Hi,
I was wondering if it's possible to set up a 1-to-1 NAT for a web server purpose only? Currently the office firewall is configured to route all traffic going to the internet on ISP1 (port1). Then I decided to add a secondary ISP connection just for the web server access only. Is there a need to create static routes and policy routes for this? Please help.
Thank you
I would probably add one more default static route thru the second ISP connection, which would have the same priority, but a larger distance than the primary default route. That way both default routes will be in the routing table, but only the first one will normally be used. Then, create a VIP (virtual IP) to achieve a 1-to-1 NAT for your Web server. If you need your Web server to initiate connections to the Internet for any reason, then you'll probably also need to add a policy route for it to use the second ISP as a default route.
This is just my idea of a solution, maybe someone else will have different ideas.
Cheers!
Slavko
NSE 7
All opinions/statements written here are my own.
Hi Slavko,
Thank you for the reply. I actually tried your suggestion. The problem is the external IP of ISP2 is no longer reachable since the distance is now higher than ISP1, which is normal since the configuration is now set to active-passive. Since ISP1 is live, all returning traffic will redirect to ISP1, so ping results would end up RTO. Now if I put a policy route, the behavior of traffic changes; for example, a VLAN will not be able to reach the DMZ zone, and it would think that the DMZ is reachable via ISP2, so when it returns it will not be able to ping the servers inside the DMZ zone. FYI: the DMZ servers are different from the servers I'm trying to port map. Any suggestions on this?
Thanks
seth
We have a FortiGate 90D. An external physical link from a Tomcat server is connected, but it cannot be accessed when passing through the firewall. It works fine with the older Juniper. Please help.
Hello,
Sure, you would need two policy routes. The first one is to actually STOP policy routing if the destination address is one of your local addresses (for example DMZ). This way you'll prevent the FGT from sending the replies thru ISP2 if they are intended for your local network. The second one is to route everything else thru ISP2, just like it does now. But Policy Route 1 must be above Policy Route 2, because they are considered in sequential order, just like the firewall policies. Something like this:
Policy Route 1:
Source: Web Server;
Destination: Your Local IP range(s);
Action: Stop Policy Routing.
Policy Route 2:
Source: Web Server;
Destination: 0.0.0.0/0;
Action: Route to the Internet, thru the ISP2 port.
Let me know how it goes.
Cheers!
Slavko
NSE 7
All opinions/statements written here are my own.
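The setup described in this thread (backup default route via ISP2, a 1-to-1 VIP on the ISP2 interface, an inbound policy limited to the web ports, and the two ordered policy routes for traffic the web server itself originates), written out as FortiOS CLI. This is an added example, not configuration posted by anyone in the thread. Interface names and addresses are assumptions: port1 = ISP1 (gateway 203.0.113.1), port2 = ISP2 (gateway 198.51.100.1, public IP 198.51.100.10 for the web server), web server 192.168.10.10 on interface "internal", office ranges 192.168.0.0/16, DMZ 172.16.0.0/24 on interface "dmz".

```fortios
# Added example, not from the thread. All names and addresses below are
# assumed placeholders; replace them with your own.

# 1. Second default route via ISP2. Same priority, larger distance, so it
#    is only used when the ISP1 route disappears.
config router static
    edit 1
        set gateway 203.0.113.1
        set device "port1"
        set distance 10
    next
    edit 2
        set gateway 198.51.100.1
        set device "port2"
        set distance 20
    next
end

# 2. 1-to-1 VIP: the ISP2 public address maps to the internal web server.
#    No port forwarding, so the firewall policy must restrict the services.
config firewall vip
    edit "vip-web-isp2"
        set extintf "port2"
        set extip 198.51.100.10
        set mappedip "192.168.10.10"
    next
end

# 3. Address object for the web server, used by the outbound policy.
config firewall address
    edit "web-server"
        set subnet 192.168.10.10 255.255.255.255
    next
end

# 4. Inbound: only HTTP/HTTPS from ISP2 to the VIP, logged.
#    Outbound: connections the web server initiates, leaving via ISP2.
config firewall policy
    edit 100
        set name "inbound-web-isp2"
        set srcintf "port2"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "vip-web-isp2"
        set action accept
        set schedule "always"
        set service "HTTP" "HTTPS"
        set logtraffic all
    next
    edit 101
        set name "outbound-web-isp2"
        set srcintf "internal"
        set dstintf "port2"
        set srcaddr "web-server"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
        set logtraffic all
    next
end

# 5. Policy routes for traffic sourced by the web server. Entry 1 stops
#    policy routing for local destinations so replies to the office LAN and
#    DMZ follow the normal routing table; entry 2 sends everything else to
#    ISP2. Lower sequence numbers are evaluated first, so 1 must stay above 2.
config router policy
    edit 1
        set input-device "internal"
        set src "192.168.10.10/255.255.255.255"
        set dst "192.168.0.0/255.255.0.0" "172.16.0.0/255.255.255.0"
        set action deny
    next
    edit 2
        set input-device "internal"
        set src "192.168.10.10/255.255.255.255"
        set gateway 198.51.100.1
        set output-device "port2"
    next
end
```

Two points worth checking after applying something like this. First, `get router info routing-table all` shows which default route is actually active: with different distances only the ISP1 route is installed while ISP1 is up, whereas two routes with the same distance and different priority values both stay active (the lower priority value is preferred), which is the variant the final post in this thread reports using. Second, `diagnose sniffer packet any 'host 198.51.100.10' 4` on the FortiGate confirms on which interface the replies to an inbound web request actually leave, which is the quickest way to see whether the RTO described above is a routing problem or a policy problem.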
Hi,
I did place 2 policies. The only configuration lacking was the priority. Increasing the priority of the secondary ISP made it seamless for the traffic to flow as is and as expected, only traffic intended to pass through ISP is working. It's an active-active ISP configuration though. Thank you for the discussion, I really appreciate the help.
Cheers!
Seth