Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
bzh87
New Contributor II

port forwarding natting using outside interface that is private ip?

in my setup the firewall outside interface uses a private ip as my isp router forwards my public ips toward my private outside interface and my existing firewall is cisco asa and it have nat rule where it does port forwarding natting using the outside interface which is a private ip "192.168.10.2". I need to move this port forwarding rule to my new fortigate which will replace my asa. so in order to do this should I put in "external ip " my private outside interface ip and in the "mapped ip" I will put my internal server ip? 

1 Solution
Toshi_Esumi
Esteemed Contributor III

The external IP of a VIP should be the public IP that the incoming packets have as the destination address, regardless what the incoming interface IP is. Then the VIP would map it to the local server IP.

 

Toshi

View solution in original post

9 REPLIES 9
Toshi_Esumi
Esteemed Contributor III

The external IP of a VIP should be the public IP that the incoming packets have as the destination address, regardless what the incoming interface IP is. Then the VIP would map it to the local server IP.

 

Toshi

bzh87
New Contributor II

see my outside interface ip for example "192.168.10.2" get natted into "195.1.1.1" when it goes to my isp router so when 195.1.1.1 comes to my isp router it will be turned into 192.168.10.2 which is my outside interface so i dont think 195.1.1.1 actually hit my interface? also in the cisco asa the nat rule shows source any and destination my outside interface

Toshi_Esumi
Esteemed Contributor III

Ok, misread. I thought your ISP just forwarded them without NATing.

The corrected statement should be "The external IP of a VIP should be the IP that the incoming packets have as the destination address when arrive at the FGT..." So the interface IP then.

bzh87
New Contributor II

yeah but this is the case of my outside private interface as for the rest of my public subnet the isp seems to route it toward my private outside interface as at the moment the asa have nat rules that uses the public ip.

 

this is the reason behind my confusion.

Toshi_Esumi
Esteemed Contributor III

Those are two different paths for packets coming from outside. You need to treat them accordingly. But you already know exactly how they're working at ASA and would be working on the FGT. Just try it by trusting your instincts then adjust it if it doesn't work. Or ask others at that time.

bzh87
New Contributor II

just to make sure I'm converting correctly I attached a snap of both rules on asa and FGT. Please correct me if i wrong. The asa service bracket have a specific port as source and any port as destination.

Capture.PNGCapture2.PNG

Toshi_Esumi
Esteemed Contributor III

I don't know much about ASA but I remember Cisco's 1-to-1 NAT works on both ways. FortiGate's NAT is directional and separated between DNAT and SNAT. The VIP config+policy is only for out-to-in DNAT. For SNAT you need to enable it on in-to-out policy which uses the outgoing interface IP by default. You probably have it already then it's good for this particular traffic for the DNAT server destination.

DNAT/VIP config itself doesn't have much to tweak other than those IPs you masked.

 

Toshi

bzh87
New Contributor II

if i want to make an ip to go out with a specific public ip do i create a rule from inside to outside and then enable nat and choose dynamic ip and set that ip for example 195.1.1.1-195.1.1.1 as in the below picture?Capture.PNG

Toshi_Esumi
Esteemed Contributor III

You are correct. Since you have only one internal IP, overload would work as well.

Labels
Top Kudoed Authors