in my setup the firewall outside interface uses a private ip as my isp router forwards my public ips toward my private outside interface and my existing firewall is cisco asa and it have nat rule where it does port forwarding natting using the outside interface which is a private ip "192.168.10.2". I need to move this port forwarding rule to my new fortigate which will replace my asa. so in order to do this should I put in "external ip " my private outside interface ip and in the "mapped ip" I will put my internal server ip?
Solved! Go to Solution.
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
The external IP of a VIP should be the public IP that the incoming packets have as the destination address, regardless what the incoming interface IP is. Then the VIP would map it to the local server IP.
Toshi
The external IP of a VIP should be the public IP that the incoming packets have as the destination address, regardless what the incoming interface IP is. Then the VIP would map it to the local server IP.
Toshi
see my outside interface ip for example "192.168.10.2" get natted into "195.1.1.1" when it goes to my isp router so when 195.1.1.1 comes to my isp router it will be turned into 192.168.10.2 which is my outside interface so i dont think 195.1.1.1 actually hit my interface? also in the cisco asa the nat rule shows source any and destination my outside interface
Ok, misread. I thought your ISP just forwarded them without NATing.
The corrected statement should be "The external IP of a VIP should be the IP that the incoming packets have as the destination address when arrive at the FGT..." So the interface IP then.
yeah but this is the case of my outside private interface as for the rest of my public subnet the isp seems to route it toward my private outside interface as at the moment the asa have nat rules that uses the public ip.
this is the reason behind my confusion.
Those are two different paths for packets coming from outside. You need to treat them accordingly. But you already know exactly how they're working at ASA and would be working on the FGT. Just try it by trusting your instincts then adjust it if it doesn't work. Or ask others at that time.
Created on 02-16-2022 05:43 AM Edited on 02-16-2022 05:46 AM
just to make sure I'm converting correctly I attached a snap of both rules on asa and FGT. Please correct me if i wrong. The asa service bracket have a specific port as source and any port as destination.
I don't know much about ASA but I remember Cisco's 1-to-1 NAT works on both ways. FortiGate's NAT is directional and separated between DNAT and SNAT. The VIP config+policy is only for out-to-in DNAT. For SNAT you need to enable it on in-to-out policy which uses the outgoing interface IP by default. You probably have it already then it's good for this particular traffic for the DNAT server destination.
DNAT/VIP config itself doesn't have much to tweak other than those IPs you masked.
Toshi
if i want to make an ip to go out with a specific public ip do i create a rule from inside to outside and then enable nat and choose dynamic ip and set that ip for example 195.1.1.1-195.1.1.1 as in the below picture?
You are correct. Since you have only one internal IP, overload would work as well.
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1733 | |
1106 | |
752 | |
447 | |
240 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.