Unlock Exclusive Benefits
Join Our Community Today!
Join our community and post in the forum to earn your exclusive Holiday badge! Become a member today!
LOGIN/REGISTER
CONTINUE AS A GUEST
- Support Forum
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDLP
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiGuest
- FortiInsight
- FortiIsolator
- FortiMail
- FortiMonitor
- FortiManager
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPhish
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSRA
- FortiSandbox
- FortiScan
- FortiSASE
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiVoice
- FortiToken
- FortiWAN
- FortiWeb
- FortiAppSec Cloud
- Lacework
- RMA Information and Announcements
- Wireless Controller
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Support Forum
- External Interface using private IP to router
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Not applicable
Created on 02-20-2007 02:23 PM
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
External Interface using private IP to router
We have our internet router connected to the fortigate firewall via a private ip range. The router simply forwards all our public addresses to the firewall, and all it well except for one thing. The firewall itself cannot connect to anything on the internet, such as needed for Fortiguard web filtering and anti-spam.
Internet <--> router 172.20.1.1 <--> 172.20.1.2 Firewall - 10.1.1.2 <--> LAN
I had thought about this, and discovered a proxy setting, but alas that only works for the virus and IPS signature auto-update.
I have tried assigning a public address to the external port of the firewall, then added the 172.20.1.2 address as a secondary address. This will allow me to use the " execute ping-options source" to that public address, then ping works. I can' t figure out a way to " source" or NAT the connections for web filtering and anti-spam. I have also tried creating a virtual-IP for the firewalls external public address to it' s private address.
The router is a leased router from our ISP. I know it has the ability to NAT, but I have been reluctant to ask them to NAT our private 172 addresses, since I don' t have direct control over that device. That' s my option if I can' t figure out a way to do it at the firewall.
5 REPLIES 5
Not applicable
Created on 02-20-2007 06:57 PM
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Don' t NAT your private ip addresses! Then you will be double NAT' ing to the firewall. Bad Idea.
If anything they need to route your public ip' s to the fortigate then let the fortigate be the border router for your public ip' s.
Regardless, lets fix the immediate problem. I have some questions.
Is the firewall in NAT or Transparent mode?
What are your external ip' s?
Is this a brand new installation? Has this ever worked?
Do you have a default route of 0.0.0.0/0.0.0.0 -> 172.20.1.1? This is often forgotten that the fortigate' s don' t put in the default for you.
Let me know,
Nick
Not applicable
Created on 02-21-2007 07:02 AM
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
It is running in NAT mode.
It works fine for everything except connections initiated from the firewall itself. The comptuers on the LAN can connect to the internet, and are NAT' ed to the public addresses in our range 208.191.50.0/23.
For example:
1) Workstation on the LAN connects to www.google.com, the source is nat' ed from 10.x.x.x to 208.191.x.x, and routed correctly.
2) If the firewall itself attempts to connect to www.google.com (such as a ping from the console). The source address would be 172.20.1.2, which can easiely make it to the next hop 172.20.1.1, but that router does what is proper and drops the packet, because the source is not a publicly routable address.
This is a common scenario for router-to-router connections to be on private addresses so as to not waste public ip-addresses. When I was asked about this, I agreed. It seemed a good idea to me that connections from the internet could never be made to the firewall itself. I just neglected to think about the firewall making connections out from it' s own address. With my previous FortiGate unit I didn' t do any anti-spam, anti-virus, or web filtering, so the firewall never needed to initiate connections to the internet, only NAT connections as they passed through.
So...The oversight is on my part, but I was hoping there could be a solution at the firewall. The proper alternative is for me to pull out a /30 subnet from my public addresses and use that for the router-to-firewall connection, or to simply not use the web filtering and anti-spam features. I don' t need the anti-spam anyway and not sure if the web filtering will be of much benifit either, I just wanted to test it.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If you have the spare subnets, route them inward, and set up the router-Fortigate LAN with a public IP. That' s how we do it.
Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
Bob - self proclaimed posting junkie!See my Fortigate related scripts
at: http://fortigate.camerabob.com
Not applicable
Created on 02-21-2007 09:43 AM
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Oh ok. I see. Your border router isn' t NAT' ing. That is the part I was missing. I agree with you, routing a /30 and using that for your public is the right answer. Or you could setup NAT on the border router just for the serial interface of the firewall.
The Spam filtering really isn' t that great but the web-filtering is awesome.
Nick
Not applicable
Created on 02-21-2007 12:13 PM
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Ok thanks for your input guys.
