vantho
New Contributor

NAT rule issue with my Fortinet 60C

Hi All, I configured a FortiGate 60C. It is connected to a broadband modem to get an internet connection through the WAN1 port. From the internet I could access the firewall web console through the WAN1 interface using a NAT rule in the modem, but couldn't get to a PC inside the LAN network. I had set up a Virtual IP and policy as advised after a lot of internet searching. Any idea to help me out with this issue? Thanks a lot.
Note:
- Policy already allows any from WAN to internet with ALL, Accept.
- The Virtual IP rule points to the destination IP in the LAN.
- Standing at the modem I can't ping a PC inside the LAN (I don't know how to set up a policy that lets ping go through).
Thanks.
ede_pfau
SuperUser

Hi, and welcome to the forums. If your VIP is port forwarding you will not be able to ping the internal server. Ping is an application of the ICMP protocol, which doesn't use ports. You will probably be forwarding TCP on port 80 or 443, which doesn't cover ping. The only way to have ping go through a VIP is to make the VIP non-port-forwarding. This will consume the public address completely, though. With a decent tool you could "tcp ping" your server; there are tools around which try to establish a TCP connection and report the response. BTW, best practice would put the 'exposed' server on a FortiGate port of its own, and not have external traffic traverse the whole LAN via the LAN switch. The 60C should have some spare ports for this... In your setup the default route on the FGT should point to the modem (.11.1). The WAN port of the FGT will not have a public IP, which will make receiving the FortiGuard updates a bit more difficult. If possible, put the modem into 'bridge mode' and put all credentials onto the FGT. For instance, I do this for PPPoE ADSL modems. In this case, the FGT will truly be the gateway and have a public WAN IP. Anyway, does your setup work except for the ping? If you still have questions, please state the FortiOS version you are using.
Ede Kernel panic: Aiee, killing interrupt handler!
vantho
New Contributor

Hi Ede_pfau, thanks for welcoming me and for your reply.
- My FGT 60C is using firmware v5.0 build 0147 (GA patch 1).
- Yes, in the diagram the default route points exactly to 11.1; it worked well without any problems, even fetching FortiGuard updates. Your idea to change the ADSL to bridge mode is what I thought also, but it would be better to keep things as they are for some reasons (on-line configuration / not enough man-power there...).
- Using an "exposed" port as you mentioned, does that mean we will hook the server into the DMZ port? I think that will be the last consideration, for the reasons listed above.
- In the VIP I had allowed ALL; I thought that using that option would allow the ICMP protocol for the ping command. Yes, ICMP does not use ports, thank you.
>> Do you have any experience on how to allow users from the Internet to go through to the server inside the LAN without changing the ADSL / default gateway / DMZ port? It looks like two NATs: one from the Internet to the WAN segment and one from WAN to the LAN segment. I have tried many times with VIP/policy/NAT but am still not able to get the traffic as wanted. Regards.
ede_pfau
SuperUser

I don't see any reason why double NAT would prevent traffic if the correct routes are set. The modem in bridge mode was just a suggestion NOT related to your problem. I do it for a simple reason: no config on the modem itself. If it burns from line voltage spikes I can just send a replacement to the remote site and have it connected. Might be because I've had a long day (with family :) but I lost the idea of what your problem really is: the FGT can connect to the FortiGuard servers (which I didn't expect), and outbound traffic seems not to be the problem. Inbound traffic is using a VIP; be sure not to check 'port forwarding', which is different from specifying all ports. Whether you use the internal port for your server or another dedicated port of the FGT is a question of security, not of technical importance. I tell my customers to see the DMZ server as being hacked: how much more damage can an attacker inflict on the LAN then? With just one server in the DMZ, and NO policies from DMZ to internal LAN, not much... having the server in the middle of the internal LAN, though, makes a big difference. For further help, we need:
- the VIP definition
- the policy it is used in (WAN -> internal)
- the routing table (from Routing Monitor)
if possible as text snippets from the command line/console.
Ede Kernel panic: Aiee, killing interrupt handler!
vantho
New Contributor

Hi Ede, here is some info:

    config firewall vip
        edit "ServerNAT"
            set extintf "wan1"
            set portforward enable
            set mappedip 192.168.10.50
            set extport 80
            set mappedport 80
        next
    end
    config firewall policy
        edit 7
            set srcintf "wan1"
            set dstintf "internal"
            set srcaddr "all"
            set dstaddr "all"
            set action accept
            set status disable
            set schedule "always"
            set service "ALL"
        next
    end
    config router static
        edit 3
            set device "wan1"
            set gateway 192.168.11.1
        next
    end

At the ADSL router, I had assigned the rule: source ANY, port 8080, transferred to port 80 on interface WAN1.
"...but I lost the idea what your problem really is: the FGT can connect to the FortiGuard servers (which I didn't expect), and outbound traffic seems not to be the problem" >>> Actually, if left as normal, FortiGuard will not connect to the servers; I had just opened 2 ports in the ADSL used to connect to the FortiGuard services, and then it is OK.
"Inbound traffic is using a VIP - be sure not to check 'port forwarding' which is different from specifying all ports" >>> I'm sorry, but I can't understand... can you please explain more for me? Any info that you need to investigate, please let me know. Thanks much.
ede_pfau
SuperUser

OK, that information was badly needed!
1. Disable port forwarding in the VIP config.
2. Policy 7 is NOT active: 'set status disable'.
3. Create a new policy, with
- source interface: wan1
- source addr: all
- dest interface: internal
- dest addr: your_VIP <==== this is important!!
- no NAT
4. The static route is OK.
Now you can ping the server from the WAN port. To test, disconnect the modem, connect with a notebook with IP address .11.1 and ping the server. Try HTTP on port 80 also. And I see that your server will only be accessible via port 8080 from outside.
Ede Kernel panic: Aiee, killing interrupt handler!
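An added example, not from this thread or from Fortinet: a small Python checker that parses a FortiOS-style config snippet and flags the three pitfalls named in the reply above, port forwarding on the VIP (which blocks ping), a policy left disabled, and an inbound policy whose dstaddr is not the VIP. The sample config is constructed to mirror the snippet posted earlier; the VIP name "ServerNAT" and policy ID 7 are the thread's, everything else is assumed.

```python
import shlex

# Constructed sample mirroring the posted snippet (VIP name and policy ID are the thread's).
SAMPLE = """\
config firewall vip
    edit "ServerNAT"
        set portforward enable
        set mappedip 192.168.10.50
    next
end
config firewall policy
    edit 7
        set srcintf "wan1"
        set dstintf "internal"
        set dstaddr "all"
        set status disable
    next
end
"""

def parse(text):
    """Parse FortiOS 'config/edit/set/next/end' text into {table: {entry: {key: [values]}}}."""
    tables, table, entry = {}, None, None
    for raw in text.splitlines():
        words = shlex.split(raw)  # strips the quotes around names like "ServerNAT"
        if not words:
            continue
        if words[0] == "config":
            table = tables.setdefault(" ".join(words[1:]), {})
        elif words[0] == "edit":
            entry = table.setdefault(words[1], {})
        elif words[0] == "set":
            entry[words[1]] = words[2:]
    return tables

def check(tables):
    """Return one finding per pitfall discussed in the thread (empty list means none found)."""
    findings = []
    vips = tables.get("firewall vip", {})
    for name, vip in vips.items():
        if vip.get("portforward") == ["enable"]:
            findings.append(f"vip {name}: port forwarding enabled, ICMP (ping) will not pass")
    for pid, pol in tables.get("firewall policy", {}).items():
        if pol.get("status") == ["disable"]:
            findings.append(f"policy {pid}: status disable, policy is inactive")
        if pol.get("srcintf") == ["wan1"] and not set(pol.get("dstaddr", [])) & set(vips):
            findings.append(f"policy {pid}: inbound dstaddr should name the VIP, not {pol.get('dstaddr')}")
    return findings
```

Running `check(parse(SAMPLE))` on the constructed sample reports all three findings; the same snippet with port forwarding disabled, the policy enabled and dstaddr set to "ServerNAT" reports none.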
vantho
New Contributor

I will test that and keep you updated, Ede... thanks a lot for your support.
vantho
New Contributor

Hi Ede, I tried following your guide but am still not able to access inside, even pinging from the modem back to the server NAT address. I much appreciate your time to look at this. Thanks. Please refer to the attached config file (rename the file to 11.zip before opening).
ede_pfau
SuperUser

Thanks for your confidence. Please check and change these points:
1.

    config system interface
        edit "wan1"
            set mode static
            set ip 192.168.111.2 255.255.255.0

shouldn't that be in the 192.168.11.x range?
2.

    config firewall vip
        edit "ServerNAT"
            set type static-nat
            set extip 0.0.0.0
            set extintf "wan1"
            set portforward disable
            set mappedip 192.168.10.50
        next
    end

change to

            set extip 192.168.11.x

where 192.168.11.x is the external IP address used for the internal server.
3. Policies:
- delete, delete, delete policy ID 8
- policy 4 covers policy 5, I'd delete policy 5
- policy 7 (the NAT policy) looks OK
Ede Kernel panic: Aiee, killing interrupt handler!
vantho
New Contributor

Dear Ede, please see my in-line discussion below:
#1: This is my fault... I reverted back to the right IP address for WAN1 (11.2).
#2: Already changed as per your guide.
#3: Sorted out the meaningless policy 8; policy 5 actually is a little bit different from 4, so I will keep that.
But... :-( it still can't. What am I missing? Thanks.