I want to connect remotely to a server on the DMZ. Here is my scenario: as shown in the attached image, we have a FortiGate 100D firewall which gets its internet from an ADSL TP-Link modem. There is also a valid IP set on the modem, and the modem itself is connected to the FortiGate's WAN1 interface. The server I want to connect to is located on the DMZ. Please help me configure this and get my scenario working properly.
thank u
hi,
the double NAT is what is making this a bit complicated. So I would recommend to switch the modem into 'bridge mode' and put all WAN/ISP configuration onto the FGT. Hopefully, your line is not fast (>= 100 Mbps) and using PPPoE - in this case, the modem hardware needs to do the dial in as the FGT CPU will not be strong enough for this.
So, 2 scenarios:
1- modem is bridging
Now the FGT WAN port gets the public IP address (which is good for many reasons, FortiGuard updates for one). Now you create a VIP on the WAN interface, mapping the public IP to the private LAN IP of the server. No port forwarding needed if you do not use the public IP for anything else. Put the VIP as the destination address object into a policy from 'WAN' to 'internal', set service and/or schedule, done.
2- modem does the dial-in
Now you have double NAT. The VIP part on the FGT side stays the same, but now you translate from the private WAN IP of the FGT to the server's address. In order to get the traffic across the modem, you need to configure a 'DMZ' or 'pass-through' on it so that traffic from the WAN will reach the inside of the modem. Depends on make and model.
thank u ede
In the second scenario I have a valid IP that I get from the ISP.
Is it right that I set, in the TP-Link modem's NAT tab, the virtual server IP to 192.168.1.3 (the FortiGate WAN1 IP), and then in the VIP set the external interface to wan1, the external IP to 192.168.1.1 (the modem IP), the mapped IP to 10.28.0.227 and the mapped port to 3389? Or do I have to set the external IP to my valid IP????
Nope. You set the TP-Link NAT to 192.168.1.4, an unused IP that denotes your internal server (not the FGT). On the FGT, the VIP has
external IP = 192.168.1.4
mapped to IP = 10.28.0.227 <== your server's real IP
and start without port mapping to test. Added advantage: you can ping the server to test the VIP.
Don't forget the policy on the FGT.
In the TP-Link modem, under virtual servers, I set the local host IP to 192.168.1.3 (the FGT WAN IP), then on the FGT I created a VIP with external IP 192.168.1.3 and mapped IP 10.28.0.227 (my server IP) and created a policy. I succeeded in connecting remotely from the internet.
That might be but in using the FGT's WAN IP you effectively divert all traffic with destination FGT to the internal server. That might be a problem someday if you want to administer the FGT remotely, or for the UTM updates.
Using some other address from the intermediate network would give you more options.
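For reference, here is what ede's recommended layout looks like in FortiOS CLI form. This is an added example, not configuration from the thread or from Fortinet; the object names, the "dmz" interface name and the predefined "RDP" service are assumptions, while the addresses are the ones discussed above.

```fortios
# Modem side (TP-Link GUI, not CLI): virtual server / DMZ host -> 192.168.1.4,
# an otherwise unused address in the intermediate 192.168.1.0/24 network.
# Using 192.168.1.3 (the FGT's own WAN1 address) instead works, but it hands
# every packet destined for the FGT itself to the server, which later blocks
# remote administration of the FGT and may interfere with FortiGuard updates.

config firewall vip
    edit "dmz-server-vip"              # name is an assumption
        set extintf "wan1"
        set extip 192.168.1.4          # NOT 192.168.1.3 (FGT WAN1 IP)
        set mappedip "10.28.0.227"     # the server's real DMZ address
        # Test first without port mapping so the server answers ping through
        # the VIP. Once reachability is confirmed, narrow it to RDP only:
        # set portforward enable
        # set extport 3389
        # set mappedport 3389
    next
end

config firewall policy
    edit 0
        set name "wan-to-dmz-server"   # name is an assumption
        set srcintf "wan1"
        set dstintf "dmz"              # interface name is an assumption
        set srcaddr "all"              # tighten to a named address object later
        set dstaddr "dmz-server-vip"   # the VIP is the destination object
        set action accept
        set schedule "always"
        set service "RDP"              # predefined FortiOS service, TCP/3389
        set nat disable                # no source NAT; the VIP does the DNAT
        set logtraffic all             # keep a record of every inbound session
    next
end
```

Without the policy the VIP alone does nothing, which matches ede's "don't forget the policy" remark.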
Copyright 2024 Fortinet, Inc. All Rights Reserved.