Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
FTGmaster
New Contributor

Created on ‎05-27-2013 03:08 AM

How to set Public IP behind on a Internal Port

Hi Ive a problem: I need to install a FGT 80C behind another FGT 110C. I need to set up the 80C wan port as on of my public IP. Schema: Internet with my range of public ip/29 >> 110c WAN 1 PPPoE with one of my IP available I need one of my Public IP behind my 110C, to set the 80C Wan 1 Port (connected to one of my 110C Internal Port available) with the public IP. I know that I can do the 1-1 Nat with Virtual IP, but in this case I' d Like to use the public IP directly. thank You

FCNSA - FCNSP Certified FortiGate 20D - 30B - 40C - 50B - 60B - 60C - 80C - 100D - 110C FortiAnalyzer 100C FortiAP 220B HA

FCNSA - FCNSP Certified FortiGate 20D - 30B - 40C - 50B - 60B - 60C - 80C - 100D - 110C FortiAnalyzer 100C FortiAP 220B HA
3840
0 Kudos
5 REPLIES 5
ede_pfau
SuperUser
SuperUser

Created on ‎05-27-2013 06:29 AM

IMHO there are 2 solutions to this: 1. use a switch in front of the 110C (gateway FW) and connect both firewalls to this switch 2. use a VIP without port mapping to transparently hand over the traffic I don' t see any disadvantages in using a VIP (a.k.a. 1:1 NAT) if you don' t port-forward. You have full control over the 80C WAN traffic but the 80C won' t notice any difference to a ' real' WAN connection.

Ede

"Kernel panic: Aiee, killing interrupt handler!"
Ede"Kernel panic: Aiee, killing interrupt handler!"
1601
0 Kudos
FTGmaster
New Contributor

Created on ‎05-27-2013 06:45 AM

But I can' t setup the IP port: PPPoE to internet MYpubIP.110 as GW << FGT 110C [ MYpubIP.112 >> eth2/port2] >> eth2 >> wan80C >> FGT 80C [Wan Port = MYpubIP.112]

FCNSA - FCNSP Certified FortiGate 20D - 30B - 40C - 50B - 60B - 60C - 80C - 100D - 110C FortiAnalyzer 100C FortiAP 220B HA

FCNSA - FCNSP Certified FortiGate 20D - 30B - 40C - 50B - 60B - 60C - 80C - 100D - 110C FortiAnalyzer 100C FortiAP 220B HA
1601
0 Kudos
ede_pfau
SuperUser
SuperUser

Created on ‎05-27-2013 06:58 AM

??? Of course the VIP will only work if you get ' fixed' IP addresses via PPPoE. Can you tell me why this will not work? Ah, OK, I see...same subnet on 2 ports of the 110C! So, take solution no. 1 - a WAN switch in front of both firewalls.

Ede

"Kernel panic: Aiee, killing interrupt handler!"
Ede"Kernel panic: Aiee, killing interrupt handler!"
1601
0 Kudos
FTGmaster
New Contributor

Created on ‎05-27-2013 02:36 PM

A switch before the wan port? and how can I set the IP? ISP ROUTER >> switch << FTG I think a solution could be use the group/zone.

FCNSA - FCNSP Certified FortiGate 20D - 30B - 40C - 50B - 60B - 60C - 80C - 100D - 110C FortiAnalyzer 100C FortiAP 220B HA

FCNSA - FCNSP Certified FortiGate 20D - 30B - 40C - 50B - 60B - 60C - 80C - 100D - 110C FortiAnalyzer 100C FortiAP 220B HA
1601
0 Kudos
AtiT
Valued Contributor
In response to FTGmaster

Created on ‎05-30-2013 08:36 AM

I' m just wondering if you need to have FTG80C connected after 110C. If not, there is another question whether there is a possibility to use the FTG110C' s switch (port1 - port8 I think) for WAN connection - assign your public IP with /29 mask to port1 of the FTG110C and use his port2 for the FTG80C wan connection. Will it work? The switchports are under one subnet...

AtiT

AtiT
1602
0 Kudos
Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.