Support Forum
lmsaeb
New Contributor II

Confused - IPV4 Rules and Allowing Traffic

Hi All, 
I am new to the Fortigate/FortiOS and having some issues wrapping my head around this scenario:
I have an external source - say x.x.x.x - and I need to allow traffic from port 123 to y.y.y.y. I add the IPv4 rule and it does nothing. Apparently, the only way this will work is if I add a Virtual IP mapping from x.x.x.x to y.y.y.y on port 636. The problem is that if I do that, any other source sending traffic on port 123 gets routed to y.y.y.y.
I have experience using a Sonicwall and it did not work like this. I only needed to add NAT when I really needed to map a public IP address to an internal one - i.e., public IP to a webserver on my DMZ. Otherwise, I just added a policy to allow the traffic into my network.
It does not make sense to me that I would have to set up a NAT rule for this.
Is this indeed the way it works?

James_G
Contributor III

Unless you have a publicly routable IPv4 subnet range internally (unlikely - but I have seen it in the past on very legacy networks) you are going to need some sort of NAT.
You can limit the NAT to a specific port, and then also have a policy that only allows traffic from specific sources, that references said NAT.
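An added FortiOS CLI example (not from this thread or from Fortinet) of the combination described above: a port-forwarding VIP that only maps one TCP port, and a policy that only accepts that VIP as destination from one named source address. It assumes interface names wan1 and internal, TCP 636 as the forwarded port, and RFC 5737 documentation addresses standing in for x.x.x.x (198.51.100.7), the external-ip (203.0.113.10) and y.y.y.y (10.0.0.25); all of these are constructed placeholders.

```text
# Port-forwarding VIP: only TCP 636 on the external-ip is translated to y.y.y.y.
# Traffic to other ports on 203.0.113.10 is not DNATed by this object.
config firewall vip
    edit "vip_tcp636_to_y"
        set extip 203.0.113.10
        set extintf "wan1"
        set portforward enable
        set protocol tcp
        set extport 636
        set mappedip "10.0.0.25"
        set mappedport 636
    next
end

# Address object for the single permitted external source (x.x.x.x).
config firewall address
    edit "partner_src_x"
        set subnet 198.51.100.7 255.255.255.255
    next
end

# Policy: the VIP is the destination object, so the DNAT only takes effect
# for sessions this policy accepts. Any other source hitting 203.0.113.10:636
# matches no accept policy and is dropped by the implicit deny.
config firewall policy
    edit 0
        set name "allow_partner_to_y_636"
        set srcintf "wan1"
        set dstintf "internal"
        set srcaddr "partner_src_x"
        set dstaddr "vip_tcp636_to_y"
        set action accept
        set schedule "always"
        set service "LDAPS"
        set logtraffic all
    next
end
```

Checking the bytes counter on this policy, or `diagnose sniffer packet` for port 636 on wan1, shows whether sessions from the partner source are matching it or falling through to the implicit deny.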

ede_pfau
Esteemed Contributor III

I'm a bit confused about port 123 and then again port 636...but that doesn't matter.

Policies allow traffic (session setup to be precise) from one interface to another, or, in fact, across the same interface if there are 2 subnets on it (e.g. via secondary address). It's not quite clear what your situation is.

x.x.x.x is an external address - so this is a source address. y.y.y.y on the other hand is a destination. If both are on directly connected subnets (one FGT port in each subnet) then routing is automatically set up, and you will only need a policy to allow traffic.

If that doesn't work please describe what you see and what you've tried. Bytes on policy counter? Sniffing? diag debug flow? Whatever.
Ede

"Kernel panic: Aiee, killing interrupt handler!"
Toshi_Esumi
Esteemed Contributor III

There are three IPs (ranges) you need to be clear about when you configure a VIP: source, external-ip and destination.

The source is the external host on the internet that accesses the external-ip. The external-ip is regularly the outside interface IP, or any IP reachable from the internet, where you apply the VIP. Then the destination is the internal IP you want to direct some particular accesses from outside to.
Is x.x.x.x the source on the internet, and y.y.y.y is the destination inside? Then what is the external-ip?

emnoc
Esteemed Contributor III

The FGT works like the Sonicwall: the NAT is taken care of in the VIP. When you set the "to" address (the external-to-internal map), that is the NAT. In a VIP it would be DNAT.
You still need the rule to allow src x.x.x.x to y.y.y.y and the service.
Ken
PCNSE
NSE
StrongSwan
lmsaeb
New Contributor II

The external IP is the IP of the router. 
