Not applicable
Created on 08-09-2006 08:20 AM
use public IP in DMZ interface?
Can I use public IP (registered IP) for DMZ interface?
My planned settings:
Internal IP: 10.0.0.253/255.255.255.0
WAN: 202.85.10.57/255.255.255.248
DMZ: 202.85.10.49/255.255.255.248
Gateway: 202.85.10.62
We have the public IP range 202.85.10.49-61
and would like to separate WAN/DMZ into two segments.
I could get it to work on my old ServGate firewall,
but I still fail to set it up on my new FG60.
This is because I would like to use a fixed (public) IP for our mail server
no matter whether a user is accessing this server from the internal LAN or from the Internet.
Thanks.
You could make a separate VDOM and put it in transparent mode then create inter-vdom links (3.0 only). This is a mess though. A better option might be to just make a VIP to the server. Clients addressing the public IP address will get redirected to the private without an issue.
FCSE > FCNSP 2.8 > FCNSP 3.0
(Former) FCT
Not applicable
Created on 08-09-2006 06:54 PM
So, you are saying I can't just set our mail server to a public IP?
Then, if I set our mail server to a private IP 10.0.0.100 with the virtual IP setting
202.85.10.50 -> 10.0.0.100
can LAN users access the server by IP 202.85.10.50 instead of 10.0.0.100?
Just answering your first question.
Can I use public IP (registered IP) for DMZ interface?
My planned settings:
Internal IP: 10.0.0.253/255.255.255.0
WAN: 202.85.10.57/255.255.255.248
DMZ: 202.85.10.49/255.255.255.248
Yes, you can assign a public IP to whatever port on your FortiGate; you just assign the IP to the interface, define routes and create firewall policies for its traffic.
Actually, I could be wrong but I believe this will be a problem unless the ISP has assigned you 2 actual subnets. It looks more like you have one subnet from the ISP that you are trying to divide into 2 on your own. If this is true then the mask on the ISP router will be 255.255.255.240 and it will try to directly reply to the DMZ IP addresses rather than letting the FortiGate route to it.
Now if you have control of that router or a helpful ISP then you are fine.
FCSE > FCNSP 2.8 > FCNSP 3.0
(Former) FCT
Not applicable
Created on 08-10-2006 08:27 AM
I have tried to set this:
Internal IP: 10.0.0.253/255.255.255.0
WAN: 202.85.10.57/255.255.255.248
DMZ: 202.85.10.49/255.255.255.248
Gateway: 202.85.10.62
int->dmz, int->wan1, dmz->wan1 seem to work,
except I can't access the 202.85.10.50 mail server in the DMZ from the Internet.
I set a static NAT VIP "mailsvr" as wan1:202.85.10.50 -> 202.85.10.50
and a policy as wan1:all to dmz:"mailsvr".
If a public IP in the DMZ is impossible, then how about I set our mail server to a private IP 10.0.0.100 with the virtual IP setting
wan1:202.85.10.50 -> 10.0.0.100
can LAN users access the server by IP 202.85.10.50 instead of 10.0.0.100?
If you have a VIP from 202.85.10.50 -> 10.0.0.100, your internal users can connect to 202.85.10.50 and be NAT'd to 10.0.0.100 without a problem.
FCSE > FCNSP 2.8 > FCNSP 3.0
(Former) FCT
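A FortiGate CLI configuration for the VIP design described in the reply above, added here as an example; it is not from the thread or from Fortinet documentation. It assumes the ISP hands out a single /28 (202.85.10.48/28, gateway 202.85.10.62) rather than two /29s, a private DMZ subnet 10.0.1.0/24 with the mail server at 10.0.1.100 (both constructed), and the FG60 interface names wan1, dmz and internal; keyword details may differ on the FortiOS 3.0 that an FG60 ran.

```fortios
# Assumed: ISP block is one /28, so wan1 carries the ISP's real mask.
# The DMZ is private; the public address 202.85.10.50 lives only as a VIP.
config system interface
    edit "wan1"
        set ip 202.85.10.57 255.255.255.240
    next
    edit "dmz"
        set ip 10.0.1.253 255.255.255.0
    next
end
config router static
    edit 1
        set gateway 202.85.10.62
        set device "wan1"
    next
end
# One VIP per interface where 202.85.10.50 must be answered: wan1 for
# Internet clients, internal for LAN clients that use the same public IP.
config firewall vip
    edit "mailsvr_wan"
        set extintf "wan1"
        set extip 202.85.10.50
        set mappedip "10.0.1.100"
    next
    edit "mailsvr_int"
        set extintf "internal"
        set extip 202.85.10.50
        set mappedip "10.0.1.100"
    next
end
config firewall policy
    edit 1
        set srcintf "wan1"
        set dstintf "dmz"
        set srcaddr "all"
        set dstaddr "mailsvr_wan"
        set action accept
        set schedule "always"
        set service "SMTP"
    next
    edit 2
        set srcintf "internal"
        set dstintf "dmz"
        set srcaddr "all"
        set dstaddr "mailsvr_int"
        set action accept
        set schedule "always"
        set service "SMTP" "POP3" "IMAP"
    next
end
```

Policy 1 deliberately allows only SMTP from the Internet; policy 2 lets LAN users reach the same public address without the traffic leaving wan1, since the VIP on internal translates it before it is routed.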
Not applicable
Created on 08-10-2006 06:28 PM
Thanks, Fireshield.
I will try it.
The issue is that it's the same network, but one IP is not on WAN but on DMZ. With normal routing that's not possible at all, although there are some vendors that do tweaks...
You may try to activate "allow overlapping subnets" in the CLI and then give it a try. I've no clue if it works or not.
Maybe you can try Transparent mode (instead of Route mode). In case you need NAT you can do this in Transparent mode too (VIP).
-R.