Port Forwarding to Multiple Internal IP Addresses
Hello,
I have a port forwarding question that I'm hoping someone will find simple to answer.
I'm trying to intercept traffic bound for a certain public IP/port combination and redirect it to a different internal IP and port, so that I use the same public IP address for several unique internal devices (rather than setting up a standard 1 to 1 translation via a VIP).
In other words, I'm trying to translate the same external public IP, with unique ports, to different internal IP addresses.
I believe that on a Cisco box this would be accomplished using the following syntax, where 123.123.123.252 represents a public address and 192.168.22.xx an internal address:
static (inside,outside) tcp 123.123.123.252 6301 192.168.22.19 80 netmask 255.255.255.255
static (inside,outside) tcp 123.123.123.252 6302 192.168.22.20 80 netmask 255.255.255.255
Does anyone know if there is a way to accomplish this on a Fortigate device?
Thank you for any feedback or advice in advance!
Tom
Hi,
and welcome to the forums.
Yes, what you want to do is possible.
In FortiOS, you create one VIP for each (external) port you want to forward. As a VIP is used in a policy, this would mean multiple policies. For this situation there are VIP groups: make multiple VIPs members of a VIP group and use this group in one policy 'wan' -> 'internal' as the destination address.
Ede Kernel panic: Aiee, killing interrupt handler!
Example config; note that the external interface and external IP are consistent in the VIP definitions.
config firewall vip
    edit "NAT_external_HTTP"
        set extip 123.123.123.252
        set extintf "wan"
        set portforward enable
        set mappedip 192.168.22.19
        set extport 80
        set mappedport 80
    next
    edit "NAT_external_HTTPS"
        set extip 123.123.123.252
        set extintf "wan"
        set portforward enable
        set mappedip 192.168.22.20
        set extport 443
        set mappedport 443
    next
    edit "NAT_external_RDP"
        set extip 123.123.123.252
        set extintf "wan"
        set portforward enable
        set mappedip 192.168.22.21
        set extport 3389
        set mappedport 3389
    next
end
config firewall vipgrp
    edit "VIPGroup_external"
        set interface "wan"
        set member "NAT_external_HTTP" "NAT_external_HTTPS" "NAT_external_RDP"
    next
end
config firewall policy
    edit 100
        set srcintf "wan"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "VIPGroup_external"
        set action accept
        set schedule "always"
        set service "HTTP" "HTTPS" "RDP"
        set logtraffic enable
        set comments "Allow inbound HTTP, HTTPS and RDP for external VIP redirect"
    next
end
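
An added example, not part of the thread or of FortiOS: a small Python check that parses `config firewall vip` output in the format above and reports external IP/port pairs claimed by more than one VIP, plus VIPs that map to SSH or RDP. The sample config, the VIP names `NAT_external_6301` and `NAT_dup_6301`, and the `ADMIN_PORTS` list are constructed assumptions; it assumes single-port VIPs rather than port ranges.

```python
import re
from collections import defaultdict

ADMIN_PORTS = {22, 3389}  # assumption: SSH/RDP, the mapped ports this audit flags
# Constructed sample (thread's VIP format); NAT_dup_6301 reuses extport 6301 on purpose.
SAMPLE = """\
config firewall vip
    edit "NAT_external_6301"
        set extip 123.123.123.252
        set mappedip 192.168.22.19
        set extport 6301
        set mappedport 80
    next
    edit "NAT_external_RDP"
        set extip 123.123.123.252
        set mappedip 192.168.22.21
        set extport 3389
        set mappedport 3389
    next
    edit "NAT_dup_6301"
        set extip 123.123.123.252
        set mappedip 192.168.22.20
        set extport 6301
        set mappedport 80
    next
end
"""

def parse_vips(text):
    """Return {vip_name: {setting: value}} for the 'config firewall vip' section."""
    vips, name, active = {}, None, False
    for line in map(str.strip, text.splitlines()):
        if line.startswith("config "):
            active = line == "config firewall vip"  # ignore vipgrp, policy, ...
        elif active and (m := re.match(r'edit "(.+)"$', line)):
            name = m.group(1)
            vips[name] = {}
        elif active and name and (m := re.match(r"set (\S+) (.+)$", line)):
            vips[name][m.group(1)] = m.group(2).strip('"')
    return vips

def audit(vips):
    """Return (extip/protocol/extport claimed by >1 VIP, VIPs mapping to admin ports)."""
    claims = defaultdict(list)
    for name, v in vips.items():
        claims[(v["extip"], v.get("protocol", "tcp"), int(v["extport"]))].append(name)
    collisions = {k: names for k, names in claims.items() if len(names) > 1}
    admin = sorted(n for n, v in vips.items() if int(v["mappedport"]) in ADMIN_PORTS)
    return collisions, admin
```

Calling `audit(parse_vips(text))` on a saved config returns the colliding VIP names and the VIPs to review before they are referenced from a policy whose source address is `all`.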
Thank you both very much for your quick responses and warm welcome to the forum. Your advice worked perfectly! Thanks again.
Tom
