Cybersecurity Forum

This forum is for all security enthusiasts to discuss Fortinet's latest & evolving technologies and to connect & network with peers in the cybersecurity hemisphere. Share and learn on a broad range of topics like best practices, use cases, integrations and more. For support specific questions/resources, please visit the Support Forum or the Knowledge Base.

DariBren
New Contributor

How to: Configure NAT 1:1 from one of the WAN IPs to LAN1 address

Hello,

I am new to your products,
One of my companies I follow informed me that the ISP assigned an extra new pool of IPs to the router 93.39.x.x/29 and asked me to redirect all the incoming traffic from one of these addresses to the local 192.168.4.181

I tried to follow some suggestions I found on google but nothing worked.
Now I went back to the starting situation, the WAN interface use as primary address one that has nothing to do with 93.39.x.x/29

Can you guys point me in the right direction?
Do I have to set a secondary IP, do I have to create a VIP? I'd really appreciate a step-by-step support here, I'm kind of desperate...


1 Solution
stefszab
New Contributor II

yes you’re right he needs DNAT for 192.168.4.181

take one ip from the pool, the first or the last VIP and map with internal 192.168.4.181 - DNAT
the rest of the range can be used for NAT - ip pool with overload.

the question is why the ISP asked you to do that?what services do you have on 192.168.4.181?
with VIP you need to creat one entry for every service that you have on that internal ip, and after that make a group, then create policy…etc.

View solution in original post

4 REPLIES 4
TonyTaylor
New Contributor

You can use a VIP if the block lands on the interface from the ISP.
Typically this block should be routed down to the WAN interface IP. This is
the common way I have seen it. This will have to be done from the ISP
side...then you can use the IPs in a VIP and not have to assign one to the
interface.

Tony Taylor
Technical Ninja and Proprietor, Foundation Republic



stefszab
New Contributor II


ip pools i think is more what he needs, virtual if he wants DNAT.
creat ip pool with overload, edit policy and choose use dynamic ip pool, and that should be all.


TonyTaylor

reads like a VIP to me, but maybe I misread.

Do you need to redirect, as an example, TCP/80 to the 192.168.4.181 addy?
If so, then, unless I have been doing it wrong for years, you need a VIP
attached the inbound flow from WAN > Internal (wherever 192.168.4.x lives)



Tony Taylor
Technical Ninja and Proprietor, Foundation Republic


stefszab
New Contributor II

yes you’re right he needs DNAT for 192.168.4.181

take one ip from the pool, the first or the last VIP and map with internal 192.168.4.181 - DNAT
the rest of the range can be used for NAT - ip pool with overload.

the question is why the ISP asked you to do that?what services do you have on 192.168.4.181?
with VIP you need to creat one entry for every service that you have on that internal ip, and after that make a group, then create policy…etc.

Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.