Hi,
I'm new to Fortinet and need some assistance getting NAT to work.
I have a modem/router in front of the FortiGate that is not bridged to it, but I was able to "expose" all ports to the FortiGate. I configured 2 NAT rules (VIPs), one for SSH and one for RDP.
I guess I should start by sending you the config file? Would somebody be so kind as to share what you need to help me out?
Thank you
Hi, and welcome to the forums.
You seem to have forgotten to state what your problem is.
In one location I run a FGT as an "exposed host" behind a NAT DSL router - no problems at all.
If you count the Fortinet VIPs I created as a second NAT, then yes, I'm using double NAT.
My problem is simple: I can't reach my hosts through port forwarding (exposed host) and the Fortinet VIPs.
Internet
    |
VDSL router/modem 192.168.178.254 (all ports on this modem are exposed to the WAN 1 interface of the FortiGate)
    |
WAN 1 192.168.178.253
    |
Created a VIP for testing purposes:
Network interface: WAN1
Type: STATIC NAT (can't change this)
External IP: 192.168.178.253 (WAN1 IP, zone WAN)
Internal IP: 192.168.1.22 (zone LAN)
Port 22 for all (external port and mapped-to port are the same)
Created a policy from zone WAN to zone LAN for SSH, port 22.
The problem is that I get a timeout, and I need some help troubleshooting this.
thank you
"Created a policy from zone WAN to zone LAN for SSH, port 22."
Did you select the VIP as the destination? If you aren't familiar with FortiGate, it might make sense to create a regular firewall rule to allow the traffic. But the destination needs to be the VIP itself.
Other than that, try with 0.0.0.0 as the external IP in the VIP (this requires you to select an interface other than 'any').
Hi bennthos
When you say that you are not using a bridge, does that mean that you are using double NAT?
- Retro
You either bridge the modem/router, or you run Fortinet in transparent mode.
Simple really.
This looks too complicated... As I posted, I run the same setup as you: FritzBox to the internet, LAN1 to WAN1 on the FGT, an intermediate network like your 192.168.1.x, "exposed host" on the FB. Works very well.
Some hints:
Check carefully that you have put the VIP as the destination address into the policy 'wan1' -> 'lan'.
Do not specify a port translation even if it's port 22 to port 22. If you do, ping won't work (as it doesn't use ports) and you could have the impression that the VIP isn't working. Narrow down your security in the policy.
Follow @brycemd's advice and use the wildcard '0.0.0.0' for the external address in the VIP. It will match whichever public IP the FB will have at any time.
Let the FB do the DynDNS provisioning - it monitors the WAN line and will notify the DDNS server reliably.
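The following FortiOS CLI configuration puts the hints from this reply and from brycemd's earlier one into one worked example. It is added here for illustration and was not posted by either of them. It assumes the zone names WAN and LAN from the original post, the physical interface name wan1, and a VIP object named vip-ssh-wildcard; the mapped host 192.168.1.22 and port 22 are taken from the original post. The diagnose commands at the end are the checks a practitioner would run when the connection times out.

```text
# --- VIP: wildcard external address, no port translation ---
# extintf must be the physical interface (wan1), not the zone.
# extip 0.0.0.0 means "whatever address wan1 currently holds", so the VIP
# keeps working if the FritzBox hands out a different address.
# portforward is deliberately left disabled so ICMP still reaches the host
# and you can ping it through the VIP while testing.
config firewall vip
    edit "vip-ssh-wildcard"
        set extintf "wan1"
        set extip 0.0.0.0
        set mappedip "192.168.1.22"
    next
end

# --- Policy: the VIP object itself is the destination, service limited to SSH ---
# Zone names WAN and LAN are assumed to match the original post.
# Because the VIP has no port translation, the service field is the only
# thing restricting what reaches 192.168.1.22; keep it narrow.
config firewall policy
    edit 0
        set name "WAN-to-LAN-ssh"
        set srcintf "WAN"
        set dstintf "LAN"
        set srcaddr "all"
        set dstaddr "vip-ssh-wildcard"
        set action accept
        set schedule "always"
        set service "SSH"
        set logtraffic all
    next
end

# --- Checks when the connection times out ---
# 1. Confirm the DNAT entry exists (iprope group 100000 is the VIP/DNAT table).
diagnose firewall iprope list 100000

# 2. Watch the SYNs. With 'any' you see the packet before DNAT (dst = wan1 IP)
#    and after DNAT (dst = 192.168.1.22). No SYN at all: the upstream router
#    is not forwarding. SYN toward 192.168.1.22 but no SYN-ACK back: the LAN
#    host or its default gateway is the problem, not the VIP.
diagnose sniffer packet any 'port 22' 4 0 a

# 3. Trace the policy lookup for one connection attempt; the output names
#    the policy ID that matched, or says why the packet was dropped.
diagnose debug reset
diagnose debug flow filter port 22
diagnose debug flow trace start 20
diagnose debug enable
#    ... start an SSH attempt from the internet, then:
diagnose debug disable
diagnose debug flow trace stop
```

The order of the checks matters: the iprope listing proves the VIP object is installed, the sniffer shows whether traffic arrives and whether DNAT rewrites it, and the flow trace shows whether a policy accepted the rewritten packet. A timeout with a SYN visible toward 192.168.1.22 and no reply is a host-side issue that no change to the VIP or policy will fix.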
Copyright 2024 Fortinet, Inc. All Rights Reserved.