1 from one of the WAN IPs to LAN1 address

Hello,

I am new to your products.
One of the companies I follow informed me that the ISP assigned an extra new pool of IPs to the router, 93.39.x.x/29, and asked me to redirect all the incoming traffic from one of these addresses to the local 192.168.4.181.

I tried to follow some suggestions I found on Google but nothing worked.
Now I went back to the starting situation: the WAN interface uses as its primary address one that has nothing to do with 93.39.x.x/29.

Can you guys point me in the right direction?
Do I have to set a secondary IP, do I have to create a VIP? I'd really appreciate a step-by-step support here, I'm kind of desperate...


TonyTaylor
New Contributor

You can use a VIP if the block lands on the interface from the ISP.
Typically this block should be routed down to the WAN interface IP. This is
the common way I have seen it. This will have to be done from the ISP
side...then you can use the IPs in a VIP and not have to assign one to the
interface.

Tony Taylor
Technical Ninja and Proprietor, Foundation Republic



stefszab
New Contributor II


IP pools, I think, is more what he needs; virtual IP if he wants DNAT.
Create an IP pool with overload, edit the policy and choose "use dynamic IP pool", and that should be all.


TonyTaylor

Reads like a VIP to me, but maybe I misread.

Do you need to redirect, as an example, TCP/80 to the 192.168.4.181 addy?
If so, then, unless I have been doing it wrong for years, you need a VIP
attached to the inbound flow from WAN > Internal (wherever 192.168.4.x lives).



Tony Taylor
Technical Ninja and Proprietor, Foundation Republic


stefszab
New Contributor II

Yes, you’re right, he needs DNAT for 192.168.4.181.

Take one IP from the pool, the first or the last, as a VIP and map it to the internal 192.168.4.181 - DNAT.
The rest of the range can be used for NAT - IP pool with overload.

The question is why the ISP asked you to do that? What services do you have on 192.168.4.181?
With a VIP you need to create one entry for every service that you have on that internal IP, and after that make a group, then create a policy…etc.
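
The per-service VIP entries, VIP group and WAN-to-internal policy described in this thread, written out as an added FortiOS CLI example that is not part of any poster's reply. The interface names `wan1` and `lan1`, all object names and the choice of TCP/80 and TCP/443 as the published services are assumptions, and `<POOL_IP>` is a placeholder for the address picked from the ISP's /29.

```fortios
# Added example. Lines starting with # are annotations.
# Port-forward VIPs publish only the listed ports of 192.168.4.181,
# instead of mapping every port of the public address to the host.
config firewall vip
    edit "srv181-http"
        set extintf "wan1"
        set extip <POOL_IP>
        set mappedip "192.168.4.181"
        set portforward enable
        set protocol tcp
        set extport 80
        set mappedport 80
    next
    edit "srv181-https"
        set extintf "wan1"
        set extip <POOL_IP>
        set mappedip "192.168.4.181"
        set portforward enable
        set protocol tcp
        set extport 443
        set mappedport 443
    next
end

# Group the per-service entries so one policy covers them.
config firewall vipgrp
    edit "srv181-services"
        set interface "wan1"
        set member "srv181-http" "srv181-https"
    next
end

# Inbound policy: the VIP group is the destination address.
# Limit the service list to what is published and log the traffic.
config firewall policy
    edit 0
        set name "wan-to-srv181"
        set srcintf "wan1"
        set dstintf "lan1"
        set srcaddr "all"
        set dstaddr "srv181-services"
        set action accept
        set schedule "always"
        set service "HTTP" "HTTPS"
        set logtraffic all
    next
end
```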