Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
chiefexecutive
New Contributor

NAT issue

hi,

I think this will be easy for some of you to tell me where the setting is to solve my problem:

I have to install an anonymous relay receive connector on our Exchange for several external IPs. Now the problem is that on the Exchange the originating IP the connection seems to come from is the LAN IP of our FortiGate, not the external IP of the guy who tries to connect to our Exchange... and so the relay doesn't work. Where can I change the setting so that the real originating IP comes to our server and not the one the FortiGate has?

thank you & regards

michael_lacey
New Contributor

I'd look on the firewall policy that allows it access through the firewall; there is an option to turn NAT on or off.

chiefexecutive

The policy rule in which the VIP for the port forwarding is has NAT turned OFF.

It doesn't matter if I turn it on or off, the issue is the same...

I tried your tip at a customer of mine and there it works like you told, but not on our local Forti..

ede_pfau
Esteemed Contributor III

1- reboot your FGT

2- use

diag deb ena
diag deb flow filter port 25
diag deb cons ena
diag deb func ena
diag deb flow trace start 20

and post the results.


Ede

"Kernel panic: Aiee, killing interrupt handler!"
ericli_FTNT

Hi OP,

Regarding your question, I think you could try to configure a NAT IP pool to set the IP you need to NAT to.

Assuming you are working on FortiOS 5.6.x, please take a look at this doc.

http://help.fortinet.com/fos50hlp/56/Content/FortiOS/fortigate-firewall/Concepts%20-%20Firewall/IP%2...

By default the IP pool is disabled; meanwhile the firewall policy would NAT any IP into the outbound interface's network IP.

Keep updated. Thx!

Ashik_Sheik

Hi

Yes, for Exchange services it is better that it uses the Exchange public IP as source while going out. This can be achieved in FortiGate using an IP pool under Policy and Objects. Kindly use the following CLI commands:

config firewall ippool
    edit EX_IP
        set comments "For Exchange"
        set type overload
        set startip Your_Public_IP
        set endip Your_Public_IP
        set arp-reply enable
        set arp-intf wan1
end

OR you can do this config using the GUI:

Go to Policy & Objects > IP Pools and select Create New. Then:

1- In the IP Pool Type field choose IPv4 Pool.

2- Enter a name in the Name field for the new service.

3- Include any description you would like in the Comments field.

4- In the Type field choose Overload.

Then go to the Exchange outbound policy and in the NAT section, instead of Outgoing Interface, please select the created Exchange IP pool.

Hope the above steps will help you.

Regds

Ashik

gdifiore
New Contributor II

On your WAN to LAN policy that you created to allow the SMTP traffic inbound (the one with the VIP for your exchange server in it), do you have NAT enabled?  If so, you should turn it off.
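The two settings discussed in this thread, NAT disabled on the inbound VIP policy so Exchange sees the real client address, and an IP pool on the outbound policy so mail leaves with the Exchange public IP, side by side as an added configuration example. This is not configuration posted by anyone in the thread; the address values (203.0.113.10 for the public IP, 192.168.1.25 for the Exchange host), interface names (wan1, internal), object names and policy IDs are assumed placeholders, and the pool EX_IP is the one defined earlier in the thread. Syntax is FortiOS 5.6-era CLI.

```fortios
# Added example, not from the original thread. All addresses, interface
# names, object names and policy IDs below are assumed placeholders.

# The Exchange host as an address object (used by the outbound policy).
config firewall address
    edit "EXCHANGE_HOST"
        set subnet 192.168.1.25 255.255.255.255
    next
end

# Port-forwarding VIP: public IP 203.0.113.10 tcp/25 -> Exchange tcp/25.
config firewall vip
    edit "EXCHANGE_SMTP_VIP"
        set extip 203.0.113.10
        set extintf "wan1"
        set portforward enable
        set mappedip "192.168.1.25"
        set extport 25
        set mappedport 25
    next
end

# Source-NAT pool for outbound mail (same object as defined in the thread;
# "overload" maps many internal hosts to the single public IP).
config firewall ippool
    edit "EX_IP"
        set comments "For Exchange"
        set type overload
        set startip 203.0.113.10
        set endip 203.0.113.10
        set arp-reply enable
        set arp-intf "wan1"
    next
end

config firewall policy
    # Inbound: WAN -> LAN through the VIP. "set nat disable" is the key line:
    # with NAT enabled the FortiGate rewrites the source to its own LAN
    # address, so the receive connector's remote-IP restriction cannot match
    # the real sender and mail logs lose the true client IP.
    edit 10
        set name "Inbound-SMTP-to-Exchange"
        set srcintf "wan1"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "EXCHANGE_SMTP_VIP"
        set action accept
        set schedule "always"
        set service "SMTP"
        set nat disable
        set logtraffic all
    next

    # Outbound: LAN -> WAN for the Exchange host only. NAT stays enabled but
    # uses the IP pool, so outgoing mail is sourced from the published
    # Exchange IP rather than the wan1 interface address (matters for
    # SPF/PTR consistency at the receiving side).
    edit 11
        set name "Outbound-SMTP-from-Exchange"
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "EXCHANGE_HOST"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "SMTP"
        set nat enable
        set ippool enable
        set poolname "EX_IP"
        set logtraffic all
    next
end
```

After applying it, a quick way to confirm the inbound side is to look at the Exchange receive connector's protocol log or the FortiGate forward-traffic log for policy 10: the source address should be the external client's IP, not the FortiGate's LAN address. If the VIP policy still shows NAT enabled in the GUI after `set nat disable`, check that you edited the WAN-to-LAN policy and not the outbound one.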
