Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
JP57
New Contributor II

DMZ with multiple public IP address ranges

I'm VERY new to Fortinet and am attempting to migrate from an ASA that's managed by a 3rd party to our own FG 201F.  I've got most of it configured, but struggling with how to setup my DMZ.  Current ASA has 3 DMZ's, each setup with their own public IP ranges on their own VLANs.  The DMZ's are then assigned to 1 physical port on the ASA.

 

Now...I want to setup my DMZ and assign private IP's to the hosts and then map/NAT/virtual ip/whatever to the public IP's.  My question is...how do I setup the interfaces so I have multiple public IP's?  Do I create multiple DMZ interfaces?  Do I assign multiple IP's to the WAN interface?

 

For example...current DMZA has public IP range of 10.10.0.0/29.  ASA has an interface in that range and it's assigned to a VLAN.  All hosts on that VLAN are also assigned public IPs in that range.

 

DMZB has public IP range of 10.20.0.0/29.  ASA and hosts assigned to that range and VLAN.

 

 

1 Solution
Toshi_Esumi
Esteemed Contributor III

Nothing would be different from ASA. You just need to configure VLAN-a with 10.10.0.x/29 and VLAN-b with 10.20.0.x/29 by specifying the parent "interface" as the physical interface. Then you need to set up proper set of policies from/to both internet side and LAN side to allow DMZ access to those individual VLANs.

 

Toshi

View solution in original post

3 REPLIES 3
hbac
Staff
Staff

Hello @JP57

 

I believe you want to NAT each DMZ to different public IP addresses? In that case, you can configure physical interfaces as DMZ interfaces with their own VLANs (private IPs). You can create 3 dynamic IP pools for 3 public IP addresses. Then you can create 3 firewall policies for each DMZ to WAN and enable NAT using dynamic IP pools created for each DMZ. 

 

Please refer to https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-configure-SNAT-with-IP-pool/ta-p/19...

 

Regards,

abarushka
Staff
Staff

Hello,

 

I am not sure whether I understand the topology. However you can configure multiple secondary IP addresses (i.e. WAN interface 1 primary + 2 secondary IP addresses). Please find the details by following the link below:

 

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Set-a-secondary-IP-on-a-FortiGate-interfac...

FortiGate
Toshi_Esumi
Esteemed Contributor III

Nothing would be different from ASA. You just need to configure VLAN-a with 10.10.0.x/29 and VLAN-b with 10.20.0.x/29 by specifying the parent "interface" as the physical interface. Then you need to set up proper set of policies from/to both internet side and LAN side to allow DMZ access to those individual VLANs.

 

Toshi

Labels
Top Kudoed Authors