- Forums
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiAP
- FortiClient
- FortiADC
- FortiAnalyzer
- FortiBridge
- FortiAuthenticator
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiExtender
- FortiEDR
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiMonitor
- FortiManager
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSandbox
- FortiScan
- FortiSASE
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- FortiWebCloud
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- Re: Configuring ISP2 for 1-to-1 nat web server onl...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Configuring ISP2 for 1-to-1 nat web server only
Hi,
I was wondering if its possible to set up a 1-to-1 NAT for a webserver purpose only? Currently the office firewall is configured to route all traffic going to the internet on ISP1(port1). Then decided to add a secondary ISP connection just for the web server access only. Is there a need to create static routes and policy routes for this? please help.
Thank you
Labels:
- Labels:
-
5.0
5 REPLIES 5
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I would probably add one more default static route thru the second ISP connection, which would have the same priority, but a larger distance than a primary default route. That way both default routes will be in the routing table, but only the first one will be normally used. Then, create a VIP (virtual IP) to achieve a 1-to-1 NAT for you Web server. If you need your Web server to initiate connections to the Internet for any reason, than you'll probably also need to add a policy route for it to use the second ISP as a default route.
This is just my idea of a solution, maybe someone else will have different ideas.
Cheers!
Slavko
NSE 7
All oppinions/statements written here are my own.
NSE 7
All oppinions/statements written here are my own.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
HI Slavko,
Thank you for the reply. I actually tried your suggestion. The problem is the External IP of ISP2 is no longer reachable since the distance is now higher that ISP1 to which it is normal since the configuration now is set to active-passive. Since ISP1 is live all returning traffic will redirect to ISP1 so ping results would end up RTO. Now If i put a policy route. behavior of traffic changes like for example a vlan will not be able to reach the DMZ zone and it would think that DMZ is reachable via ISP2 to which when it return will not be able to ping the servers inside DMZ zone. FYI: DMZ servers are different to the servers im trying to port map. Any suggestions on this?
Thanks
seth
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
We have a Fortigate 90D, an external physical link from a Tomcat Server is connected but unable to access when pass through the firewall. It works fine with the older Juniper. Please help.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello,
Sure, you would need two policy routes. The first one is to actually STOP policy routing if the destination address is one of your local addresses (for example DMZ). This way you'll prevent the FGT to send the replies thru the ISP2 if they are intended for your local network. The second one is to route everything else thru the ISP2, just like it does now. But, the Policy Route 1 must be above Policy Route 2, because they are being considered in sequential order, just like the firewall policies. Something like this:
Policy Route 1:
Source: Web Server;
Destination: Your Local IP range(s);
Action: Stop Policy Routing.
Policy Route 2:
Source: Web Server
Destination: 0.0.0.0/0
Action: Route to the Internet, thru the ISP2 port.
Let me know how it goes.
Cheers!
Slavko
NSE 7
All oppinions/statements written here are my own.
NSE 7
All oppinions/statements written here are my own.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
I did place 2 policies. The only configuration lacking was the priority. Increasing the priority of the secondary ISP made it seamless for the traffic to flow as is and as expected, only traffic intended to pass through ISP is working. It's an active-active ISP configuration though. Thank you for the discussion, I really appreciate the help.
Cheers!
Seth
Announcements
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
Related Posts
- FC EMS blocking a URL that... 53 Views
- Executable file posting rule 37 Views
- Configuring various Syslog Server problem 106 Views
- MC-LAG between Spine and Leafs 47 Views
- Changing AD Server Integrated with Fortigate... 194 Views
Labels
-
fortigate
7,013 -
FortiClient
1,379 -
5.2
801 -
5.4
639 -
FortiManager
608 -
FortiAnalyzer
444 -
6.0
416 -
FortiAP
369 -
FortiSwitch
367 -
5.6
362 -
FortiClient EMS
285 -
FortiMail
272 -
6.2
251 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
171 -
6.4
128 -
FortiNAC
123 -
FortiGuard
112 -
IPsec
103 -
FortiGateCloud
93 -
SSL-VPN
93 -
FortiSIEM
92 -
FortiCloud Products
87 -
FortiToken
76 -
Customer Service
71 -
4.0MR3
64 -
Wireless Controller
63 -
FortiProxy
48 -
FortiADC
45 -
SD-WAN
43 -
Fortivoice
43 -
FortiEDR
42 -
FortiDNS
37 -
FortiExtender
36 -
FortiGate v5.4
35 -
FortiSandbox
33 -
FortiSwitch v6.4
32 -
FortiAuthenticator
31 -
Firewall policy
31 -
VLAN
28 -
High Availability
28 -
FortiConnect
24 -
FortiWAN
23 -
ZTNA
21 -
DNS
21 -
FortiConverter
21 -
BGP
19 -
FortiGate v5.2
19 -
SAML
18 -
FortiPortal
18 -
Certificate
18 -
FortiSwitch v6.2
17 -
LDAP
17 -
VDOM
16 -
FortiMonitor
14 -
Authentication
14 -
FortiLink
14 -
Interface
14 -
Logging
14 -
FortiGate v5.0
13 -
Fortigate Cloud
13 -
Routing
13 -
FortiDDoS
13 -
FortiCASB
12 -
RADIUS
11 -
NAT
11 -
SSL SSH inspection
10 -
Traffic shaping
10 -
Virtual IP
10 -
SSO
10 -
Application control
10 -
Web profile
10 -
FortiRecorder
10 -
SSID
9 -
FortiWeb v5.0
9 -
FortiManager v5.0
9 -
4.0MR2
9 -
IP address management - IPAM
8 -
FortiBridge
8 -
WAN optimization
8 -
FortiGate v4.0 MR3
8 -
RMA Information and Announcements
7 -
FortiSOAR
7 -
FortiAnalyzer v5.0
7 -
SNMP
7 -
Web application firewall profile
7 -
Admin
7 -
4.0
7 -
Security profile
6 -
Traffic shaping policy
6 -
Static route
6 -
IPS signature
5 -
Packet capture
5 -
Proxy policy
5 -
FortiAP profile
5 -
Automation
5 -
FortiManager v4.0
5 -
FortiDirector
4 -
Antivirus profile
4 -
DNS Filter
4 -
FortiTester
4 -
FortiCarrier
4 -
FortiCache
4 -
OSPF
4 -
Web rating
4 -
3.6
4 -
FortiScan
4 -
trunk
4 -
Port policy
4 -
FortiDeceptor
3 -
Fortinet Engage Partner Program
3 -
FortiToken Cloud
3 -
Traffic shaping profile
3 -
FortiPAM
3 -
DoS policy
3 -
Email filter profile
3 -
FortiDB
3 -
Intrusion prevention
3 -
Protocol option
2 -
FortiInsight
2 -
NAC policy
2 -
System settings
2 -
Users
2 -
FortiAI
2 -
VoIP profile
2 -
FortiHypervisor
2 -
Fabric connector
2 -
Netflow
2 -
Multicast routing
2 -
4.0MR1
1 -
TACACS
1 -
Subscription Renewal Policy
1 -
Replacement messages
1 -
FortiCWP
1 -
FortiNDR
1 -
Schedule
1 -
SDN connector
1 -
Application signature
1 -
Authentication rule and scheme
1 -
FortiManager-VM
1 -
DLP sensor
1 -
Internet Service Database
1 -
Explicit proxy
1 -
Zone
1
Top Kudoed Authors
| User | Count |
|---|---|
| 1036 | |
| 861 | |
| 507 | |
| 440 | |
| 146 |
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.