Announcements
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
Labels
-
FortiGate
8,763 -
FortiClient
1,779 -
5.2
801 -
FortiManager
738 -
5.4
639 -
FortiAnalyzer
563 -
FortiSwitch
477 -
Fortiap
475 -
FortiClient EMS
437 -
6.0
416 -
5.6
362 -
FortiMail
323 -
SSL-VPN
252 -
6.2
251 -
FortiAuthenticator v5.5
234 -
IPsec
214 -
FortiWeb
210 -
5.0
196 -
FortiNAC
191 -
FortiGuard
139 -
6.4
128 -
SD-WAN
117 -
FortiAuthenticator
106 -
FortiGateCloud
102 -
FortiSIEM
100 -
FortiCloud Products
98 -
FortiToken
92 -
Firewall policy
86 -
Wireless Controller
81 -
Customer Service
80 -
4.0MR3
64 -
FortiProxy
60 -
Fortivoice
56 -
High Availability
56 -
FortiADC
54 -
vlan
53 -
FortiEDR
52 -
ZTNA
49 -
Routing
48 -
FortiExtender
45 -
FortiSandbox
44 -
DNS
44 -
FortiDNS
42 -
LDAP
42 -
BGP
40 -
Authentication
39 -
NAT
36 -
FortiGate v5.4
35 -
SAML
35 -
Certificate
35 -
FortiSwitch v6.4
34 -
Radius
34 -
SSO
33 -
Interface
31 -
FortiConnect
30 -
VDOM
30 -
FortiLink
29 -
FortiWAN
27 -
Application control
27 -
Web profile
27 -
FortiConverter
25 -
Logging
25 -
Virtual IP
25 -
FortiGate v5.2
24 -
SSL SSH inspection
23 -
FortiPAM
22 -
FortiGate-VM
21 -
FortiSwitch v6.2
19 -
FortiPortal
19 -
Fortigate Cloud
19 -
FortiMonitor
18 -
Traffic shaping
17 -
SSID
16 -
Automation
16 -
WAN optimization
16 -
FortiDDoS
15 -
OSPF
15 -
System settings
15 -
FortiGate v5.0
14 -
FortiSOAR
14 -
Static route
14 -
Web application firewall profile
14 -
IP address management - IPAM
14 -
SNMP
13 -
Admin
13 -
FortiCASB
12 -
FortiManager v5.0
11 -
FortiRecorder
11 -
Security profile
11 -
Proxy policy
11 -
FortiManager v4.0
10 -
FortiBridge
10 -
IPS signature
10 -
FortiAP profile
10 -
4.0MR2
9 -
FortiGate v4.0 MR3
9 -
FortiWeb v5.0
9 -
Traffic shaping policy
9 -
Intrusion prevention
9 -
FortiDeceptor
8 -
RMA Information and Announcements
8 -
Port policy
8 -
4.0
7 -
FortiAnalyzer v5.0
7 -
FortiCache
7 -
DNS filter
7 -
Antivirus profile
7 -
Fabric connector
7 -
Web rating
7 -
Fortinet Engage Partner Program
7 -
FortiToken Cloud
6 -
Explicit proxy
6 -
trunk
6 -
Packet capture
6 -
Traffic shaping profile
6 -
API
5 -
FortiTester
5 -
Users
5 -
Email filter profile
5 -
3.6
4 -
FortiCarrier
4 -
FortiScan
4 -
FortiDirector
4 -
Internet service database
4 -
Application signature
4 -
Authentication rule and scheme
4 -
DLP sensor
4 -
Netflow
4 -
Replacement messages
4 -
Cloud Management Security
4 -
FortiDB
3 -
FortiHypervisor
3 -
FortiNDR
3 -
NAC policy
3 -
DLP Dictionary
3 -
DLP profile
3 -
DoS policy
3 -
Protocol option
3 -
TACACS
3 -
SDN connector
3 -
Service
3 -
VoIP profile
3 -
Multicast routing
3 -
FortiInsight
2 -
FortiAI
2 -
Kerberos
2 -
Schedule
2 -
Multicast policy
2 -
Zone
2 -
Vulnerability Management
2 -
4.0MR1
1 -
FortiManager-VM
1 -
FortiCWP
1 -
Subscription Renewal Policy
1 -
Video Filter
1 -
ICAP profile
1
Top Kudoed Authors
| User | Count |
|---|---|
| 1740 | |
| 1108 | |
| 752 | |
| 447 | |
| 240 |
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.