I'm VERY new to Fortinet and am attempting to migrate from an ASA that's managed by a 3rd party to our own FG 201F. I've got most of it configured, but struggling with how to set up my DMZ. Current ASA has 3 DMZs, each set up with their own public IP ranges on their own VLANs. The DMZs are then assigned to 1 physical port on the ASA.
Now... I want to set up my DMZ and assign private IPs to the hosts and then map/NAT/virtual IP/whatever to the public IPs. My question is... how do I set up the interfaces so I have multiple public IPs? Do I create multiple DMZ interfaces? Do I assign multiple IPs to the WAN interface?
For example... current DMZA has a public IP range of 10.10.0.0/29. The ASA has an interface in that range and it's assigned to a VLAN. All hosts on that VLAN are also assigned public IPs in that range.
DMZB has a public IP range of 10.20.0.0/29. The ASA and hosts are assigned to that range and VLAN.
Nothing would be different from the ASA. You just need to configure VLAN-a with 10.10.0.x/29 and VLAN-b with 10.20.0.x/29 by specifying the parent "interface" as the physical interface. Then you need to set up a proper set of policies from/to both the internet side and the LAN side to allow DMZ access to those individual VLANs.
Toshi
Hello @JP57,
I believe you want to NAT each DMZ to a different public IP address? In that case, you can configure physical interfaces as DMZ interfaces with their own VLANs (private IPs). You can create 3 dynamic IP pools for the 3 public IP addresses. Then you can create 3 firewall policies, one for each DMZ to WAN, and enable NAT using the dynamic IP pool created for each DMZ.
Please refer to https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-configure-SNAT-with-IP-pool/ta-p/19...
Regards,
Hello,
I am not sure whether I understand the topology. However, you can configure multiple secondary IP addresses (i.e. WAN interface 1 primary + 2 secondary IP addresses). Please find the details by following the link below: