NAT from one computer to another
Good afternoon!
I am a networking rookie currently working with a Fortigate 80F, and am trying to understand how NAT works. I have two computers connected to the router with static IP addresses of 192.168.1.1 (PC1) and 192.168.1.101 (PC2). I am looking to set something basic up in which I can ping a virtual IP address (let's say 192.168.50.1) on PC1, and this will translate to PC2's IP address and get a reply back from PC2. I set up a Virtual IP to do this on PC1, and still have all interfaces on the hardware switch. I didn't get any response from the ping. I also added an IPv4 policy to allow traffic from the internal switch through that pings the VIP, but this also didn't work. Am I missing something here? I'm confused as to why this isn't working. I would really appreciate any insights anyone can provide!
You should try two PCs on two different interfaces. I don't know if an 80F has a hard-switch like "internal" to combine all LAN ports. But if so, you should break them into individual ports like internal1 and internal2. Then assign different subnets to each interface and connect a PC to one port.
That way it's easy to understand which is the external interface and which is the internal one in terms of the VIP, as described in cookbooks and other documents.
Thanks for your helpful reply! I am still having some trouble unfortunately. I did what you said and removed interface3 and interface4 from the hardware switch and gave them their own subnets (192.168.2.0/24 and 192.168.3.0/24 respectively). I was using the following post to try and do my NATing:
https://forum.fortinet.com/tm.aspx?m=136309
I followed that post exactly, just using internal on both sides instead of having a side that faced the internet, and am still having no luck. Would the NATing still look like the above post when you have two private IP addresses on both the internal and external sides? Or does this require something different?
My guess is you didn't set up the pair of policies right. The CLI is easier to examine. Get into the CLI via console, SSH, or the CLI on the GUI. Then:
config firewall policy
show | grep -f interface3
(I'm not sure this is the correct interface name. A 60F has internal1, internal2, ...)
Then show us the pair of policies you created in the GUI.
Here is the policy I created for the router. The idea here is to use NAT to communicate to another PC using a simple routed address. I realize this structure may not make sense, as the computers could communicate already given their IP addresses, but I wanted to use this as a learning exercise. If it helps, here is the diagram of what I am trying to do:
I really appreciate any help you can give me! Thank you so much in advance.
I realize the images may not have shown up on the previous post. Here's the firewall policy
First, you should be able to copy & paste text.
I thought you changed the subnets to 192.168.2 and .3. The diagram is showing the old IPs.
The policies look right. So next is:
show firewall vip
show firewall ippool
I'm assuming you have only one vip and ippool.
Hi Toshi. Ah I think I do see at least one issue currently. I didn't change the IPs on the computers, just on the internal3 and internal4 interfaces themselves. Is this an issue? Do I need to have the PC plugged into internal3 to have a 2.x address and the PC plugged into internal4 to have a 3.x address?
Here's the output of the policies:
config firewall vip
    edit "RSM1"
        set uuid 2719d366-3cdd-51ec-ba44-29057e035375
        set extip 192.168.50.1
        set extintf "any"
        set mappedip "192.168.1.101"
    next
end
config firewall ippool
    edit "R1IPpool"
        set type one-to-one
        set startip 192.168.1.1
        set endip 192.168.1.1
    next
end
alexm3 wrote: Here's a diagram to ensure you know what I'm trying to do
In your diagram, PC 2 cannot be on a different interface if the subnet mask is a class C (24 bit).
Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
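The addressing problems this thread turns on (PCs left on 192.168.1.x after the ports moved to 192.168.2.0/24 and 192.168.3.0/24, a VIP whose mappedip no port serves, a /24 mask that pins both PCs to one subnet) can be caught on paper before touching the FortiGate. The checker below is an added example, not code from the thread or from Fortinet; check_vip_layout and the two constructed layouts are assumed names, and the "fixed" addresses are illustrative choices.

```python
import ipaddress
from typing import Dict, List, Tuple

def check_vip_layout(interfaces: Dict[str, str], pcs: Dict[str, Tuple[str, str]],
                     vip: Dict[str, str], ippool: Dict[str, str]) -> List[str]:
    """Return layout problems; an empty list means the layout is plausible."""
    # interfaces: port -> CIDR; pcs: PC -> (address, port it is plugged into);
    # vip / ippool: keys as printed by 'show firewall vip' and 'show firewall ippool'.
    nets = {n: ipaddress.ip_network(s, strict=False) for n, s in interfaces.items()}
    issues: List[str] = []
    # Two ports carrying overlapping subnets cannot be routed between.
    for i, a in enumerate(nets):
        for b in list(nets)[i + 1:]:
            if nets[a].overlaps(nets[b]):
                issues.append(f"{a} and {b} overlap: {nets[a]} vs {nets[b]}")
    # A PC's address must fall inside the subnet of the port it is plugged into.
    for pc, (addr, port) in pcs.items():
        if ipaddress.ip_address(addr) not in nets[port]:
            issues.append(f"{pc} ({addr}) is not inside {port} subnet {nets[port]}")
    # The VIP's external address must not sit inside a directly connected subnet.
    ext = ipaddress.ip_address(vip["extip"])
    for n, net in nets.items():
        if ext in net:
            issues.append(f"VIP extip {ext} collides with {n} subnet {net}")
    # The mapped (real) server must live behind one of the ports.
    mapped = ipaddress.ip_address(vip["mappedip"])
    server_port = next((n for n, net in nets.items() if mapped in net), None)
    if server_port is None:
        issues.append(f"VIP mappedip {mapped} is not in any interface subnet")
        return issues
    # A client on the server's own port never crosses an inter-interface policy.
    for pc, (addr, port) in pcs.items():
        if port == server_port and ipaddress.ip_address(addr) != mapped:
            issues.append(f"{pc} shares {port} with the mapped server; use two ports")
    # The SNAT pool must be reachable from the server side, i.e. inside its subnet.
    start, end = ipaddress.ip_address(ippool["startip"]), ipaddress.ip_address(ippool["endip"])
    if start not in nets[server_port] or end not in nets[server_port]:
        issues.append(f"ippool {start}-{end} is not in {server_port} subnet {nets[server_port]}")
    return issues

# Constructed from the thread: ports re-addressed, PCs/VIP/pool still on 192.168.1.x.
THREAD_LAYOUT = dict(
    interfaces={"internal3": "192.168.2.0/24", "internal4": "192.168.3.0/24"},
    pcs={"PC1": ("192.168.1.1", "internal3"), "PC2": ("192.168.1.101", "internal4")},
    vip={"extip": "192.168.50.1", "mappedip": "192.168.1.101"},
    ippool={"startip": "192.168.1.1", "endip": "192.168.1.1"})
# Constructed fix: readdress the PCs, the VIP target and the pool to the new subnets.
FIXED_LAYOUT = dict(
    interfaces={"internal3": "192.168.2.0/24", "internal4": "192.168.3.0/24"},
    pcs={"PC1": ("192.168.2.10", "internal3"), "PC2": ("192.168.3.10", "internal4")},
    vip={"extip": "192.168.50.1", "mappedip": "192.168.3.10"},
    ippool={"startip": "192.168.3.254", "endip": "192.168.3.254"})
```

Running check_vip_layout(**THREAD_LAYOUT) reports both PCs outside their ports' subnets and a mappedip no port serves; the fixed layout reports nothing.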