ravenlord
New Contributor

remote to a server on DMZ

I want to remote to a server on the DMZ. Here is my scenario: as shown in the attached image, we have a FortiGate 100D firewall which gets its internet from an ADSL TP-Link modem. There is also a valid IP set on the modem, and the modem itself is connected to the FortiGate's WAN1 interface. The server which I want to remote to is located on the DMZ. Please help me configure this and get my scenario working properly.

Thank you.

ede_pfau
Esteemed Contributor III

hi,

 

The double NAT is what is making this a bit complicated. So I would recommend switching the modem into 'bridge mode' and putting all WAN/ISP configuration onto the FGT. Hopefully, your line is not fast (>= 100 Mbps) and using PPPoE; in this case, the modem hardware needs to do the dial-in, as the FGT CPU will not be strong enough for this.

 

So, 2 scenarios:

1- modem is bridging

Now the FGT WAN port gets the public IP address (which is good for many reasons, FortiGuard updates for one). Now you create a VIP on the WAN interface, mapping the public IP to the private LAN IP of the server. No port forwarding needed if you do not use the public IP for anything else. Put the VIP as the destination address object into a policy from 'WAN' to 'internal', set service and/or schedule, done.

 

2- modem does the dial-in

Now you have double NAT. The VIP part on the FGT side stays the same, but now you translate from the private WAN IP of the FGT to the server's address. In order to get the traffic across the modem, you need to configure a 'DMZ' or 'pass-through' on it so that traffic from the WAN will reach the inside of the modem. This depends on make and model.

 


Ede

"Kernel panic: Aiee, killing interrupt handler!"
ravenlord

Thank you, Ede.

In the second scenario I have a valid IP that I get from the ISP.

Is it right that I set, in the TP-Link modem's NAT tab, the virtual server IP to 192.168.1.3 (the FortiGate WAN1 IP), and then in the VIP set the external interface to wan1, the external IP to 192.168.1.1 (the modem IP), the mapped IP to 10.28.0.227 and the mapped port to 3389? Or do I have to set the external IP to my valid IP?

ede_pfau
Esteemed Contributor III

Nope. You set the TP-Link NAT to 192.168.1.4, an unused IP that denotes your internal server (not the FGT). On the FGT, the VIP has

external IP = 192.168.1.4

mapped to IP = 10.28.0.227   <== your server's real IP

and start without port mapping to test. Added advantage: you can ping the server to test the VIP.

Don't forget the policy on the FGT.


Ede

"Kernel panic: Aiee, killing interrupt handler!"
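Ede's second-scenario setup (the VIP on an unused intermediate address, plus the WAN-to-server policy, as described in his first answer and the reply above) written out as FortiOS CLI. This is an added example, not configuration posted in the thread; the object names, the server-side interface name "dmz", and the "rdp-admin-sources" address object are assumptions.

```fortios
# Added example (not from the thread). Assumes the server sits behind the
# FGT interface named "dmz" and that 192.168.1.4 is unused on the modem LAN.
# On the TP-Link (not shown here) the virtual server / DMZ host points at
# 192.168.1.4, not at the FGT's own WAN1 address 192.168.1.3, so traffic
# really destined for the FGT (remote admin, FortiGuard updates) is untouched.

# The VIP: external address is the spare intermediate IP, mapped to the
# server's real IP. No port forwarding yet, as Ede suggests, so the VIP can
# be tested with a ping to 192.168.1.4 from the modem side.
config firewall vip
    edit "vip-dmz-server"
        set extintf "wan1"
        set extip 192.168.1.4
        set mappedip "10.28.0.227"
        set arp-reply enable
    next
end

# Source restriction for the policy (assumed object; 203.0.113.0/24 is a
# documentation range standing in for the addresses you administer from).
config firewall address
    edit "rdp-admin-sources"
        set subnet 203.0.113.0 255.255.255.0
    next
end

# The policy: VIP as destination object, wan1 -> dmz, PING for the initial
# test plus RDP for the actual use; logging on so hits are visible.
config firewall policy
    edit 0
        set name "wan1-to-dmz-rdp"
        set srcintf "wan1"
        set dstintf "dmz"
        set srcaddr "rdp-admin-sources"
        set dstaddr "vip-dmz-server"
        set action accept
        set schedule "always"
        set service "PING" "RDP"
        set logtraffic all
    next
end

# Once the ping test passes, narrow the VIP to port 3389 only:
#   set portforward enable
#   set extport 3389
#   set mappedport 3389
# and drop "PING" from the policy's service list.
```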
ravenlord

In the TP-Link modem, under virtual servers, I set the local host IP to 192.168.1.3 (the FGT WAN IP), and then on the FGT created a VIP with external IP 192.168.1.3 and mapped IP 10.28.0.227 (my server IP), and created a policy. I succeeded in remoting in from the internet.

ede_pfau
Esteemed Contributor III

That might be, but in using the FGT's WAN IP you effectively divert all traffic with destination FGT to the internal server. That might be a problem someday if you want to administer the FGT remotely, or for the UTM updates.

 

Using some other address from the intermediate network would give you more options.


Ede

"Kernel panic: Aiee, killing interrupt handler!"