Not applicable

Port forwarding vs Static NAT in Virtual IPs

To publish our websites behind our Fortigate unit, we initially used Static NAT in our Virtual IPs (VIPs) and then created the policies to publish the site and allow only HTTP and HTTPS traffic to them. We recently had occasion to make us investigate using Port Forwarding for our VIPs. Once we changed the VIPs to be Port Forwarding, I could no longer do a tracert to the public IP of any of our websites. It would hit the LAN IP of the Fortigate and then give me "Destination Host Unreachable". I also could not reach some of our sites internally even though an nslookup correctly identified the public IP address they were using. Without the Static NAT, it's like the public IP addresses are not bound to the NIC of the firewall. Has anyone else seen anything like this and, if so, how did you overcome it besides the obvious - use Static NAT?
10 REPLIES
UkWizard
New Contributor

If you are using port forwarding, then the IP isn't in use, so I would expect this behaviour. If you want to ping or do any other traffic, you would need static NAT. Essentially no other connections (except to ports that are set up for the port forwarding) would be allowed. Why would you want to perform a trace to your own webservers anyway? If you really want to, why not go back to using Static NAT?
UK Based Technical Consultant FCSE v2.5 FCSE v2.8 FCNSP v3 Specialising in Systems, Apps, SAN Storage and Networks, with over 25 Yrs IT experience.
Not applicable

Why would you want to perform a trace to your own webservers anyway?
First, you need to understand the reasoning for moving from Static NAT to Port Forwarding. We have 3 separate IIS servers behind our firewall with the exact same configuration, sites, etc. (except IP addresses). This way, we can move any of our public sites to a different server by simply changing the forwarding in the firewall. This is as opposed to using clustering for true failover capability - they are still not comfortable with having us do that. Hence, our situation.

That said, we have one of our public IP addresses that is used for FTP.mydomain.com and for WWW.mydomain.com. The powers that be wanted to be able to move FTP independently of WWW. Therefore, with a Static NAT, I always have to tie the WWW and FTP together and move them to another server together. Port Forwarding would allow me to do this since port 21 and port 80 could be independently assigned to separate LAN servers.

This past week, we tried going to Port Forwarding instead of Static NAT. The first indication something was wrong was our users could not hit one of our websites. Before you mention internal DNS, this is a site hosted for a customer where they point their DNS entry to our IP address. I tried to do an NSLOOKUP of the domain name and it resolved the proper external IP address. When I did a trace, the last good hop was the Internal IP of the Fortigate. The next one said Destination Host Unreachable. Also, some external clients were not able to reach some of our websites. I verified this fact by trying it from my home and I was unable to reach these sites unless we went back to Static NAT. That is the reason I would try to trace to my own web sites.
UkWizard
New Contributor

I see, but you don't really want to use traceroute to test whether a port's open. I often use web-based port testing for this, or go to the port directly. Have a look at http://centralops.net then click the Domain Dossier; in there you can type IP or domain names and tick the service scan. It will check what ports are open. You cannot use tracert as the firewall would block it externally anyway (or should be configured to).
UK Based Technical Consultant FCSE v2.5 FCSE v2.8 FCNSP v3 Specialising in Systems, Apps, SAN Storage and Networks, with over 25 Yrs IT experience.
Not applicable

I didn't try the tracert from external. That was internal only. I agree that external ICMP traffic should not be allowed. Also, the tracert was not for the purpose of finding an open port. It was simply to see if my traffic to that IP was going properly from inside. My question would be this . . . if Port Forwarding does not bind the external IP to the Fortigate's external interface, how would anyone on the Internet be able to view a website that is served from that IP address?
UkWizard
New Contributor

It doesn't bind to it as such; it just responds to ARPs for the other IP you are NATting. But if you don't have a static NAT, you cannot trace or ping it. You will only be able to connect to the ports that you have opened.
UK Based Technical Consultant FCSE v2.5 FCSE v2.8 FCNSP v3 Specialising in Systems, Apps, SAN Storage and Networks, with over 25 Yrs IT experience.
Not applicable

OK, I see what you are saying and why you thought I was doing a tracert to a specific port. Why do you think external customers were unable to reach certain websites I am hosting when I was in Port Forwarding mode?
UkWizard
New Contributor

Did it not work from the start, or was it intermittent later?
UK Based Technical Consultant FCSE v2.5 FCSE v2.8 FCNSP v3 Specialising in Systems, Apps, SAN Storage and Networks, with over 25 Yrs IT experience.
Not applicable

It was OK at first because we still had the Static NAT setup in VIP settings - just didn't use them in a policy. Once we deleted these static NAT VIP settings, it began to fail. Furthermore, when we originally had the static NAT, we could use the same external IP to create our Port Forwarding VIPs and they coexisted. Once I created all the Port Forwarding VIPs and removed the Static NAT ones, I couldn't add back a Static NAT VIP if that external IP was used in a Port Forwarding VIP.
UkWizard
New Contributor

You may find that when you switched to the port forwarding, the access from internally stopped, whereas the external may have still worked. Or the rules may have needed to be changed. It is correct, you should not be able to use a static NAT AND a port forwarding on the same external IP address, as these would conflict with one another.
UK Based Technical Consultant FCSE v2.5 FCSE v2.8 FCNSP v3 Specialising in Systems, Apps, SAN Storage and Networks, with over 25 Yrs IT experience.
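The two VIP styles discussed in this thread, written out as FortiOS CLI. This is an added example, not configuration posted by anyone in the thread, and the names are assumptions: interfaces "wan1" and "internal", public IP 203.0.113.10 (a documentation address), LAN servers 10.0.0.11 and 10.0.0.12, and the 5.x/6.x form of the CLI (older releases, such as the ones the posters were running, differ in minor details like quoting). Option A is the single static NAT VIP the original poster started with; Option B is the port-forwarding arrangement they wanted, with TCP/80 and TCP/21 on the same public IP sent to different servers.

```text
# Added example, not from the thread. Assumed names: wan1/internal interfaces,
# public IP 203.0.113.10, LAN servers 10.0.0.11 and 10.0.0.12.

# --- Option A: one static NAT VIP. Every port and protocol aimed at
# 203.0.113.10 is translated to one server, so WWW and FTP can only move
# together. Because the whole address is NATted, ping/traceroute to the
# public IP can also be translated (if a policy allows the service).
config firewall vip
    edit "vip-static-203.0.113.10"
        set extip 203.0.113.10
        set extintf "wan1"
        set mappedip "10.0.0.11"
        set arp-reply enable     # FortiGate answers ARP for 203.0.113.10 on wan1
    next
end

# --- Option B: two port-forwarding VIPs on the same public IP, each to a
# different server. Only TCP/80 and TCP/21 are translated. ICMP to
# 203.0.113.10 matches no VIP, which is why a tracert stops at the firewall
# even though the FortiGate still answers ARP for the address.
config firewall vip
    edit "vip-www-203.0.113.10-80"
        set extip 203.0.113.10
        set extintf "wan1"
        set portforward enable
        set protocol tcp
        set extport 80
        set mappedip "10.0.0.11"
        set mappedport 80
        set arp-reply enable
    next
    edit "vip-ftp-203.0.113.10-21"
        set extip 203.0.113.10
        set extintf "wan1"
        set portforward enable
        set protocol tcp
        set extport 21
        set mappedip "10.0.0.12"  # FTP moved independently of WWW
        set mappedport 21
        set arp-reply enable
    next
end

# Policies: one per VIP, restricted to the published service only.
config firewall policy
    edit 10
        set name "pub-www"
        set srcintf "wan1"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "vip-www-203.0.113.10-80"
        set action accept
        set schedule "always"
        set service "HTTP"
        set logtraffic all
    next
    edit 11
        set name "pub-ftp"
        set srcintf "wan1"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "vip-ftp-203.0.113.10-21"
        set action accept
        set schedule "always"
        set service "FTP"
        set logtraffic all
    next
end

# Checks, run from the FortiGate CLI rather than with tracert:
# 1. Confirm the firewall answers ARP for the public IP on wan1.
diagnose sniffer packet wan1 'arp and host 203.0.113.10' 4
# 2. Trace a real connection through VIP and policy lookup. Start the trace,
#    then from a client run: curl -I http://203.0.113.10/
diagnose debug flow filter addr 203.0.113.10
diagnose debug flow show function-name enable
diagnose debug enable
diagnose debug flow trace start 20
#    ... the flow output names the VIP and policy matched, or the reason a
#    packet (for example ICMP from the LAN) was dropped.
diagnose debug disable
diagnose debug reset
```

Two caveats a practitioner would add. Clients on the LAN that connect to the public IP (the "internal" failure described above) traverse the firewall from the internal interface back to the internal interface, so they need their own policy with the VIP as destination and NAT enabled; the wan1-to-internal policies above do not cover that path. And forwarding only TCP/21 is enough for FTP only because FortiOS applies its FTP session helper on that port to open the data connections; if the helper is removed or FTP is published on a non-standard port, the control channel will connect but directory listings and transfers will fail.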