Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
jasusu
New Contributor

Created on ‎07-30-2024 12:58 PM Edited on ‎07-31-2024 02:57 AM

Help with Fortigate DNAT Configuration

Hi everyone,

I need some help with setting up DNAT on my Fortigate. I want to create a DNAT rule for a specific IP address, let’s say 172.17.200.200. My goal is to map any requests coming to port 8080 to port 3389 on the same IP address. How to can be mapped in the same ip address Can anyone guide me on how to set this up https://vlc.onl/ ?

Labels:
635
0 Kudos
4 REPLIES 4
Elmir
New Contributor III

Created on ‎07-31-2024 01:43 AM Edited on ‎07-31-2024 01:44 AM

Hi.

I guess config will look like below:

------------

config firewall vip
  edit "vip_DNAT-8080-3389"
    set extip 172.17.200.200
    set mappedip "172.17.200.200"
    set extintf "Interface_v999" ※Your external interface
    set portforward enable
    set extport 8080
    set mappedport 3389
  next
end

------------

615
xshkurti
Staff
Staff

Created on ‎07-31-2024 08:06 AM

@jasusu 
Please note that in FortiGate you can not create NAT using the same external and mapped IP.

VIP.png

Even from CLI you will get the same warning:

FGT # config firewall vip
FGT (vip) # edit 1
new entry '1' added

FGT (1) # set extip 172.17.200.200

FGT (1) # set mappedip 172.17.200.200

FGT (1) # set portforward en

FGT (1) # set extport 8080

FGT (1) # set mappedport 3389

FGT (1) # set extintf port1

FGT (1) # next
Static NAT's extip should be different from mappedip.
object check operator error, -8, discard the setting
Command fail. Return code 1

FGT (vip) #





578
xshkurti
Staff
Staff

Created on ‎07-31-2024 08:12 AM

In this case what you can do is as per below:
1. Enable Load Balancing

config system settings
set gui-load-balance enable
end

2. Configure virtual server

config firewall vip
edit "TEST"
set type server-load-balance
set server-type tcp
set extip 172.17.200.200
set extintf "any"
set extport 8080
config realservers
edit 1
set ip 172.17.200.200
set port 3389
next
end
next
end

 

3. Configure Firewall policy to match this traffic

config firewall policy
edit 1
set name "VIP-Access"
set srcintf "port1"   ---- Incoming port
set dstintf "port2"   ---- Outgoing port
set action accept
set srcaddr "all"
set dstaddr "TEST"   ---- The name of VIP you created above
set schedule "always"
set service "ALL"
next
end

 

Please note that incoming port and outgoing port might be the same, depending on your network topology.

Hope this helps.

572
hjhajj
Staff
Staff

Created on ‎07-31-2024 09:01 AM

@jasusu 

For DNAT , You can refer the following document 
https://community.fortinet.com/t5/FortiGate/Technical-Tip-Using-Virtual-IPs-to-configure-port-forwar...

Since, you want to map the traffic to the same IP address, this is not possible with static Virtual IP as it will give the error as shown in the attached screenshot

 
 

 



Preview file
20 KB
564
0 Kudos
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.