Fortinet Forum
alexm3
New Contributor

NAT from one computer to another

Good afternoon! 

 

I am a networking rookie currently working with a Fortigate 80F, and am trying to understand how NAT works. I have two computers connected to the router with static IP addresses of 192.168.1.1 (PC1) and 192.168.1.101 (PC2). I am looking to set something basic up in which I can ping a virtual IP address (let's say 192.168.50.1) on PC1, and this will translate to PC2's IP address and get a reply back from PC2. I set up a Virtual IP to do this on PC1, and still have all interfaces on the hardware switch. I didn't get any response from the ping. I also added an IPv4 policy to allow traffic from the internal switch through that pings the VIP, but this also didn't work. Am I missing something here? I'm confused as to why this isn't working. I would really appreciate any insights anyone can provide!

1 Solution
Toshi_Esumi
Esteemed Contributor II

You should try two PCs on two different interfaces. I don't know if an 80F has hard-switch like "internal" to combine all LAN ports. But if so, you should break them into individual ports like internal1 and internal2. Then assign different subnets to each interface and connect a PC to one port.

So that it's easy to understand which interface is external and which is internal in terms of VIP, which is described in cookbooks and other documents.



alexm3
New Contributor

Thanks for your helpful reply! I am still having some trouble unfortunately. I did what you said and removed interface3 and interface4 from the hardware switch and gave them their own subnets (192.168.2.0/24 and 192.168.3.0/24 respectively). I was using the following post to try and do my NATing:

https://forum.fortinet.com/tm.aspx?m=136309

 

I followed that post exactly, just using internal on both sides instead of having a side that faced the internet, and am still having no luck. Would the NATing still look like the above post when you have two private IP addresses on both the internal and external sides? Or does this require something different?

Toshi_Esumi
Esteemed Contributor II

My guess is you didn't set a set of policies right. CLI is easier to examine. Get in CLI via console, ssh, or CLI on GUI. Then,

  config firewall policy

  show | grep -f interface3 (I'm not sure this is the correct interface name. 60F has internal1, internal2, ...)

Then show us the pair of policies you created in GUI.

alexm3

Here is the policy I created for the router. The idea here is to use NAT to communicate to another PC using a simple routed address. I realize this structure may not make sense, as the computers could communicate already given their IP addresses, but I wanted to use this as a learning exercise. If it helps, here is the diagram of what I am trying to do:

I really appreciate any help you can give me! Thank you so much in advance

alexm3

I realize the images may not have shown up on the previous post. Here's the firewall policy

alexm3
New Contributor

Here's a diagram to ensure you know what I'm trying to do

 

Toshi_Esumi
Esteemed Contributor II

First, you should be able to copy & paste text.

I thought you changed the subnets with 192.168.2 and .3. The diagram is showing the old IPs.

The policies look right. So next is:

  show firewall vip

  show firewall ippool

I'm assuming you have only one vip and ippool.

alexm3

Hi Toshi. Ah I think I do see at least one issue currently. I didn't change the IPs on the computers, just on the internal3 and internal4 interfaces themselves. Is this an issue? Do I need to have the PC plugged into internal3 to have a 2.x address and the PC plugged into internal4 to have a 3.x address?

 

Here's the output of the policies:

 

config firewall vip
    edit "RSM1"
        set uuid 2719d366-3cdd-51ec-ba44-29057e035375
        set extip 192.168.50.1
        set extintf "any"
        set mappedip "192.168.1.101"
    next
end

 

config firewall ippool
    edit "R1IPpool"
        set type one-to-one
        set startip 192.168.1.1
        set endip 192.168.1.1
    next
end
rwpatterson
Valued Contributor III

alexm3 wrote:

Here's a diagram to ensure you know what I'm trying to do

 

In your diagram, PC 2 cannot be on a different interface if the subnet mask is a class C (24 bit).

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
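To put the advice in this thread together, here is an added FortiOS CLI example (written for this page, not posted by anyone in the thread) of the two-interface layout: PC1 on internal3 (192.168.2.0/24), PC2 on internal4 (192.168.3.0/24), a VIP mapping 192.168.50.1 to PC2, and the policy that lets PC1 reach it. The interface names, the PC addresses 192.168.2.10 and 192.168.3.10, and the policy name are assumptions.

```fortios
# Interfaces after taking internal3/internal4 out of the hardware switch
# (assumed port names; confirm with "show system interface")
config system interface
    edit "internal3"
        set ip 192.168.2.1 255.255.255.0
        set allowaccess ping
    next
    edit "internal4"
        set ip 192.168.3.1 255.255.255.0
        set allowaccess ping
    next
end

# PC1 must be readdressed to 192.168.2.10/24 (gateway 192.168.2.1) and
# PC2 to 192.168.3.10/24 (gateway 192.168.3.1); constructed addresses.
# A PC still on 192.168.1.x cannot be reached through these interfaces.
# With both PCs on one switch, PC2's reply would go straight to PC1 on
# the shared subnet and never return through the FortiGate to be
# un-translated, which is why the two-interface layout is used.

# VIP: packets PC1 sends to 192.168.50.1 are DNATed to PC2.
# extintf is the interface the original packet arrives on (PC1's side),
# and mappedip is PC2's address in its new subnet.
config firewall vip
    edit "RSM1"
        set extip 192.168.50.1
        set extintf "internal3"
        set mappedip "192.168.3.10"
    next
end

# Policy from PC1's interface to PC2's interface with the VIP as the
# destination. "set nat disable" leaves PC1's source address untouched;
# no IP pool is needed for a plain destination NAT like this one.
config firewall policy
    edit 0
        set name "PC1-to-PC2-via-VIP"
        set srcintf "internal3"
        set dstintf "internal4"
        set srcaddr "all"
        set dstaddr "RSM1"
        set action accept
        set schedule "always"
        set service "PING"
        set nat disable
    next
end

# Check while pinging 192.168.50.1 from PC1:
#   diagnose sniffer packet any "host 192.168.50.1 or host 192.168.3.10" 4
#   diagnose sys session list
```

The sniffer should show the ICMP request arriving on internal3 for 192.168.50.1 and leaving internal4 for 192.168.3.10, with the reply translated back on the way out to PC1.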