Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Firasbg
New Contributor III

Created on ‎08-06-2022 10:46 AM Edited on ‎08-06-2022 11:08 AM

the best way to connect fortigate to the internet

Advice me what's the best way to connect fortigate to the internet of my home ADSL modem passing by cisco router ? i mean i configure dynamic or static NAT? or PAT ? or default static route from my fortigate to the adsl modem and configure default static route from my adsl to the fortigate ?or other methode ?294766800_562538495424875_9082956238751245529_n.png

Labels:
1967
0 Kudos
7 REPLIES 7
Toshi_Esumi
SuperUser
SuperUser

Created on ‎08-07-2022 10:12 AM

A possible best option is to eliminate the cisco router upstream and let the FGT take the internet connection directly from a modem so that the FGT can do VIP/DNAT for out-to-in traffic toward the server in DMZ. Otherwise it's Cisco that needs to do at least out-to-in NAT.

FGT's NAT is unidirectional and in-to-out and out-to-in NAT are independent. It would complicate things if there are two devices doing NAT. So if you left the Cisco in place, you would have to do all NAT at the Cisco.

 

Toshi

1939
Firasbg
New Contributor III
In response to Toshi_Esumi

Created on ‎08-08-2022 05:52 AM

thanks, @Toshi_Esumi  for your response 

before I added the router I let the FortiGate access to the internet and i configure a policy to let the lan and DMZ access to the internet also but now i add the router and  if I configure NAT in router to permit the network 192.168.2.x/24(network between the router and firewall) I will not configure NAT also in router to the LAN and DMZ networks because i configured them in fortigate right ?

1922
0 Kudos
Toshi_Esumi
SuperUser
SuperUser
In response to Firasbg

Created on ‎08-08-2022 08:08 AM

If you're talking about only in-to-out direction and if you set up SNAT for internal subnets, the Cisco sees only 192.168.2.x on the FGT interface.
But if I were to add a router in front to a FGT, I wouldn't do NAT at all on the FGT. Instead expose those internal subnets to the Cisco so that the Cisco can NAT all of them.

 

Toshi

1916
Firasbg
New Contributor III
In response to Toshi_Esumi

Created on ‎08-08-2022 10:14 AM

In companies what's the method that they did , they put the router before the fortigate or after ?

1912
0 Kudos
Toshi_Esumi
SuperUser
SuperUser
In response to Firasbg

Created on ‎08-08-2022 10:52 AM

Completely depending on the purpose/reason why the router needs to be in the network while another router, FGT, is in place, which you haven't explained.

 

Toshi

1904
Firasbg
New Contributor III
In response to Toshi_Esumi

Created on ‎08-08-2022 11:13 AM

@Toshi_Esumi  i configure  PAT in the router to allow the fortigate access to the internet and it's work but when i try now to acccess it from my browzer by http i can't , i try to access it with the outside interface of the router but i can't  and also i try with the fortigate outside interface i can't

Firasbg_0-1659982213401.png

Firasbg_1-1659982396400.png

 

1902
0 Kudos
Toshi_Esumi
SuperUser
SuperUser
In response to Firasbg

Created on ‎08-08-2022 11:37 AM

Try sniffing traffic at the FGT while try accessing the cisco GUI. As long as it goes out from the interface connected to Cisco, the problem is not on the FGT side. 

1894
0 Kudos
Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.