Support Forum
Not applicable

use public IP in DMZ interface?

Can I use a public IP (registered IP) for the DMZ interface? My planned settings:
Internal IP: 10.0.0.253/255.255.255.0
WAN: 202.85.10.57/255.255.255.248
DMZ: 202.85.10.49/255.255.255.248
Gateway: 202.85.10.62
We have the public IP range 202.85.10.49-61 and would like to separate WAN/DMZ into two segments. I can get it to work on my old ServGate firewall, but I still fail to set it up on my new FG60. It is because I would like to use a fixed (public) IP for our mail server no matter whether a user is accessing this server from the internal LAN or from the Internet. Thanks.
8 replies
Fireshield
New Contributor

You could make a separate VDOM, put it in transparent mode and then create inter-VDOM links (3.0 only). This is a mess, though. A better option might be to just make a VIP to the server. Clients addressing the public IP address will get redirected to the private one without an issue.
FCSE > FCNSP 2.8 > FCNSP 3.0 (Former) FCT
Not applicable

So, you are saying I can't just set our mail server to a public IP? Then if I set our mail server to a private IP 10.0.0.100 with a virtual IP setting 202.85.10.50 -> 10.0.0.100, can LAN users access the server by IP 202.85.10.50 instead of 10.0.0.100?
javs
New Contributor

Just answering your first question:
Can I use a public IP (registered IP) for the DMZ interface? My planned settings:
Internal IP: 10.0.0.253/255.255.255.0
WAN: 202.85.10.57/255.255.255.248
DMZ: 202.85.10.49/255.255.255.248
Yes, you can assign a public IP to whatever port on your FortiGate; you just assign the IP to the interface, define routes and create firewall policies for its traffic.
Fireshield
New Contributor

Actually, I could be wrong, but I believe this will be a problem unless the ISP has assigned you 2 actual subnets. It looks more like you have one subnet from the ISP that you are trying to divide into 2 on your own. If this is true, then the mask on the ISP router will be 255.255.255.240 and it will try to reply directly to the DMZ IP addresses rather than letting the FortiGate route to them. Now, if you have control of that router or a helpful ISP, then you are fine.
FCSE > FCNSP 2.8 > FCNSP 3.0 (Former) FCT
Not applicable

I have tried to set this:
Internal IP: 10.0.0.253/255.255.255.0
WAN: 202.85.10.57/255.255.255.248
DMZ: 202.85.10.49/255.255.255.248
Gateway: 202.85.10.62
int->dmz, int->wan1 and dmz->wan1 seem to work, except that I can't access the 202.85.10.50 mail server in the DMZ from the Internet. I set a static NAT VIP "mailsvr" as wan1: 202.85.10.50 -> 202.85.10.50 and a policy wan1: all to dmz: "mailsvr". If a public IP in the DMZ is impossible, then how about I set our mail server to a private IP 10.0.0.100 with a virtual IP setting wan1: 202.85.10.50 -> 10.0.0.100? Can LAN users access the server by IP 202.85.10.50 instead of 10.0.0.100?
Fireshield
New Contributor

If you have a VIP from 202.85.10.50 -> 10.0.0.100, your internal users can connect to 202.85.10.50 and be NAT'd to 10.0.0.100 without a problem.
FCSE > FCNSP 2.8 > FCNSP 3.0 (Former) FCT
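The VIP-plus-policy setup Fireshield describes, written out as FortiOS CLI. This is an added example, not configuration posted in the thread. It assumes the mail server is moved to 10.0.0.100 on the internal interface as the poster proposed, that only SMTP is published (add the services the server really offers), and that the VIP name "mailsvr" is just a label; "edit 0" lets the unit assign policy IDs. Exact keywords differ slightly between FortiOS versions, so check them against the release you run.

```text
# VIP: the public address 202.85.10.50 stays on the wan1 segment and is
# translated to the mail server's private address. extintf "any" lets
# the same object match traffic arriving on wan1 and on internal.
# (Assumed object name and addresses follow the thread; not posted there.)
config firewall vip
    edit "mailsvr"
        set extip "202.85.10.50"
        set extintf "any"
        set mappedip "10.0.0.100"
    next
end

config firewall policy
    # Inbound from the Internet: destination is the VIP object, not the
    # server's private address, so the FortiGate performs the DNAT.
    edit 0
        set srcintf "wan1"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "mailsvr"
        set action accept
        set schedule "always"
        set service "SMTP"
    next
    # Hairpin for LAN users who address the server by its public IP.
    # "set nat enable" matters: without source NAT the server would reply
    # to the LAN client directly and the FortiGate would drop the
    # asymmetric reply, so the connection would hang.
    edit 0
        set srcintf "internal"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "mailsvr"
        set action accept
        set schedule "always"
        set service "SMTP"
        set nat enable
    next
end
```

Two things worth checking on the unit. First, a VIP answers ARP for its external address on the interface it is bound to (arp-reply is on by default), so the ISP router in Fireshield's /28 scenario reaches 202.85.10.50 on wan1 without any change on the ISP side; the separate DMZ subnet is simply no longer needed. Second, after applying the policies, test from a LAN host against 202.85.10.50 and from outside against the same address, and confirm with "diagnose sniffer packet internal 'host 10.0.0.100'" that the hairpinned packets arrive with a source address on the FortiGate rather than the LAN client.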
Not applicable

Thanks Fireshield I will try it.
red_adair
New Contributor III

The issue is that it's the same network, but one IP is not on WAN but on DMZ. With normal routing that's not possible at all, although there are some vendors that do tweaks... You may try to activate "allow overlapping subnets" in the CLI and then give it a try. I've no clue if it works or not. Maybe you can try Transparent mode (instead of Route mode). In case you need NAT, you can do this in Transparent mode too (VIP). -R.