Help with 1-1 Static NAT
Hi All,
I want to create a one to one static NAT for 2 servers through a fortigate-VM firewall.
Server 1 VIP: (192.168.2.2) -> Server 1 Private IP: (10.0.3.2)
Server 2 VIP: (192.168.2.3) -> Server 2 Private IP: (10.0.3.3)
I can't seem to figure this out without checking the NAT option in an incoming traffic policy.
Tried to follow the Fortigate documentation, but to put it nicely, it is less comprehensible for sure.
Thank you!
12 REPLIES
What you wrote looks complete to me. Just make sure you use the Virtual IP definition as the target in the policy, you should be done.
Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
"I can't seem to figure this out without checking the NAT option in an incoming traffic policy."
You don't need to check/enable the NAT option when using VIPs for DNAT (inbound).
PCNSE
NSE
StrongSwan
This is a direct crosspost from http://support.fortinet.com/forum/tm.asp?m=95662
I think we should discuss the matter in the original thread.
OP has not answered my question about routing yet.
Ede Kernel panic: Aiee, killing interrupt handler!
Yeah, originally it was intended as a log question but quickly turned into a configuration question. I apologize.
Only way I can access the server from a public IP address is to check the NAT box on the policy. If I uncheck it I can no longer access the server (ssh or http).
What could I be doing wrong here?
Please see my original thread for all the details http://support.fortinet.com/forum/tm.asp?m=95662
Your answer is in your route-table and here in the other thread.
- create one default route to this port
Remove that 2nd route, remove your check NAT enable block and you should be golden.
PCNSE
NSE
StrongSwan
Well, you have 2 posts going on, and you made changes from the original start of this thread. And you didn't heed our earlier suggestion & guidance. If you have the VIP set up correctly, you don't need NAT enabled.
A photo says a thousand words; so what is it, port 1 or port 2?

PCNSE
NSE
StrongSwan
Sorry, I started my config over, removing all unnecessary IPs, since I am still unable to get this working. Below are all my settings simplified (reposted). Anyone see what I am missing here? Thank you very much for your help! (VIP Updated)

diag debug flow is your friend, try it and see what it tells you :)
PCNSE
NSE
StrongSwan
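
The setup the replies describe, written out as an added example that is not part of any poster's message: one VIP per server used as the policy destination, the policy's NAT option left off, and a flow trace to check the result. The interface names (port1 outside, port2 inside) and the object names are assumptions; the addresses and the SSH/HTTP services come from the posts above.

```fortios
# Added example. Lines starting with # are annotations for the reader.
# Assumed: port1 = outside interface, port2 = server-side interface.
config firewall vip
    edit "server1-vip"
        set extintf "port1"
        set extip 192.168.2.2
        set mappedip "10.0.3.2"
    next
    edit "server2-vip"
        set extintf "port1"
        set extip 192.168.2.3
        set mappedip "10.0.3.3"
    next
end

config firewall policy
    edit 0
        set srcintf "port1"
        set dstintf "port2"
        set srcaddr "all"
        # The VIP objects are the destination; they perform the DNAT.
        set dstaddr "server1-vip" "server2-vip"
        set action accept
        set schedule "always"
        set service "SSH" "HTTP"
        # Source NAT stays off, so the servers see and log the real
        # client address instead of the firewall's interface address.
        set nat disable
    next
end

# Trace how the firewall handles a test connection to the first VIP.
diagnose debug reset
diagnose debug flow filter addr 192.168.2.2
diagnose debug flow trace start 20
diagnose debug enable
# Connect from outside, read the trace output, then stop debugging:
diagnose debug disable
```

With NAT disabled on the policy, replies from 10.0.3.2 and 10.0.3.3 have to route back through the FortiGate, which is the routing question raised in the replies.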
