- Forums
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiBridge
- FortiAuthenticator
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDDoS
- FortiDAST
- FortiDB
- FortiDNS
- FortiDevSec
- FortiDeceptor
- FortiDirector
- FortiEDR
- FortiGate Cloud
- FortiExtender
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiMonitor
- FortiManager
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecorder
- FortiRecon
- FortiSandbox
- FortiScan
- FortiSASE
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- Wireless Controller
- FortiWebCloud
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- External Interface using private IP to router
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Not applicable
Created on 02-20-2007 02:23 PM
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
External Interface using private IP to router
We have our internet router connected to the fortigate firewall via a private ip range. The router simply forwards all our public addresses to the firewall, and all it well except for one thing. The firewall itself cannot connect to anything on the internet, such as needed for Fortiguard web filtering and anti-spam.
Internet <--> router 172.20.1.1 <--> 172.20.1.2 Firewall - 10.1.1.2 <--> LAN
I had thought about this, and discovered a proxy setting, but alas that only works for the virus and IPS signature auto-update.
I have tried assigning a public address to the external port of the firewall, then added the 172.20.1.2 address as a secondary address. This will allow me to use the " execute ping-options source" to that public address, then ping works. I can' t figure out a way to " source" or NAT the connections for web filtering and anti-spam. I have also tried creating a virtual-IP for the firewalls external public address to it' s private address.
The router is a leased router from our ISP. I know it has the ability to NAT, but I have been reluctant to ask them to NAT our private 172 addresses, since I don' t have direct control over that device. That' s my option if I can' t figure out a way to do it at the firewall.
5 REPLIES 5
Not applicable
Created on 02-20-2007 06:57 PM
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Don' t NAT your private ip addresses! Then you will be double NAT' ing to the firewall. Bad Idea.
If anything they need to route your public ip' s to the fortigate then let the fortigate be the border router for your public ip' s.
Regardless, lets fix the immediate problem. I have some questions.
Is the firewall in NAT or Transparent mode?
What are your external ip' s?
Is this a brand new installation? Has this ever worked?
Do you have a default route of 0.0.0.0/0.0.0.0 -> 172.20.1.1? This is often forgotten that the fortigate' s don' t put in the default for you.
Let me know,
Nick
Not applicable
Created on 02-21-2007 07:02 AM
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
It is running in NAT mode.
It works fine for everything except connections initiated from the firewall itself. The comptuers on the LAN can connect to the internet, and are NAT' ed to the public addresses in our range 208.191.50.0/23.
For example:
1) Workstation on the LAN connects to www.google.com, the source is nat' ed from 10.x.x.x to 208.191.x.x, and routed correctly.
2) If the firewall itself attempts to connect to www.google.com (such as a ping from the console). The source address would be 172.20.1.2, which can easiely make it to the next hop 172.20.1.1, but that router does what is proper and drops the packet, because the source is not a publicly routable address.
This is a common scenario for router-to-router connections to be on private addresses so as to not waste public ip-addresses. When I was asked about this, I agreed. It seemed a good idea to me that connections from the internet could never be made to the firewall itself. I just neglected to think about the firewall making connections out from it' s own address. With my previous FortiGate unit I didn' t do any anti-spam, anti-virus, or web filtering, so the firewall never needed to initiate connections to the internet, only NAT connections as they passed through.
So...The oversight is on my part, but I was hoping there could be a solution at the firewall. The proper alternative is for me to pull out a /30 subnet from my public addresses and use that for the router-to-firewall connection, or to simply not use the web filtering and anti-spam features. I don' t need the anti-spam anyway and not sure if the web filtering will be of much benifit either, I just wanted to test it.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If you have the spare subnets, route them inward, and set up the router-Fortigate LAN with a public IP. That' s how we do it.
Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
Bob - self proclaimed posting junkie!See my Fortigate related scripts
at: http://fortigate.camerabob.com
Not applicable
Created on 02-21-2007 09:43 AM
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Oh ok. I see. Your border router isn' t NAT' ing. That is the part I was missing. I agree with you, routing a /30 and using that for your public is the right answer. Or you could setup NAT on the border router just for the serial interface of the firewall.
The Spam filtering really isn' t that great but the web-filtering is awesome.
Nick
Not applicable
Created on 02-21-2007 12:13 PM
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Ok thanks for your input guys.
