effendisusanto
New Contributor

LAN/WAN NAT configuration with Fortigate 90D

Hi All,


I have a problem with my implementation of the FortiGate 90D in my office.

My ISP gives me a /29 public IP block to be used for our servers; to reach the ISP network, they give me another network (the uplink network). I also want to create NAT for our staff. Is it possible to use the FortiGate 90D to accomplish this network plan?

I think it's quite a usual network diagram. I have already done it using MikroTik, but I want to replace the MikroTik with the FortiGate 90D.

Please give me your suggestions on how to configure the FortiGate 90D. (I use interface mode.)


9 REPLIES
gschmitt
Valued Contributor

VDOM in Transparent mode

effendisusanto
New Contributor

Thank you for your answer gschmitt, but I really don't get it at all: how to do a VDOM in transparent mode? Would you like to elaborate?

gschmitt

Start with this: https://www.youtube.com/watch?v=31MfllV3IwE but set one of the VDOMs to Transparent.

Create a VDOM Link and treat the NAT VDOM as "just another device behind the Transparent VDOM".

Here is how you deal with a Transparent FGT: https://www.youtube.com/watch?v=xF1uvfEIr3M


I can do a bigger how-to, but I need to get to my test device first :>

effendisusanto

I still don't have a clear understanding of how this approach will solve my problem, but you gave me quite an interesting keyword, "VDOM". I have plenty of things to try using this "VDOM". Thank you for your suggestion, I will try it first.


gschmitt

Okay, ignore what I said about VDOMs; I just looked at your IPs again.


You basically have your normal external IP range (222.222.221.112/28) and additional network (222.222.222.224/29) routed to your 222.222.221.113 IP?

In that case, simply give your internet-facing interface (wan) the 222.222.221.113/28 IP.

Give your dmz interface the IP 222.222.222.225 and give the clients in the dmz network IPs from the 222.222.222.224/29 network.

Create wan-to-dmz policies to access them.

effendisusanto

Network 222.222.221.112/28 is not ours. It is just the trunk to my ISP; we assigned 1 IP to connect our network (222.222.222.224/29) to the ISP's network. We can only do NAT from our network; we can't do it on the trunk network.

On the other hand, I have further questions based on your explanation:

1. About DMZ: does the FortiGate 90D have a DMZ interface?

2. How do I create NAT for my private network?


Thank you for the knowledge, Sir.

gschmitt

effendisusanto wrote:

Network 222.222.221.112/28 is not ours. It is just the trunk to my ISP; we assigned 1 IP to connect our network (222.222.222.224/29) to the ISP's network. We can only do NAT from our network; we can't do it on the trunk network.

On the other hand, I have further questions based on your explanation:

Okay, I am confused about your IP setup :\

1. About DMZ: does the FortiGate 90D have a DMZ interface?

The FortiGate 90D doesn't have a "dedicated" dmz interface. You can, however, simply use wan2 if it is not otherwise occupied.

You can also change the FortiGate from Switch to Interface mode, which makes all 14 interfaces standalone.

That way you can have 14 dmz interfaces if that's what you want :D http://docs-legacy.fortin...stallation.023.05.html

2. How do I create NAT for my private network?

On the policy going from the internal to the wan interface:

Go to Policy&Objects > Policy > IPv4 and expand your internal - wan1 section.

Double-click the policy in question.

Check NAT on.

By default you will Use Outgoing Interface Address as the NAT IP (the IP of wan1 in this case).

If you want to change that you can Use Dynamic IP Pool and select an IP pool.

You can create these in the dropdown menu or at Policy&Objects > Objects > IP Pools.
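The interface plan from the earlier reply (wan1 on the ISP trunk, wan2 as the DMZ holding the routed /29) and the NAT steps above, written out as FortiOS CLI. This is an added example and not configuration posted by anyone in the thread; the addresses from the thread are reused, while the internal LAN subnet (192.168.10.0/24 on internal1), the SNAT pool address (222.222.222.230, one host of the /29, as the original poster ended up doing), the ISP gateway placeholder and the FortiOS 5.x command syntax are assumptions.

```fortios
# Added example, not from the thread. Assumes FortiOS 5.x CLI on a 90D.
# Switch the internal ports to standalone interfaces (the "interface mode" the poster uses).
config system global
    set internal-switch-mode interface
end

config system interface
    edit "wan1"
        # One host of the ISP trunk /28; the trunk block itself is not ours.
        set ip 222.222.221.113 255.255.255.240
        set allowaccess ping
    next
    edit "wan2"
        # wan2 used as the DMZ; gateway of the /29 that the ISP routes to 222.222.221.113.
        set ip 222.222.222.225 255.255.255.248
        set allowaccess ping
    next
    edit "internal1"
        # Assumed private staff LAN.
        set ip 192.168.10.1 255.255.255.0
        set allowaccess ping
    next
end

config router static
    edit 1
        set dst 0.0.0.0 0.0.0.0
        # Placeholder: substitute the next-hop address the ISP gives you on the trunk.
        set gateway <ISP_GATEWAY_IP>
        set device "wan1"
    next
end

config firewall address
    edit "DMZ_SERVERS"
        set subnet 222.222.222.224 255.255.255.248
    next
    edit "LAN_PRIVATE"
        set subnet 192.168.10.0 255.255.255.0
    next
end

# Source-NAT pool taken from the /29, so staff traffic never leaves with the trunk IP.
config firewall ippool
    edit "SNAT_POOL"
        set type overload
        set startip 222.222.222.230
        set endip 222.222.222.230
    next
end

config firewall policy
    edit 1
        # Staff to internet: NAT enabled and bound to the pool instead of the wan1 address.
        set name "LAN_to_Internet_SNAT"
        set srcintf "internal1"
        set dstintf "wan1"
        set srcaddr "LAN_PRIVATE"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
        set ippool enable
        set poolname "SNAT_POOL"
        set logtraffic all
    next
    edit 2
        # Internet to DMZ servers: no NAT (the /29 is routed to us), only the published service.
        set name "Internet_to_DMZ"
        set srcintf "wan1"
        set dstintf "wan2"
        set srcaddr "all"
        set dstaddr "DMZ_SERVERS"
        set action accept
        set schedule "always"
        set service "HTTPS"
        set logtraffic all
    next
end
```

Policy 1 is the CLI equivalent of the GUI steps above with "Use Dynamic IP Pool" selected; leaving out `set ippool enable` and `set poolname` gives the default "Use Outgoing Interface Address" behaviour. Policy 2 deliberately narrows the inbound service and logs everything, so the public /29 is only reachable for what the servers actually publish; widen it per server rather than to `ALL`.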

effendisusanto
New Contributor

I stuck with your "VDOM" idea; it is great :D. I already changed the FG to interface mode since it is easier to manage (IMO). Currently I have made 2 VDOMs: the first VDOM is dedicated to my ip_public, and the second to my ip_private. As a consequence, I have to waste 1 public IP to be NAT-ed, but I think it's good enough :D. I will update my network scheme later.

Pradip

Hi Team,


Need help with the FortiGate configuration on a 200E product.

Scenario diagram:

5 VLANs need to be created; we have got a LAN /29 public IP pool from the ISP. So how do I manage these IPs across 5 VLAN subnets with DHCP IPs, DNS, etc.?
