I am trying to segment the network into 2 parts:
1) 2 ports (i.e. Port 1, Port 2), each on a different private LAN
private IP: 192.168.1.0/24, 192.168.2.0/24
wan: 123.123.123.0-123.123.123.127
2) 1 port (i.e. Port 3) in "transparent mode"
private IP: 123.123.123.128-123.123.123.255
wan: 123.123.123.128-123.123.123.255
I am wondering whether I should (or whether it is even possible to) set up my FortiGate as follows:
1) Set it up to run in NAT/Routing mode
Set up Virtual IPs for Port 1 and Port 2 to take care of the IP translation.
Set up a routing policy to direct data going to 123.123.123.128-123.123.123.255 to Port 3
(Is this even possible?)
OR
2) Set up 3 VDOMs (i.e. Root, Private_VDOM, Public_VDOM)
Connect the WAN to Root and set it up in NAT/Routing mode
Set up Private_VDOM in transparent mode
Set up a routing policy to direct data going to 123.123.123.128-123.123.123.255 to Private_VDOM
Set up Private_VDOM in NAT/Routing mode
Set up a routing policy to direct data going to 123.123.123.0-123.123.123.127 to Private_VDOM
Set up Virtual IPs on Public_VDOM
I am very new to setting up these things. Thank you very much for your help in advance.
I don't think you can do #1, but #2 could be done if you set VIPs for the hosts. But do you really need a transparent link? I think you could do this with less complexity if you just placed VIPs for 123.123.123.128-123.123.123.255 (/25) and set the machines behind the VIPs,
or
just create a 3rd LAN interface that houses 123.123.123.128/25.
This could be a sub-interface that's tagged like an 802.1Q interface if you're limited on physical ports.
Please check out my stacked VDOM blog for other ideas & suggestions:
http://socpuppet.blogspot...pt-with-fortigate.html
PCNSE
NSE
StrongSwan
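As an added illustration of the "3rd LAN interface" option above (this is not part of emnoc's post): the public /25 is placed directly on a routed 802.1Q sub-interface, so the hosts keep their real addresses and no VIP or NAT is involved. FortiOS CLI; the interface names wan1 and port3, VLAN ID 100 and the .129 gateway address are assumptions, and it assumes the upstream router routes 123.123.123.128/25 to the FortiGate's WAN address rather than treating it as on-link.

```fortios
# Added example, not from the original post. Assumptions: WAN is "wan1",
# the third LAN segment hangs off port3 as 802.1Q VLAN 100, and the
# FortiGate becomes the default gateway (.129) for 123.123.123.128/25.
# The upstream router must route 123.123.123.128/25 to wan1's address.

config system interface
    edit "lan3_public"
        set vdom "root"
        set interface "port3"
        set vlanid 100
        set ip 123.123.123.129 255.255.255.128
        set allowaccess ping
    next
end

config firewall address
    edit "public_lan_128_25"
        set subnet 123.123.123.128 255.255.255.128
    next
end

# The public addresses are real on this segment, so no VIP and no NAT.
config firewall policy
    edit 0
        set name "wan_to_public_lan"
        set srcintf "wan1"
        set dstintf "lan3_public"
        set srcaddr "all"
        set dstaddr "public_lan_128_25"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat disable
    next
    edit 0
        set name "public_lan_to_wan"
        set srcintf "lan3_public"
        set dstintf "wan1"
        set srcaddr "public_lan_128_25"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat disable
    next
end
```

`service ALL` is only for the initial reachability test; once the segment is routed, restrict the inbound policy to the services those hosts actually expose, since they are directly addressable from the Internet.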
I hear you, but what does the upper end of the /25 (.128-.255) have as a gateway today? Can't you just lift that network and install it on another interface on the FortiGate and still meet your needs? Or bind two interfaces as an inbound & outbound interface for the LAN segment that needs the transparent mode of operation?
e.g.
port3 and port4 (transparent VDOM)
About NAT in transparent VDOMs, it can be done. I have never done this, though. You can configure IP pools and set firewall policies to allow NAT, but be careful in your topology & design, and remember that an interface can only be in one VDOM regardless of the VDOM mode of operation (NAT/routed or transparent).
I would suggest you draft out the details before diving in and ensure that the design encompasses the goals and functionality that you're looking for.
PCNSE
NSE
StrongSwan
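Added example of the port3/port4 transparent VDOM suggested above (not code from emnoc's post or blog). It assumes multi-VDOM mode is already enabled, the VDOM is named Public_VDOM, port3 faces the upstream router and port4 faces the existing 123.123.123.128/25 segment, .254 is a free address in that /25 for the VDOM's management IP and .129 is the segment's existing gateway. No NAT is configured in the transparent VDOM.

```fortios
# Added example, not from the original post. Interface names, VDOM name,
# the .254 management address and the .129 gateway are assumptions.
# An interface can belong to only one VDOM, so port3 and port4 are moved
# out of root before the VDOM is switched to transparent mode; they must
# carry no IP address at that point.

config vdom
    edit "Public_VDOM"
    next
end

config global
    config system interface
        edit "port3"
            set vdom "Public_VDOM"
        next
        edit "port4"
            set vdom "Public_VDOM"
        next
    end
end

config vdom
    edit "Public_VDOM"
        config system settings
            set opmode transparent
            set manageip 123.123.123.254/25
            set gateway 123.123.123.129
        end
        # Bridge traffic in both directions. Hosts keep their real public
        # addresses; nothing is translated here.
        config firewall policy
            edit 0
                set name "upstream_to_lan"
                set srcintf "port3"
                set dstintf "port4"
                set srcaddr "all"
                set dstaddr "all"
                set action accept
                set schedule "always"
                set service "ALL"
            next
            edit 0
                set name "lan_to_upstream"
                set srcintf "port4"
                set dstintf "port3"
                set srcaddr "all"
                set dstaddr "all"
                set action accept
                set schedule "always"
                set service "ALL"
            next
        end
    end
```

Because both member ports sit in this VDOM, the root VDOM's WAN cannot also be the upstream side of the bridge: the upstream router needs its own link into port3 (or an inter-VDOM link takes its place), which is the extra cabling the question in the thread is driving at.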
Thank you very much for your information.
The reason I am hoping to set up a "transparent link" is that this part of the network is already in place. Such a setup will reduce the amount of changes to the existing network.
I have read through your Stacked VDOM blog. However, I am still not sure about your 2nd suggestion:
"Just create a 3rd LAN interface that houses 123.123.123.128/25"
Is it possible for you to elaborate further on it?
Also, in your Stacked VDOM blog post, is it possible to push the NAT down to the custA and custB VDOMs instead of doing it in the root VDOM?
Thank you very much for your help in advance !
Thank you very much emnoc.
I guess my original plan is not a recommended approach. I guess I will follow a topology similar to the one in your post:
http://socpuppet.blogspot.com.es/2014/09/a-stacked-vdom-concept-with-fortigate.html
However, I am wondering how I can set the Virtual IP to allow computers from the WAN and custB to access a computer in custA (i.e. 10.100.10.123)?
Does this Virtual IP setting have to be done in VDOM root? Can't it be set in custA?
I tried to set the Virtual IP in VDOM root with the following settings:
Interface: WAN
External IP: 123.123.123.123-123.123.123.123
Internal IP: 10.100.10.123-10.100.10.123
I have also set a static route such that
Destination IP: 10.100.10.0/255.255.255.0
Device: root2custA0
Gateway: 192.168.0.2
For testing, I have allowed all traffic to route from any interface to any interface in both VDOMs. However, I am still not able to ping the machine with IP 10.100.10.123 from the outside.
Is there anything I have missed?
Thanks.
Packets are able to pass through after setting a policy that allows traffic to reach the specific Virtual IP as the destination, with NAT turned on.
Thank you very much for all your help!
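The working configuration the thread arrives at, reconstructed as an added example (it is not taken from the posts or from the blog): the VIP and the static route live in root, and the policy that finally passed traffic names the VIP object as its destination with NAT enabled. FortiOS CLI; assumptions are that the WAN interface is wan1, the inter-VDOM link is named root2custA (FortiOS creates the root2custA0 and root2custA1 ends), root2custA0 is 192.168.0.1 in root and root2custA1 is 192.168.0.2 in custA, and custA's 10.100.10.0/24 LAN is on port1. The VIP name is made up here.

```fortios
# Added example, not from the original posts. Names and link addressing
# other than those quoted in the thread are assumptions.

config global
    config system vdom-link
        edit "root2custA"
        next
    end
    config system interface
        edit "root2custA0"
            set vdom "root"
            set ip 192.168.0.1 255.255.255.252
            set allowaccess ping
        next
        edit "root2custA1"
            set vdom "custA"
            set ip 192.168.0.2 255.255.255.252
            set allowaccess ping
        next
    end
end

config vdom
    edit "root"
        # The VIP belongs in root: that is where the public address
        # terminates, so DNAT happens before the packet crosses the link.
        config firewall vip
            edit "vip_custA_10.100.10.123"
                set extintf "wan1"
                set extip 123.123.123.123
                set mappedip "10.100.10.123"
            next
        end
        config router static
            edit 0
                set dst 10.100.10.0 255.255.255.0
                set gateway 192.168.0.2
                set device "root2custA0"
            next
        end
        # Destination is the VIP object, not "all": an any-to-any test
        # policy does not match DNATed traffic. With NAT enabled the source
        # becomes 192.168.0.1, so custA's reply only needs a route back over
        # the inter-VDOM link.
        config firewall policy
            edit 0
                set name "wan_to_custA_vip"
                set srcintf "wan1"
                set dstintf "root2custA0"
                set srcaddr "all"
                set dstaddr "vip_custA_10.100.10.123"
                set action accept
                set schedule "always"
                set service "ALL"
                set nat enable
            next
        end
    end

config vdom
    edit "custA"
        config router static
            edit 0
                set gateway 192.168.0.1
                set device "root2custA1"
            next
        end
        config firewall policy
            edit 0
                set name "link_to_custA_lan"
                set srcintf "root2custA1"
                set dstintf "port1"
                set srcaddr "all"
                set dstaddr "all"
                set action accept
                set schedule "always"
                set service "ALL"
            next
        end
    end
```

For custB to reach the same host, the root policy is the same pattern with custB's link interface as source, but a VIP bound to wan1 only translates traffic arriving on wan1, so that path needs either a second VIP whose extintf is custB's link or a VIP with extintf set to any. Once the ping test succeeds, replace `service ALL` on the WAN-facing policy with the ports 10.100.10.123 actually serves.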
Copyright 2024 Fortinet, Inc. All Rights Reserved.