bennethos
New Contributor

Fortigate 60-E nat issues

 

Hi,

 

I'm new to fortinet and need some assistance getting the NAT to work.

Got a modem/router in front of the fortigate that is not bridged to the fortinet, but I was able to "expose" all ports to the fortinet. Configured 2 nat rules (vip), one for ssh and one for RDP

 

I guess I should start by sending you the configfile ? Would somebody be so kind to share what you guys need to help me out ?

 

thank you

6 REPLIES 6
ede_pfau
Esteemed Contributor III

hi,

and welcome to the forums.

You seem to have forgotten to state what your problem is.

In one location I run a FGT as "exposed host" behind a NAT DSL router - no problems at all.


Ede

"Kernel panic: Aiee, killing interrupt handler!"
bennethos

 

 

If you cant the fortinet VIP's I created as 2nd nat , then yes I'm using double NAT

My problem is simple, I can't reach my hosts through portforwarding (exposed host) and the fortinet VIPS

 

 

Internet

    I

VDSL router/modem 192.168.178.254 (exposed all ports in this modem, to the WAN 1 interface of fortinet)

    I

WAN 1 192.168.178.253

    I

created a VIP for testing purposes : 

 

network interface WAN1

Type STATIC NAT (can't change this)

External IP : 192.168.178.253 (WAN1 ip, zone WAN)

Internal IP : 192.168.1.22 (zone LAN)

port 22 for all (external and map to = same)

 

created policy from zone WAN to zone LAN for SSH port 22  

 

problem is that I get a timeout and i need some help troubleshooting this.

 

thank you

brycemd

"created policy from zone WAN to zone LAN for SSH port 22"

 

Did you select the VIP as the destination? If you aren't familiar with FortiGate, it might make sense to create a regular firewall rule to allow the traffic. But, the destination needs to be the VIP itself.

 

Other than that, try with 0.0.0.0 as the external IP in the VIP(this requires you to select an interface other than 'any')

Retro
New Contributor

Hi bennthos

 

When you say that you are no using a bridge does that mean that you are using double NAT?

 

- Retro

 

 

 

Itguy
New Contributor

You either bridge the modem/router, or you run Fortinet in transparent mode.

 

Simple really.

ede_pfau
Esteemed Contributor III

This looks too complicated...as I posted I run the same setup as you - FritzBox to the internet, LAN1 to WAN1 on FGT, an intermediate network like your 192.168.1.x, "exposed host" on FB. Works very well.

 

Some hints:

 

Check carefully that you have put the VIP as the destination address into the policy 'wan1' -> 'lan'.

 

Do not specify a port translation even if it's port 22 to port 22. If you do, ping won't work (as it doesn't use ports) and you could have the impression that the VIP isn't working. Narrow down your security in the policy.

 

Follow @brycemd's advice and use the wildcard '0.0.0.0' for the external address in the VIP. It will match whichever public IP the FB will have at any time.

 

Let the FB do the DynDNS provisioning - it monitors the WAN line and will notify the DDNS server reliably.


Ede

"Kernel panic: Aiee, killing interrupt handler!"