Support Forum
chilinski
New Contributor

Pass external/source ip through firewall to ftp server

Hello All, My ftp connection through the firewall is working, but I would like to see the external/source ip address instead of the internal firewall ip address in my ftp logs. I tried unchecking NAT in the firewall policy, but it did not fix the issue. Any help is appreciated. Here is my setup:

Fortigate-60B 3.00-b0662 (MR6 Patch 1)
Operation Mode: NAT

Firewall > Virtual IP Mapping
- Name: ftp
- Type: static nat
- External interface: wan1
- External IP address/Range: 64.*.*.*
- Mapped IP address/Range: 10.*.*.*
- Port Forwarding: not checked

Firewall > Policy
- Source Interface/Zone: wan1
- Source Address: all
- Destination: dmz
- Destination Address: ftp
- Schedule: always
- Service: ftp
- Action: ACCEPT
- NAT: checked

Thanks!
UkWizard
New Contributor

Unchecking NAT will resolve it. If it doesn't, like you say, then you must be editing the wrong policy. All inbound rules should have NAT unchecked; all outbound should have it checked.
UK Based Technical Consultant FCSE v2.5 FCSE v2.8 FCNSP v3 Specialising in Systems, Apps, SAN Storage and Networks, with over 25 Yrs IT experience.
chilinski
New Contributor

Thanks for the reply. I was testing the ftp connection from both the lan and the wan connection. It appears that ftp (external ip) will not work from the lan unless NAT is checked. When I test the ftp connection from an outside ip to the external ftp ip, and NAT is unchecked, it shows the source ip in the ftp logs. So... is there some way to use the external ip (for the ftp) from the lan?
UkWizard
New Contributor

NAT SHOULD be enabled on the outbound, as per all outbound policies. This will allow the internal to FTP the external IP. It's only inbound that shouldn't have NAT enabled.
UK Based Technical Consultant FCSE v2.5 FCSE v2.8 FCNSP v3 Specialising in Systems, Apps, SAN Storage and Networks, with over 25 Yrs IT experience.
chilinski
New Contributor

NAT is enabled on the outgoing policy. The issue happens when I connect from internal to the dmz, where the ftp server is located. Sorry for not being clear on the location of the server. Thanks again for the help.
rwpatterson
Valued Contributor III

If you are using the WANx VIP definition from the inside, you'll need to create a loopback policy:

- Source interface: WANx
- Source address: INTERNAL IP subnet
- Destination interface: internal (DMZ, etc.)
- Destination address: VIP definition

This will allow the internal IPs to the VIP without NAT enabled for all on the way in.

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com

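The VIP and the two NAT-disabled policies described in this thread (the inbound wan1 policy and the loopback policy for LAN clients), written out in FortiOS CLI form. This is an added example, not config from the original posters; the angle-bracket placeholders stand in for the masked addresses, and the policy IDs, the "lan_subnet" address object and the "FTP" service name are assumptions to verify on the device.

```fortios
# Added example: CLI form of the VIP/policy setup discussed above.
# Placeholders in <angle brackets> replace the masked addresses.
config firewall vip
    edit "ftp"
        set extintf "wan1"
        set extip <EXTERNAL_IP>
        set mappedip <FTP_SERVER_IP>
    next
end

# Address object for the LAN clients (name assumed).
config firewall address
    edit "lan_subnet"
        set subnet <LAN_SUBNET> <LAN_NETMASK>
    next
end

config firewall policy
    # Inbound from the Internet to the VIP. NAT is disabled so the FTP
    # server logs the real external source address, not the firewall's.
    edit 10
        set srcintf "wan1"
        set dstintf "dmz"
        set srcaddr "all"
        set dstaddr "ftp"
        set action accept
        set schedule "always"
        set service "FTP"
        set nat disable
    next
    # Loopback policy for LAN clients that connect to the VIP's external
    # address: the session is matched on the VIP's interface (wan1) with the
    # LAN subnet as source. NAT stays off so the server sees the client IP.
    edit 11
        set srcintf "wan1"
        set dstintf "dmz"
        set srcaddr "lan_subnet"
        set dstaddr "ftp"
        set action accept
        set schedule "always"
        set service "FTP"
        set nat disable
    next
end
```

Leave NAT enabled on the ordinary internal-to-wan1 outbound policy, as UkWizard notes; only the policies that deliver traffic to the VIP need it off.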
UkWizard
New Contributor

so are the internal clients accessing it via the VIP or the DMZ real address?
UK Based Technical Consultant FCSE v2.5 FCSE v2.8 FCNSP v3 Specialising in Systems, Apps, SAN Storage and Networks, with over 25 Yrs IT experience.
chilinski
New Contributor

The internal clients are attempting to access the ftp site through the VIP address. I'll give the loopback policy a shot and post the results later. I appreciate it guys!