Hi,
see attachment for an overview of my scenario. Using Fortigate 92D on 5.4.1. Configuration was done via GUI.
I have one WAN interface with multiple public IP addresses available and a DMZ with a few servers that all listen on 443, plus SSLVPN listen on the primary address (10.10.10.116). I configured 4 additional secondary IP addresses on the WAN interface (10.10.10.117 - 10.10.10.120). I created VIPs to map those addresses to the internal addresses of my servers, and inbound IPv4 policies to allow traffic on those VIPs. Everything is working so far as intended.
Now I'm trying configure outbound NAT for those servers, and this is where I'm not sure which configuration would be considered best practice. I would like that all outbound traffic of each server is NATed to the same IP address that is used for the inbound VIPs (10.10.10.117 - 10.10.10.120).
[ul]
Is this considered best practice? It seems to accomplish what I want, one dedicated external IP address for all inbound / outbound traffic per server on the same WAN interface.
I'm asking because I'm not sure if it's okay to configure an IP pool for the same IP address that is configured as a secondary IP address on an interface.
If I do not configure any secondary IP addresses on the interface and configure an overload IP pool e.g. for 10.10.10.126/32, I can't use this IP address as secondary IP address anymore, because I get the following error message (via GUI):
If I set the secondary IP first and create the IP pool later, I don't get an error message. So it seems that I have "tricked" the GUI by accident.
Any advice would be greatly appreciated!
Thanks
Solved! Go to Solution.
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
But it's not wrong to configure NAT-pools the way you did, the result is the same.
So keep it as it is, if it's working.
Just dont add any secondary ip-addresses on the physical interface.
Why are you creating a secondary IP-address on the interface?
I know there's a command under the VIP in CLI that makes your servers use that VIP address for outgoing traffic as well. Here it is "set nat-source-vip enable".
Not sure if this command applies to 5.4.
Hi,
I configured secondary IP addresses, because I assumed I had to in order create VIPs.
Will nat-source-vip enable apply to all outgoing traffic, or just the ports configured in the VIP?
Alright, when you create a VIP you also make the Firewall listen to that ip on the port you specify in the VIP.
It also relpies to ARP for that IP, so you dont have to create a secondary IP.
Ah you created Port-forwarding?
This command should make a 1:1 Static nat, so I'm not sure if you should use it in combination with port-forwarding.
But it's not wrong to configure NAT-pools the way you did, the result is the same.
So keep it as it is, if it's working.
Just dont add any secondary ip-addresses on the physical interface.
Hi,
this is still just a test environment, but I'm very eager to put this into production. I forward 443 on every VIP, plus some other ports depending on the VIP.
So if I just don't configure secondary IPs, I can make the WAN interface "aware" of those additional IPs just by configuring those IPs in the VIP. Traffic is forwarded to my internal servers, replies to that traffic is automatically NATted back to the internet. For all other outbound traffic, I create IP pools that I use as NAT address that I specify in the IPv4 Policy. I will test this and post the results.
In which case would I have to configure secondary IPs on the interface? I don't really see a scenario where I would need that.
Yes that's the way it works :)
I guess you can use the secondary IP's for other stuff, like SSL-VPN/IPSEC-VPN or Firewall access.
I've actually never used it.
Hi,
I just tested this, and it works as you described.
[ul]
For a quick test, I created a VIP for RDP on a test machine located in the DMZ. I was able to connect to it via 10.10.10.117. All outgoing traffic to the Internet from that machine was NATted to 10.10.10.118.
Thanks for your quick reply, you've been of great help!
I'm glad to hear :)
Good luck with putting this in production!
/ Nils
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1697 | |
1092 | |
752 | |
446 | |
228 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.