Description
This article describes how to configure port translation (port forwarding) with a Virtual IP (VIP) without modifying the IP address.
Starting with the FortiOS 6.0.0 release, configuring a VIP of type static-nat with the same external and mapped IP address but a different external and mapped port fails with the error message 'Static NAT's extip should be different from mappedip.'
Example (FortiOS 5.6.12) – Configure port translation as static-nat type (default type setting)
FortiGate5_6_12 (testVIP) # show
# config firewall vip
edit "testVIP"
set extip 1.1.1.1
set extintf "any"
set portforward enable
set mappedip "1.1.1.1"
set extport 222
set mappedport 22
next
end
Example (FortiOS 6.0.0) – It is not possible to configure port translation as static-nat type (default type setting)
FortiGate6_0_0 (testVIP) # show
# config firewall vip
edit "testVIP"
set type load-balance
set extip 1.1.1.1
set extintf "any"
set portforward enable
set mappedip "1.1.1.1"
set extport 222
set mappedport 22
next
end
FortiGate6_0_0 (testVIP) # next
Static NAT's extip should be different from mappedip.
object check operator error, -8, discard the setting
Command fail. Return code 1
Solution
When the FortiGate VIP is set to type load-balance, the same settings are accepted:
# config firewall vip
edit "testVIP"
set type load-balance
set extip 1.1.1.1
set arp-reply disable
set extintf "any"
set portforward enable
set mappedip "1.1.1.1"
set extport 222
set mappedport 22
next
end
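To find VIPs in a configuration backup that match the condition in the error message above before upgrading from 5.6 to 6.0, the check below can be used. It is an added example, not Fortinet code; the function names and the sample configuration are constructed, and it assumes extip and mappedip are written as single addresses so that a string comparison is sufficient.

```python
# Constructed sample of a FortiOS config backup (not from a real device).
SAMPLE_CONFIG = """
config firewall vip
    edit "testVIP"
        set extip 1.1.1.1
        set extintf "any"
        set portforward enable
        set mappedip "1.1.1.1"
        set extport 222
        set mappedport 22
    next
    edit "lbVIP"
        set type load-balance
        set extip 1.1.1.1
        set mappedip "1.1.1.1"
    next
    edit "webVIP"
        set extip 2.2.2.2
        set mappedip "10.0.0.5"
    next
end
"""

def parse_vips(text):
    """Return {vip_name: {setting: value}} from the 'config firewall vip' section."""
    vips, name, depth = {}, None, 0
    for raw in text.splitlines():
        line = raw.strip().lstrip("#").strip()  # tolerate a leading CLI '#'
        if line.startswith("config "):
            depth = depth + 1 if depth else int(line == "config firewall vip")
        elif line == "end" and depth:  # also closes nested blocks such as realservers
            depth -= 1
        elif depth == 1 and line.startswith("edit "):
            name = line[5:].strip().strip('"')
            vips[name] = {}
        elif depth == 1 and line == "next":
            name = None
        elif depth == 1 and name and line.startswith("set "):
            _, key, value = (line.split(None, 2) + [""])[:3]
            vips[name][key] = value.strip('"')
    return vips

def static_nat_same_ip(vips):
    """Names of VIPs of type static-nat (the default) whose extip equals mappedip."""
    return [n for n, s in vips.items()
            if s.get("type", "static-nat") == "static-nat"
            and s.get("extip") is not None and s.get("extip") == s.get("mappedip")]

if __name__ == "__main__":
    print(static_nat_same_ip(parse_vips(SAMPLE_CONFIG)))
```

Each name returned is a VIP that needs "set type load-balance" (as in the Solution above) to be accepted on FortiOS 6.0.0.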