
Created on 03-30-2009 01:16 PM
Pass through IP question
I'm not having much luck setting this up and was hoping for feedback. This was all set up before my arrival.
Our ISP's router feeds into our Fortigate-60 and is just doing straight passthrough.
The IP of WAN1 is a.b.c.2 with a netmask of 255.255.255.224.
We've split the traffic to internal (going to 192.168.a.x) and the DMZ (192.168.b.x).
Typically we NAT everything we want to show on the outside, and don't have an issue with it.
We have a router from our phone provider that needs to be set up with an external IP address and will not work with NATing.
So we've set the IP address of this device to a.b.c.28 with the 255.255.255.224 netmask and plugged it into the DMZ switch.
How can I set the Fortigate so that it will pass traffic through to that IP (specifically PPTP traffic) without NATing it?
Any help would be greatly appreciated.
3 REPLIES
Here is one way:
Create a rule:
Internal -> External
Source: 192.168.a.x
Destination: a.b.c.28
Action: Permit
NAT: unchecked
This will allow traffic from your internal network to hit the VoIP router without being translated. Please make sure that this rule appears in your rulebase ABOVE any other rule which permits traffic outbound from the 192.168.a network.
Also, you need to add the following route on your VoIP router:
Destination: 192.168.a.x
Gateway: a.b.c.2
This is needed so the router can get back to the internal network.
A Real World Fortinet Guide
Configuration Examples & Frequently Asked Questions
http://firewallguru.blogspot.com
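The policy described in this reply, written out in FortiOS CLI form. This is an added example and is not from the original post or its author. It assumes the FortiGate-60 interface names "internal" and "wan1", FortiOS 3.x/4.x CLI syntax and predefined service names (PPTP is TCP 1723; GRE carries the tunnel itself), that the existing general outbound NAT policy has ID 1, and it keeps the post's a.b.c / 192.168.a placeholders, which must be replaced with real addresses. The policy only delivers traffic to a.b.c.28 out of wan1 if that address is actually reachable on the wan1 segment; the post has the device plugged into the DMZ switch, which is the point the next reply raises. The return route on the VoIP router is configured on that device, not on the FortiGate.

```fortios
# Added example (not from the post). a.b.c.28 and 192.168.a.0 are the
# post's own placeholders; substitute real addresses before use.

# 1. Address objects for the VoIP router and the internal LAN
config firewall address
    edit "voip-router"
        set subnet a.b.c.28 255.255.255.255
    next
    edit "internal-lan"
        set subnet 192.168.a.0 255.255.255.0
    next
end

# 2. A service group so the policy covers both halves of PPTP:
#    the TCP 1723 control channel and the GRE tunnel
config firewall service group
    edit "pptp-tunnel"
        set member "PPTP" "GRE"
    next
end

# 3. Internal -> wan1 policy with NAT turned off, scoped to the VoIP
#    router only, so every other outbound flow still hits the NAT policy
config firewall policy
    edit 2
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "internal-lan"
        set dstaddr "voip-router"
        set action accept
        set schedule "always"
        set service "pptp-tunnel"
        set nat disable
    next
end

# 4. Policies match top-down: the no-NAT policy must sit above the
#    general outbound policy (assumed here to be ID 1)
config firewall policy
    move 2 before 1
end

# 5. Check the result: "set nat disable" should appear, and policy 2
#    should be listed before policy 1
show firewall policy
```

Because NAT is off, the VoIP router sees packets with 192.168.a.x source addresses, which is why the reply's route for 192.168.a.x via a.b.c.2 on the VoIP router is required; without it, replies have no way back through the FortiGate.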
Putting the phone router in the DMZ wouldn't work. If it absolutely needs to physically have a public IP, then it has to be outside of the firewall on a spare IP address. So this is effectively also plugged into the WAN-ISP router network.
This obviously means your phone router is unprotected by the Fortinet. But this is what would happen if they insist on a public IP.
There is one other way to do it, but it requires you to lose a chunk of your provided ISP IP range, and you would need to work with the ISP to reconfigure their router to narrow the subnet and add routes to your Fortinet (to essentially put a subnet of your current range on another internal network). This would also require a spare interface port as well.
UK Based Technical Consultant
FCSE v2.5
FCSE v2.8
FCNSP v3
Specialising in Systems, Apps, SAN Storage and Networks, with over 25 Yrs IT experience.
Or you can ask your ISP for another block of 4 or 8 IP addresses to assign to a "public DMZ".
A Real World Fortinet Guide
Configuration Examples & Frequently Asked Questions
http://firewallguru.blogspot.com
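An added example, not from either of the two replies above, showing the routed-subnet option the previous reply describes (ISP narrows the link subnet and routes a sub-block to the FortiGate on a spare port) and, with different subnet values, the extra address block this reply suggests for a "public DMZ". It assumes FortiOS 3.x/4.x CLI syntax, that the ISP agrees to shrink the wan1 link from a.b.c.0/27 to a.b.c.0/28 and to route a.b.c.16/28 to a.b.c.2, that the FortiGate-60's "dmz" port is the spare interface, and that the VoIP router keeps a.b.c.28 but with netmask 255.255.255.240 and default gateway a.b.c.17. All of those values are assumptions for illustration. The advantage over parking the device in front of the firewall is that the public-addressed host stays behind firewall policy while still using a real public IP with no NAT.

```fortios
# Added example (not from the posts). Assumes the ISP now routes
# a.b.c.16/28 to a.b.c.2 and the wan1 link is narrowed to a.b.c.0/28.

# 1. Interfaces: narrow wan1, put the routed block on the spare dmz port.
#    No static route is needed for a.b.c.16/28: it is directly connected.
config system interface
    edit "wan1"
        set ip a.b.c.2 255.255.255.240
    next
    edit "dmz"
        set ip a.b.c.17 255.255.255.240
        set allowaccess ping
    next
end

# 2. Objects: the VoIP router (a.b.c.28/28, gateway a.b.c.17 on the box
#    itself) and a service group for PPTP control (TCP 1723) plus GRE
config firewall address
    edit "voip-router"
        set subnet a.b.c.28 255.255.255.255
    next
end
config firewall service group
    edit "pptp-tunnel"
        set member "PPTP" "GRE"
    next
end

config firewall policy
    # 3. Inbound from the Internet to the VoIP router only: plain routing,
    #    no virtual IP and no NAT, and only the PPTP services it needs
    edit 10
        set srcintf "wan1"
        set dstintf "dmz"
        set srcaddr "all"
        set dstaddr "voip-router"
        set action accept
        set schedule "always"
        set service "pptp-tunnel"
        set nat disable
    next
    # 4. Outbound from the public DMZ: the public source address is
    #    forwarded unchanged, which is what the phone provider requires
    edit 11
        set srcintf "dmz"
        set dstintf "wan1"
        set srcaddr "voip-router"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ANY"
        set nat disable
    next
    # 5. Internal LAN to the public DMZ without NAT. The VoIP router sees
    #    192.168.a.x sources, and its default gateway a.b.c.17 already
    #    knows the way back, so no extra route is needed on the device.
    edit 12
        set srcintf "internal"
        set dstintf "dmz"
        set srcaddr "all"
        set dstaddr "voip-router"
        set action accept
        set schedule "always"
        set service "ANY"
        set nat disable
    next
end
```

After the ISP side is changed, confirm with `get router info routing-table all` that a.b.c.16/28 shows as connected on dmz and that the default route still points at the ISP router on wan1; if the ISP has not yet narrowed its side, the old /27 on their router will still claim a.b.c.28 as directly attached and inbound packets will never reach the FortiGate.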
