71F6B385D38F
New Contributor

WAN Interface with multiple IP addresses, VIPs and outbound NAT

Hi,

see attachment for an overview of my scenario. Using FortiGate 92D on 5.4.1. Configuration was done via GUI.

 

I have one WAN interface with multiple public IP addresses available and a DMZ with a few servers that all listen on 443, plus SSLVPN listen on the primary address (10.10.10.116). I configured 4 additional secondary IP addresses on the WAN interface (10.10.10.117 - 10.10.10.120). I created VIPs to map those addresses to the internal addresses of my servers, and inbound IPv4 policies to allow traffic on those VIPs. Everything is working so far as intended. 

 

Now I'm trying to configure outbound NAT for those servers, and this is where I'm not sure which configuration would be considered best practice. I would like all outbound traffic of each server to be NATed to the same IP address that is used for the inbound VIPs (10.10.10.117 - 10.10.10.120).

 

  • I created 4 overload IP Pools (one for each external address)
  • I created 4 IPv4 Policies DMZ -> WAN, from the internal IP addresses to any, NAT enabled using the corresponding IP Pool
  • I placed those policies above the less specific outbound NAT-enabled policies

    Is this considered best practice? It seems to accomplish what I want, one dedicated external IP address for all inbound / outbound traffic per server on the same WAN interface.

     

    I'm asking because I'm not sure if it's okay to configure an IP pool for the same IP address that is configured as a secondary IP address on an interface.

     

    If I do not configure any secondary IP addresses on the interface and configure an overload IP pool e.g. for 10.10.10.126/32, I can't use this IP address as secondary IP address anymore, because I get the following error message (via GUI):

     

     

     

    If I set the secondary IP first and create the IP pool later, I don't get an error message. So it seems that I have "tricked" the GUI by accident. 

     

    Any advice would be greatly appreciated!

    Thanks

     

     

    Nils
    Contributor II

    Why are you creating a secondary IP-address on the interface?

     

    I know there's a command under the VIP in CLI that makes your servers use that VIP address for outgoing traffic as well. Here it is "set nat-source-vip enable".

    Not sure if this command applies to 5.4.

     

     

    71F6B385D38F

    Hi,

     

    I configured secondary IP addresses, because I assumed I had to in order to create VIPs.

    Will nat-source-vip enable apply to all outgoing traffic, or just the ports configured in the VIP?

    Nils

    Alright, when you create a VIP you also make the Firewall listen to that ip on the port you specify in the VIP.

    It also replies to ARP for that IP, so you don't have to create a secondary IP.

     

    Ah you created Port-forwarding? 

    This command should make a 1:1 Static nat, so I'm not sure if you should use it in combination with port-forwarding.

     

     

    Nils
    Contributor II

    But it's not wrong to configure NAT-pools the way you did, the result is the same.

    So keep it as it is, if it's working.

    Just don't add any secondary IP addresses on the physical interface.

    71F6B385D38F

    Hi,

     

    this is still just a test environment, but I'm very eager to put this into production. I forward 443 on every VIP, plus some other ports depending on the VIP.

     

    So if I just don't configure secondary IPs, I can make the WAN interface "aware" of those additional IPs just by configuring those IPs in the VIP. Traffic is forwarded to my internal servers, and replies to that traffic are automatically NATted back to the internet. For all other outbound traffic, I create IP pools that I use as the NAT address specified in the IPv4 Policy. I will test this and post the results.

     

    In which case would I have to configure secondary IPs on the interface? I don't really see a scenario where I would need that.

    Nils

    Yes that's the way it works :)

     

    I guess you can use the secondary IPs for other stuff, like SSL-VPN/IPsec VPN or firewall access.

    I've actually never used it.

     

    71F6B385D38F

    Hi,

     

    I just tested this, and it works as you described.

     

  • WAN Interface without secondary IP addresses
  • VIP to DMZ on 10.10.10.117
  • IPv4 Policy with outgoing NAT on IP Pool 10.10.10.118/32 for internet traffic

    For a quick test, I created a VIP for RDP on a test machine located in the DMZ. I was able to connect to it via 10.10.10.117. All outgoing traffic to the Internet from that machine was NATted to 10.10.10.118.

     

    Thanks for your quick reply, you've been of great help!

    Nils

    I'm glad to hear :)

    Good luck with putting this in production! 

     

    / Nils
