Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Not applicable

Created on ‎07-13-2006 03:12 AM

Virtual IP on different subnet

I have a 300A [Fortigate-300A 2.80,build489,051027] with the following setup: NAT/Route mode. Internal network on port5: a.a.a.a External (Internet) network on port2: b.b.b.b On port6 I have a connection to a switch which is connected to hosts on 2 subnets, c.c.c.c and d.d.d.d. I have set up port6 to have its address on subnet C. I have added virtual IPs and corresponding firewall rules for hosts in subnet A such that they are accessible from subnet C. I have added a virtual IP (D1) and firewall rule for a host (A1) in subnet A to attempt to make it visable on subnet D. I have no service restrictions. Attempting to ping D1 from a host on subnet D does not work. Using tcpdump I can see that the firewall is correctly answering ARP requests for the new address (D1) but no trace of the traffic can be seen on the other side of the firewall (subnet A). If I switch port6 to have its main address in subnet D then the D1 VIP works but all my VIPs in subnet C stop working. What am I doing wrong - or is this not a supported configuration? Thanks.
2590
0 Kudos
3 REPLIES 3
Not applicable

Created on ‎07-14-2006 06:11 PM

[Deleted by Admins]
1547
0 Kudos
Not applicable

Created on ‎07-15-2006 12:31 AM

That' s not quite what I was saying. The VIPs are the other way around. #1 Created a VIP (static NAT) form 192.168.0.0/24 to 10.0.0.0/24. Works as expected. #2 Created a VIP (static NAT) from 172.16.0.0/24 to 10.0.0.0/24. I can see arp responses on the 172 network from the firewall. Traffic is not passing through though. I have since solved this problem, since it was late last night I' m struggling to remember exactly how though! Adding a static route: Dest: 172.16.0.0/24, GW: 192.168.0.1 seemed to help and making sure things were being NATed in the appropriate rules such that all hosts were happy with routes to send replies back as well.
1547
0 Kudos
Not applicable

Created on ‎07-15-2006 12:36 AM

although this is wokring now for hosts with VIPs on one or the other networks on port6 it seems impossible to set up a host that has two VIPs - one on each subnet. Although incoming requests are received the response always has its source address NATed to the address on the 192.168.0.0 network. Is there any way to set up rules to allow you to choose the VIP that is used for this translation?
1547
0 Kudos
Announcements
Check out our Community Chatter Blog! Click here to get involved
Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.