Announcements
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
Related Posts
- Fortinet F80 and Cisco RV340 137 Views
- How to perform special internet access... 247 Views
- Captive Portal redirection 195 Views
- Unable to route public IP into... 141 Views
- Fortigate Firewall BGP received routes not... 508 Views
Labels
-
FortiGate
7,187 -
FortiClient
1,418 -
5.2
801 -
5.4
639 -
FortiManager
621 -
FortiAnalyzer
458 -
6.0
416 -
FortiAP
376 -
FortiSwitch
375 -
5.6
362 -
FortiClient EMS
291 -
FortiMail
281 -
6.2
251 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
175 -
FortiNAC
128 -
6.4
128 -
FortiGuard
116 -
IPsec
110 -
SSL-VPN
109 -
FortiGateCloud
98 -
FortiSIEM
94 -
FortiCloud Products
90 -
FortiToken
77 -
Customer Service
71 -
Wireless Controller
65 -
4.0MR3
64 -
FortiProxy
49 -
SD-WAN
49 -
FortiEDR
46 -
FortiADC
45 -
Fortivoice
44 -
FortiDNS
39 -
FortiExtender
35 -
FortiGate v5.4
35 -
FortiAuthenticator
35 -
Firewall policy
35 -
FortiSandbox
34 -
FortiSwitch v6.4
32 -
VLAN
31 -
High Availability
31 -
DNS
24 -
FortiWAN
24 -
FortiConnect
24 -
ZTNA
23 -
BGP
21 -
LDAP
21 -
FortiConverter
21 -
Certificate
21 -
SAML
20 -
FortiGate v5.2
19 -
FortiPortal
18 -
Routing
18 -
Interface
18 -
FortiSwitch v6.2
17 -
VDOM
17 -
FortiMonitor
15 -
Authentication
15 -
FortiLink
15 -
FortiGate v5.0
14 -
Fortigate Cloud
14 -
FortiDDoS
14 -
Logging
14 -
NAT
13 -
RADIUS
12 -
SSL SSH inspection
12 -
FortiCASB
12 -
Application control
11 -
Web profile
11 -
Traffic shaping
10 -
Virtual IP
10 -
SSO
10 -
FortiRecorder
10 -
SSID
9 -
FortiWeb v5.0
9 -
FortiManager v5.0
9 -
WAN optimization
9 -
4.0MR2
9 -
IP address management - IPAM
8 -
FortiBridge
8 -
SNMP
8 -
FortiGate v4.0 MR3
8 -
OSPF
8 -
RMA Information and Announcements
7 -
FortiSOAR
7 -
FortiAnalyzer v5.0
7 -
FortiAP profile
7 -
4.0
7 -
Admin
7 -
Web application firewall profile
7 -
Static route
6 -
Security profile
6 -
Proxy policy
6 -
Traffic shaping policy
6 -
Automation
6 -
IPS signature
5 -
Packet capture
5 -
DNS Filter
5 -
FortiCache
5 -
FortiManager v4.0
5 -
trunk
5 -
FortiDeceptor
4 -
FortiDirector
4 -
Web rating
4 -
Intrusion prevention
4 -
Port policy
4 -
Antivirus profile
4 -
System settings
4 -
FortiPAM
4 -
FortiCarrier
4 -
FortiTester
4 -
3.6
4 -
DLP sensor
4 -
FortiScan
4 -
Fabric connector
3 -
NAC policy
3 -
Users
3 -
Multicast routing
3 -
FortiToken Cloud
3 -
Traffic shaping profile
3 -
Fortinet Engage Partner Program
3 -
DLP Dictionary
3 -
DLP profile
3 -
FortiDB
3 -
DoS policy
3 -
Email filter profile
3 -
FortiInsight
2 -
Netflow
2 -
Protocol option
2 -
FortiAI
2 -
Application signature
2 -
FortiHypervisor
2 -
VoIP profile
2 -
Internet Service Database
2 -
Explicit proxy
2 -
4.0MR1
1 -
Multicast policy
1 -
Zone
1 -
FortiCWP
1 -
Kerberos
1 -
Subscription Renewal Policy
1 -
FortiNDR
1 -
TACACS
1 -
Replacement messages
1 -
Schedule
1 -
SDN connector
1 -
FortiManager-VM
1 -
Authentication rule and scheme
1 -
Service
1
Top Kudoed Authors
| User | Count |
|---|---|
| 1077 | |
| 892 | |
| 529 | |
| 441 | |
| 152 |
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.