Good afternoon!
I am a networking rookie currently working with a Fortigate 80F, and am trying to understand how NAT works. I have two computers connected to the router with static IP addresses of 192.168.1.1 (PC1) and 192.168.1.101 (PC2). I am looking to set something basic up in which I can ping a virtual IP address (let's say 192.168.50.1) on PC1, and this will translate to PC2's IP address and get a reply back from PC2. I set up a Virtual IP to do this on PC1, and still have all interfaces on the hardware switch. I didn't get any response from the ping. I also added an IPv4 policy to allow traffic from the internal switch through that pings the VIP, but this also didn't work. Am I missing something here? I'm confused as to why this isn't working. I would really appreciate any insights anyone can provide!
Solved! Go to Solution.
You should try two PCs on two different interfaces. I don't know if an 80F has hard-switch like "internal" to combine all LAN ports. But if so, you should break them into individual ports like internal1 and internal2. Then assign different subnets to each interface and connect a PC to one port.
That way it is easy to understand which interface is external and which is internal in terms of the VIP, as described in the cookbooks and other documents.
Thanks for your helpful reply! I am still having some trouble unfortunately. I did what you said and removed interface3 and interface4 from the hardware switch and gave them their own subnets (192.168.2.0/24 and 192.168.3.0/24 respectively). I was using the following post to try and do my NATing:
https://forum.fortinet.com/tm.aspx?m=136309
I followed that post exactly, just using internal on both sides instead of having a side that faced the internet, and am still having no luck. Would the NATing still look like the above post when you have private IP addresses on both the internal and external sides? Or does this require something different?
My guess is you didn't set a set of policies right. CLI is easier to examine. Get in CLI via console, ssh, or CLI on GUI. Then,
config firewall policy
show | grep -f interface3 (I'm not sure this is the correct interface name. 60F has internal1, internal2, ...)
Then show us the pair of policies you created in GUI.
Here is the policy I created for the router. The idea here is to use NAT to communicate to another PC using a simple routed address. I realize this structure may not make sense, as the computers could communicate already given their IP addresses, but I wanted to use this as a learning exercise. If it helps, here is the diagram of what I am trying to do:
I really appreciate any help you can give me! Thank you so much in advance
First, you should be able to copy & paste text.
I thought you changed the subnets with 192.168.2 and .3. The diagram is showing the old IPs.
The policies look right. So next is:
show firewall vip
show firewall ippool
I'm assuming you have only one vip and ippool.
Hi Toshi. Ah I think I do see at least one issue currently. I didn't change the IPs on the computers, just on the internal3 and internal4 interfaces themselves. Is this an issue? Do I need to have the PC plugged into internal3 to have a 2.x address and the PC plugged into internal4 to have a 3.x address?
Here's the output of the policies:
config firewall vip
    edit "RSM1"
        set uuid 2719d366-3cdd-51ec-ba44-29057e035375
        set extip 192.168.50.1
        set extintf "any"
        set mappedip "192.168.1.101"
    next
end
config firewall ippool
    edit "R1IPpool"
        set type one-to-one
        set startip 192.168.1.1
        set endip 192.168.1.1
    next
end
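For readers following the two-interface layout Toshi suggests (PC1 behind internal3 in 192.168.2.0/24, PC2 behind internal4 in 192.168.3.0/24), this is what the VIP and its policy look like. It is an added example, not configuration from the thread; the interface addresses, the PC addresses 192.168.2.100 and 192.168.3.101, and the object names are assumptions.

```fortios
# Added example (not from the thread). Assumed addressing:
# PC1 = 192.168.2.100 on internal3, PC2 = 192.168.3.101 on internal4,
# each PC using the FortiGate interface address as its default gateway.
config system interface
    edit "internal3"
        set ip 192.168.2.1 255.255.255.0
        set allowaccess ping
    next
    edit "internal4"
        set ip 192.168.3.1 255.255.255.0
        set allowaccess ping
    next
end

# PC1 pings 192.168.50.1; the FortiGate rewrites the destination to PC2.
# extintf is pinned to the client-facing interface rather than "any", so
# the translation applies only to traffic entering from internal3.
config firewall vip
    edit "VIP_PC2"
        set extip 192.168.50.1
        set extintf "internal3"
        set mappedip "192.168.3.101"
    next
end

# The VIP only takes effect when a policy references it as dstaddr.
# nat enable rewrites the source to the internal4 address (192.168.3.1),
# so PC2 replies to its own subnet without needing a route to 192.168.2.0/24.
config firewall policy
    edit 0
        set name "PC1_to_PC2_via_VIP"
        set srcintf "internal3"
        set dstintf "internal4"
        set srcaddr "all"
        set dstaddr "VIP_PC2"
        set action accept
        set schedule "always"
        set service "PING"
        set nat enable
    next
end
```

On the FortiGate, `diagnose sniffer packet any 'icmp' 4` shows the echo request arriving on internal3 addressed to 192.168.50.1 and leaving internal4 addressed to 192.168.3.101, which confirms the DNAT is being applied.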
alexm3 wrote: Here's a diagram to ensure you know what I'm trying to do
In your diagram, PC 2 cannot be on a different interface if the subnet mask is a class C (24 bit).
Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
Copyright 2024 Fortinet, Inc. All Rights Reserved.