Hello Everyone,
I recently installed FG100E with Firmware V6.0.3build0200.
We are hosting Web Server(192.168.1.20) in Internal Network.
When we access the Web Server by URL(http://www.mycompany.com) from the internal network stations, I want to set up FG100E to map the public IP (64.60.158.250) returned by DNS lookup to private Web Server IP(192.168.1.20).
What is the correct way of doing in FG100E?
Can we use Virtual IP without policy?
Or will Virtual IP with a self-directing policy (Internal => Internal) work?
If I understand you correctly, you don't want to use a private IP address even for the local users, correct?
You can check this feature:
https://cookbook.fortinet.com/configure-hair-pinning-fortigate/
Hi hubertzw,
Thank you for replying to my question.
We are running a local network behind the firewall with local private IPs. All outbound traffic source addresses are SNATed to the external interface IP of the firewall.
My question is how FG100E handles the traffic from internal network to the external interface network, that is, the source address of the packet is the internal address like 192.168.1.x and the destination address is one of the public addresses from the subnet of the external interface like 64.60.158.x/29 including the one assigned to the external interface itself.
Can it smartly find out that the destination is local and DNAT implicitly, or do we need to do the DNAT ourselves?
Hi, for the outbound traffic FG keeps session about specific connection including source IP, SNAT usually with unique port, destination, etc. For the returning traffic FG tries to find the existing session and for that one you don't need DNAT. But when you initiate connection from outside (incoming traffic) you need a policy with destination IP of the VIP object (policy NAT) or real (inside) host IP and then mapping in the DNAT table (only with the central NAT settings).
Split-DNS is what you want? So when www.yourdomain.com is mapped to the rfc1918 address on a nslookup from the inside hosts
Ken Felix
PCNSE
NSE
StrongSwan
Hi emnoc,
Is that what you call split-DNS?
From the internal network, if the packet destination address is one of the public IPs assigned to the external interface subnet, I need that destination address to be translated into the local IP of the locally hosted server.
Let's say we have locally hosted servers with private IPs:
Web Server : 192.168.1.20
DB Server : 192.168.1.10
The WAN interface has public IP 75.36.85.249 from WAN subnet 75.36.85.248/29.
I defined two VIPs:
75.36.85.250 => 192.168.1.10
75.36.85.251 => 192.168.1.20
So traffic from outside into our local servers is correctly managed by the security policy with the VIP.
Now from an inside local station, if the client enters "http://www.mycompany.com" in the web browser, it will get 75.36.85.251 from the DNS server. I want to translate that 75.36.85.251 into 192.168.1.20. Will it be done automatically if I have the VIP defined? Or do I need to do split-DNS? If I need to do split-DNS, can you tell me how to?
Maybe look into dnstranslation.
e.g.
```
config firewall dnstranslation
    edit 1
        set src 75.36.85.250
        set dst 192.168.1.10
        set netmask 255.255.255.255
    next
    edit 2
        set src 75.36.85.251
        set dst 192.168.1.20
        set netmask 255.255.255.255
    next
end
```
NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C
Either you need to have local DNS entries to resolve the internal IPs, or create a loopback rule.
Source interface LAN, destination interface LAN, and destination object as the VIPs you create.
VIPs are essentially routes; they are active regardless of whether they are applied to any policies. So you need to allow the traffic to pass.
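The loopback (hairpin) rule described above, written out as FortiOS CLI. This is an added illustration, not configuration posted by anyone in this thread or taken from the Fortinet cookbook; it reuses the VIP mappings from the question and assumes the interface names `internal` and `wan1` and the object names `vip-db` and `vip-web`, all of which are placeholders for whatever the FG100E actually has configured.

```fortios
# Assumed interface and object names; adjust to the real configuration.
config firewall vip
    edit "vip-db"
        set extip 75.36.85.250
        set extintf "any"
        set mappedip "192.168.1.10"
    next
    edit "vip-web"
        set extip 75.36.85.251
        set extintf "any"
        set mappedip "192.168.1.20"
    next
end

# Hairpin policy: internal client -> public VIP address -> internal server.
# srcintf and dstintf are both the LAN side; the destination is the VIP object.
config firewall policy
    edit 0
        set name "lan-to-vip-hairpin"
        set srcintf "internal"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "vip-db" "vip-web"
        set action accept
        set schedule "always"
        set service "HTTP" "HTTPS"
        # Source NAT matters here: client and server share a subnet, so without
        # it the server would answer the client directly and bypass the FortiGate,
        # leaving the session half-tracked.
        set nat enable
        set logtraffic all
    next
end
```

`set extintf "any"` lets the same VIP object match on the internal interface as well as the WAN; if the existing VIPs are bound to `wan1` only, the hairpin policy will not match them. With `set nat enable` the server sees the FortiGate's internal address rather than the client's; the traffic log (`logtraffic all`) is the quickest way to confirm the policy is actually being hit and translated.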
Thank you for all the support you provided.
I think DNS Translation function will work for me.
It should be under Security Profiles=>DNS Filter=>DNS Translation, but I could not find it on FG100E firmware v6.0.3build0200. I could not enable it on GUI with Feature Visibility either.
Is it available with the inspection mode "proxy" only? If it is, can we set the inspection mode to "proxy" only for "DNS Filter" profile? If that function can be set only through CLI, can you provide me with the scripts?