WAN Interface with multiple IP addresses, VIPs and outbound NAT
See the attachment for an overview of my scenario. Using a FortiGate 92D on 5.4.1. Configuration was done via the GUI.
I have one WAN interface with multiple public IP addresses available and a DMZ with a few servers that all listen on 443, plus SSL VPN listening on the primary address (10.10.10.116). I configured 4 additional secondary IP addresses on the WAN interface (10.10.10.117 - 10.10.10.120). I created VIPs to map those addresses to the internal addresses of my servers, and inbound IPv4 policies to allow traffic on those VIPs. Everything is working as intended so far.
Now I'm trying to configure outbound NAT for those servers, and this is where I'm not sure which configuration would be considered best practice. I would like all outbound traffic from each server to be NATed to the same IP address that is used for the inbound VIPs (10.10.10.117 - 10.10.10.120).
I created 4 overload IP Pools (one for each external address)
I created 4 IPv4 Policies DMZ -> WAN, from the internal IP addresses to any, NAT enabled using the corresponding IP Pool
I placed those policies above the less specific outbound policies that have NAT enabled
Is this considered best practice? It seems to accomplish what I want, one dedicated external IP address for all inbound / outbound traffic per server on the same WAN interface.
I'm asking because I'm not sure if it's okay to configure an IP pool for the same IP address that is configured as a secondary IP address on an interface.
If I do not configure any secondary IP addresses on the interface and configure an overload IP pool, e.g. for 10.10.10.126/32, I can't use this IP address as a secondary IP address anymore, because I get the following error message (via the GUI):
If I set the secondary IP first and create the IP pool later, I don't get an error message. So it seems that I have "tricked" the GUI by accident.
This is still just a test environment, but I'm very eager to put this into production. I forward 443 on every VIP, plus some other ports depending on the VIP.
So if I just don't configure secondary IPs, I can make the WAN interface "aware" of those additional IPs just by configuring those IPs in the VIPs. Traffic is forwarded to my internal servers, and replies to that traffic are automatically NATted back to the Internet. For all other outbound traffic, I create IP pools that I use as the NAT address specified in the IPv4 policy. I will test this and post the results.
In which case would I have to configure secondary IPs on the interface? I don't really see a scenario where I would need that.
I just tested this, and it works as you described.
WAN Interface without secondary IP addresses
VIP to DMZ on 10.10.10.117
IPv4 Policy with outgoing NAT on IP Pool 10.10.10.118/32 for Internet traffic
For a quick test, I created a VIP for RDP on a test machine located in the DMZ. I was able to connect to it via 10.10.10.117. All outgoing traffic to the Internet from that machine was NATted to 10.10.10.118.
Thanks for your quick reply, you've been of great help!