Dears,
I have a FortiGate 200D and I want to disable the NAT option when I create the firewall policy.
Could you please advise what other steps I need to configure in case I disable the NAT option in the policy?
When I enable NAT in the policy, connectivity is OK, but when I disable it I lose connectivity. I want to keep the source IP without NATting. Could you please advise about this?
Best Regards,
This is a very general question. Two questions for you:
1) What direction is traffic flowing in this policy?
2) Is this policy connected to the Internet from a private address?
Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
Thanks for your reply. The direction is from internal to wan1,
and it is a private network to the Internet.
Best Regards,
If that is the case, then you need to have NAT enabled. Your ISP will drop all connections to the Internet with private IP addresses. You have to provide a routable, public IP address if you want your traffic to be present outside your walls. The only way you can do that is to have your own subnet(s), or to NAT your traffic to the IP address that your ISP provides you. (That is, if they give you a public one. Some only provide private IP addresses on a transit network to you.)
See the link for a definition/list of private IP address ranges:
https://tools.ietf.org/html/rfc1918
There is a newer one, but I don't recall the RFC number.
The latest is here:
https://tools.ietf.org/html/rfc5735
Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
You are right in assuming you didn't supply relevant information on your setup.
When you disable NAT on the FGT, packets with private source addresses arrive at the gateway router. The router will send them out, but on arrival of the replies it doesn't know where to forward them.
You need a static route on the gateway router pointing the private subnet addresses (like 192.168.xxx.0/24) to the WAN interface of the FGT.
The FGT already knows about that range, as it is directly connected (check this in the Routing Monitor).
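To make the return-path problem in the reply above concrete, and to tie in the RFC 1918 range check from the earlier reply, here is an added example (not part of this thread and not FortiGate code): a small Python model of the gateway router's forwarding table. The topology, addresses (192.168.10.0/24 behind the FGT, wan1 203.0.113.2 on a /30 to the gateway, ISP next hop 198.51.100.1) and interface names are constructed assumptions. It shows why a reply addressed to a private LAN host matches only the default route and is lost once NAT is off, and how the static route for the LAN subnet pointing at the FGT's wan1 address fixes it.

```python
import ipaddress

# Constructed topology (assumption for this example, not from the thread):
#   LAN 192.168.10.0/24 -- FGT internal
#   FGT wan1 203.0.113.2/30 -- gateway router 203.0.113.1/30 ("inside" interface)
#   gateway router 198.51.100.2/30 -- ISP next hop 198.51.100.1 ("upstream" interface)
LAN_NET = "192.168.10.0/24"
LAN_HOST = "192.168.10.25"        # a PC behind the FGT
FGT_WAN_IP = "203.0.113.2"        # FGT wan1 address
ISP_NEXT_HOP = "198.51.100.1"

# RFC 1918 ranges checked explicitly: ipaddress's .is_private would also flag the
# documentation ranges (203.0.113.0/24, 198.51.100.0/24) used as "public" placeholders here.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(addr):
    """True if addr falls in one of the RFC 1918 private ranges."""
    a = ipaddress.ip_address(addr)
    return any(a in net for net in RFC1918)


class Router:
    """Minimal IPv4 forwarding table with longest-prefix match."""

    def __init__(self, name):
        self.name = name
        self.routes = []  # (network, next_hop, interface); next_hop None = directly connected

    def add_route(self, prefix, next_hop, interface):
        hop = None if next_hop is None else ipaddress.ip_address(next_hop)
        self.routes.append((ipaddress.ip_network(prefix), hop, interface))

    def lookup(self, dst):
        """Return the most specific matching (network, next_hop, interface), or None."""
        dst = ipaddress.ip_address(dst)
        matches = [r for r in self.routes if dst in r[0]]
        if not matches:
            return None
        return max(matches, key=lambda r: r[0].prefixlen)


def build_gateway(with_static_route):
    """Gateway router table. The optional static route is the fix from the thread."""
    gw = Router("gateway")
    gw.add_route("203.0.113.0/30", None, "inside")      # transit net to FGT wan1
    gw.add_route("198.51.100.0/30", None, "upstream")   # link to the ISP
    gw.add_route("0.0.0.0/0", ISP_NEXT_HOP, "upstream")  # default route
    if with_static_route:
        # "ip route 192.168.10.0/24 via 203.0.113.2" in gateway-router terms
        gw.add_route(LAN_NET, FGT_WAN_IP, "inside")
    return gw


def reply_outcome(with_nat, with_static_route):
    """Where the gateway router sends the reply to a LAN host's outbound request.

    Returns (status, matched_prefix) with status one of:
      'delivered'          reply goes to the FGT, which has the LAN directly connected
      'blackholed'         reply to a private address matched only the default route and is lost
      'forwarded-upstream' public destination, not this LAN's traffic at all
    """
    # With NAT the Internet sees the FGT wan1 address; without it, the LAN host's own address.
    reply_dst = FGT_WAN_IP if with_nat else LAN_HOST
    net, next_hop, iface = build_gateway(with_static_route).lookup(reply_dst)
    if iface == "inside":
        status = "delivered"
    elif is_rfc1918(reply_dst):
        status = "blackholed"
    else:
        status = "forwarded-upstream"
    return status, str(net)


if __name__ == "__main__":
    for nat, static in ((True, False), (False, False), (False, True)):
        status, prefix = reply_outcome(nat, static)
        print(f"NAT={nat!s:5} static_route={static!s:5} -> {status:10} (matched {prefix})")
```

The three cases mirror the thread: NAT on works because the reply lands on the gateway's directly connected transit subnet; NAT off with no static route sends the reply for 192.168.10.25 out the default route, where a private destination goes nowhere; NAT off plus the /24 static route toward the FGT's wan1 address delivers it. Whether the ISP accepts an untranslated private source on the way out is the separate point made in the earlier reply and is not modelled here.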
It worked, thank you so much. Yes, this was the missing ring.
Really appreciated.
:)
You're welcome, I'm glad I could help.