rayha
New Contributor III

NAT webserver private ip address to a purchase public IP address issue

Hi all,

    

Really need someone's advice on this issue. Below is my network setup.

Network_diagram.png

 

      I had purchased a public static IP address 12.xxx.xxx.218 from my internet provider.

      I had a web server private IP address: 19.xxx.xxx.117. 

I need to NAT the private IP address 19.xxx.xxx.117 to the public static IP address 12.xxx.xxx.218 so that I only need to input 12.xxx.xxx.218 in a web browser over the internet to access my webserver.

In the end, I still cannot ping 12.xxx.xxx.218 after I did some NAT configuration inside the firewall.

      Below is my firewall setup for NAT:

    

                      This is the firewall Port 13 interface

LAN1.png

 

                This is the firewall Wan1 interface

Wan1.png

 

    I had created a Virtual IP named NUC Gateway

virtual IP.png

 

I had configured a LAN to WAN for internet access

- NAT is turned on

Wan-LAN.png

 

- I had created a WAN to LAN where I input my previously created virtual IP "NUC Gateway" and selected it in the Destination field

- I do not turn on NAT

LAN-WAN.png

Can anyone with experience of this setup advise what went wrong?

 

20 REPLIES
AEK
SuperUser

Hi Rayha

Your setup should work.

I'd check if really the public IP 12.x is mine.

To check this you can, for example, set it as a secondary WAN IP and then try to ping it from outside.

AEK
rayha
New Contributor III

Hi AEK,

 

I had tried putting it as a WAN secondary IP. I cannot ping the WAN secondary IP. According to my internet provider, they mentioned that this purchased public static IP address cannot be pinged, which I feel is strange. So now that I cannot ping it, does it mean this does not belong to me?

sw2090
Honored Contributor

hm in this setup you might need to portforward twice.

ISP Router has to forward 80/443 to your FGT and then the FGT needs a vip to forward those to your webserver. And this has to be destination in the corresponding policy.

-- 

"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams

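The FortiGate half of the forwarding described in this reply, sketched as FortiOS CLI (an added example, not posted by any participant in the thread). The interface names and the VIP name come from the original post; the addresses are placeholders and the policy name is hypothetical.

```fortios
# Added example. <PUBLIC_IP> and <WEBSERVER_IP> are placeholders for the
# masked 12.xxx.xxx.218 and 19.xxx.xxx.117 addresses in the original post.

# Static one-to-one VIP: traffic arriving on wan1 for the public address
# is destination-NATed to the web server.
config firewall vip
    edit "NUC Gateway"
        set extintf "wan1"
        set extip <PUBLIC_IP>
        set mappedip "<WEBSERVER_IP>"
    next
end

# WAN-to-LAN policy with the VIP as destination. Only HTTP and HTTPS are
# allowed, so nothing else on the server is exposed; source NAT stays off.
config firewall policy
    edit 0
        set name "wan-to-webserver"   # hypothetical policy name
        set srcintf "wan1"
        set dstintf "port13"
        set srcaddr "all"
        set dstaddr "NUC Gateway"
        set action accept
        set schedule "always"
        set service "HTTP" "HTTPS"
        set nat disable
        set logtraffic all
    next
end

# Check whether the ISP router is delivering anything for the public
# address to wan1 at all while a client outside tries to connect:
diagnose sniffer packet wan1 'host <PUBLIC_IP> and tcp port 443' 4
```

Because this policy permits only HTTP and HTTPS, a ping to the public address is not forwarded by it, so test with a browser rather than ICMP. If the sniffer shows no packets during that test, the traffic is being stopped before it reaches the FortiGate.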
AEK

Agree with you. I didn't notice the ISP router.

Bridge mode is also a solution. So you need to check how your ISP router is configured, or check with ISP if you don't have access to it.

AEK
rayha
New Contributor III

Hi,

 

Are you able to suggest how to do this, as I am totally new to FortiGate?

AEK

Configuration is to be done on ISP router, not on FGT. I think your ISP can help.

AEK
rayha
New Contributor III

Hi AEK,

I had no access to the ISP router. I had actually contacted the ISP side already and they mentioned their side has been configured correctly.

 

AEK

Hi Rayha

What do they mean by configured correctly? It can be configured in many ways.

If possible, they could share the configuration so you can deduce how to configure the FGT.

AEK
rayha
New Contributor III

Hi AEK,

      Good suggestion. I will see whether they can release such information for me.
