rm_beginner
New Contributor

Port Forwarding RDP not Working in FORTIGATE 60B connected to HUAWEI HG8245T

Hi guys, sorry for my English. I am testing the FortiGate 60B and have not yet renewed our license. Does the license have any effect on port forwarding?

How to explain this: I am very new to FortiGate. My wan1 interface is connected to the HUAWEI router, so I am just joining the FortiGate to that router to grab a DHCP IP in my wan1 interface settings, and it was successful.

wan1 interface: ip: 192.168.100.3, subnet: 255.255.255.0, gateway: 192.168.100.1, dns: ok

internal interface: dhcp server 192.168.1.110 - 210, subnet 255.255.255.0, gateway: 192.168.1.99

I have an external IP when I click whatismyip, and it gives me xxx.xxx.xxx.xxx (for security I cannot show this).

I set up a virtual IP port forwarding using the EXTERNAL IP xxx.xxx.xxx.xxx to map to 192.168.1.101.

I created MYRDP, the external service port, and mapped it to port number 3389.

Then I created the firewall policy:

Source Interface: wan1
Source Address: all
Destination Interface: internal
Destination Address: MYRDP
Schedule: always
Service: any
Action: accept
NAT: I did not check it
Fixed port: I did not check it

What is wrong in my setup? Thank you guys for your help.

8 REPLIES 8
MikePruett
Valued Contributor

You need to make the router device pass IPs directly to the Gate (place modem or ISP device in bridge mode) so that the WAN interface of the Gate gets the external address. You have double NAT going on, which complicates things currently for you.

Mike Pruett Fortinet GURU | Fortinet Training Videos
rm_beginner

Thank you for your reply.

Is there any other solution to reroute the external IP from the 1st NAT (modem) to the 2nd NAT (FTG), or to map the external IP to the 2nd NAT IP?

A lot of users are using the 1st NAT; I just joined the FTG to the network and created the 2nd NAT.

Are there any CLI commands that I can run?

Thank you.

Gypsy_Dave
New Contributor III

You need to click to enable NAT on the firewall rule if port forwarding from WAN to LAN. 

localhost

Robbo007, enabling NAT on the firewall rule will enable source NAT, which you don't need in this case.

rm_beginner:

Since you are double NATting, it's also necessary to configure port forwarding on your Huawei router.

(External IP -> FortiGate wan1 IP)

External IP Address/Range of your VIP object on the FortiGate should be 0.0.0.0, because you are running DHCP on WAN1.

rm_beginner

Thanks to all for your replies. Localhost:

Still not working. Did I miss something? Thank you.

MY MODEM SETTINGS IN PORT FORWARDING

Protocol: TCP
External start port: 3389
External end port: 3389
Internal start port: 3389
Internal end port: 3389
External source start port: blank
External source end port: blank
Mapping Name: FTG60B
Internal Host: 192.168.100.3 <------- this is my wan1 interface
External Source IP address: xxx.xxx.xxx.xxx (shown by whatismyip)

MY FTG60B WAN1 INTERFACE

IP ADDRESS: 192.168.100.3 <---- mapped ip
SUBNET: 255.255.255.0
GATEWAY: 192.168.100.1

VIP Settings

Name: MYRDP
External Interface: wan1
Type: Static NAT
External IP Address/Range: 0.0.0.0 <-- like what you said
Mapped IP Address/Range: 192.168.1.111

NAT is disabled in my policy.

localhost

Windows Firewall might still be an issue?

Can you post the config of your VIP object and the firewall policy?

#config firewall vip

and

#config firewall policy

Also try and use tcpdump to check if packets are coming in on the FortiGate and going out on the correct interface:

#diagnose sniffer packet any 'port 3389' 4

Nils


Try to do Port-forward in the VIP with just 3389 in both external and internal port.
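
The VIP and policy that the replies from localhost and Nils describe, written out as FortiOS CLI. This is an added example, not part of the original posts: the addresses and names come from the thread, while the syntax assumes a FortiOS 4.x-style CLI as found on a 60B, and `edit 0` (next free policy ID) is an assumption about how the policy is created.

```fortios
# Added example. Values come from the thread; syntax assumes a FortiOS 4.x-style CLI.
config firewall vip
    edit "MYRDP"
        set extintf "wan1"
        # 0.0.0.0 because wan1 gets its address by DHCP (192.168.100.3 in the thread)
        set extip 0.0.0.0
        set mappedip 192.168.1.111
        # Forward only TCP 3389 instead of static NAT for every port
        set portforward enable
        set protocol tcp
        set extport 3389
        set mappedport 3389
    next
end

config firewall policy
    edit 0
        set srcintf "wan1"
        set dstintf "internal"
        # "all" is what the thread uses; a narrower address object limits who can reach RDP
        set srcaddr "all"
        set dstaddr "MYRDP"
        set action accept
        set schedule "always"
        set service "ANY"
        # Source NAT stays off: the VIP already performs the destination NAT
        set nat disable
    next
end

# Confirm packets arrive on wan1 and leave on internal (command from localhost's reply)
diagnose sniffer packet any 'port 3389' 4
```

With the double NAT left in place, the modem's own rule forwarding TCP 3389 to 192.168.100.3 is still required in front of this.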

MikePruett
Valued Contributor

Will the ISP not place the ISP modem in bridge mode so the Gate can house the WAN IP? It would simplify your deployment and remove a lot of the pain.

Mike Pruett Fortinet GURU | Fortinet Training Videos