Fortigate 60-E nat issues

Author
bennethos
New Member
  • Total Posts : 2
  • Scores: 0
  • Reward points: 0
  • Joined: 2018/03/18 14:14:18
  • Status: offline
2018/03/18 14:26:37 (permalink)
0

Fortigate 60-E nat issues

 
Hi,
 
I'm new to Fortinet and need some assistance getting the NAT to work.
I've got a modem/router in front of the FortiGate that is not bridged to the Fortinet, but I was able to "expose" all ports to the Fortinet. I configured 2 NAT rules (VIPs), one for SSH and one for RDP.
 
I guess I should start by sending you the config file? Would somebody be so kind as to share what you guys need to help me out?
 
thank you
#1


    ede_pfau
    Expert Member
    • Total Posts : 5752
    • Scores: 397
    • Reward points: 0
    • Joined: 2004/03/09 01:20:18
    • Location: Heidelberg, Germany
    • Status: offline
    Re: Fortigate 60-E nat issues 2018/03/19 04:25:13 (permalink)
    0
    hi,
    and welcome to the forums.
    You seem to have forgotten to state what your problem is.
    In one location I run a FGT as "exposed host" behind a NAT DSL router - no problems at all.

    Ede

    " Kernel panic: Aiee, killing interrupt handler!"
    #2
    Retro
    New Member
    • Total Posts : 2
    • Scores: 0
    • Reward points: 0
    • Joined: 2018/03/19 10:12:25
    • Location: London, UK
    • Status: offline
    Re: Fortigate 60-E nat issues 2018/03/19 10:33:03 (permalink)
    0
    Hi bennethos,
     
    When you say that you are not using a bridge, does that mean that you are using double NAT?
     
    - Retro
     
     
     
    #3
    bennethos
    New Member
    • Total Posts : 2
    • Scores: 0
    • Reward points: 0
    • Joined: 2018/03/18 14:14:18
    • Status: offline
    Re: Fortigate 60-E nat issues 2018/03/19 13:38:52 (permalink)
    0
     
     
    If you count the Fortinet VIPs I created as a 2nd NAT, then yes, I'm using double NAT.
    My problem is simple: I can't reach my hosts through port forwarding (exposed host) and the Fortinet VIPs.
     
     
    Internet
        |
    VDSL router/modem 192.168.178.254 (exposed all ports in this modem to the WAN 1 interface of the Fortinet)
        |
    WAN 1 192.168.178.253
        |
    Created a VIP for testing purposes:
     
    network interface WAN1
    Type STATIC NAT (can't change this)
    External IP: 192.168.178.253 (WAN1 IP, zone WAN)
    Internal IP: 192.168.1.22 (zone LAN)
    port 22 for all (external and map to = same)
     
    created policy from zone WAN to zone LAN for SSH port 22
     
    The problem is that I get a timeout and I need some help troubleshooting this.
     
    thank you
    #4
    brycemd
    Bronze Member
    • Total Posts : 47
    • Scores: 2
    • Reward points: 0
    • Joined: 2016/12/03 11:24:30
    • Status: offline
    Re: Fortigate 60-E nat issues 2018/03/19 14:58:23 (permalink)
    0
    "created policy from zone WAN to zone LAN for SSH port 22"
     
    Did you select the VIP as the destination? If you aren't familiar with FortiGate, it might make sense to create a regular firewall rule to allow the traffic. But, the destination needs to be the VIP itself.
     
    Other than that, try with 0.0.0.0 as the external IP in the VIP (this requires you to select an interface other than 'any').
    #5
    Itguy
    Bronze Member
    • Total Posts : 34
    • Scores: 2
    • Reward points: 0
    • Joined: 2016/03/15 09:48:49
    • Status: offline
    Re: Fortigate 60-E nat issues 2018/03/19 18:15:54 (permalink)
    0
    You either bridge the modem/router, or you run Fortinet in transparent mode.
     
    Simple really.
    #6
    ede_pfau
    Expert Member
    • Total Posts : 5752
    • Scores: 397
    • Reward points: 0
    • Joined: 2004/03/09 01:20:18
    • Location: Heidelberg, Germany
    • Status: offline
    Re: Fortigate 60-E nat issues 2018/03/25 02:39:15 (permalink)
    0
    This looks too complicated... As I posted, I run the same setup as you: FritzBox to the internet, LAN1 to WAN1 on the FGT, an intermediate network like your 192.168.1.x, "exposed host" on the FB. Works very well.
     
    Some hints:
     
    Check carefully that you have put the VIP as the destination address into the policy 'wan1' -> 'lan'.
     
    Do not specify a port translation even if it's port 22 to port 22. If you do, ping won't work (as it doesn't use ports) and you could have the impression that the VIP isn't working. Narrow down your security in the policy.
     
    Follow @brycemd's advice and use the wildcard '0.0.0.0' for the external address in the VIP. It will match whichever public IP the FB will have at any time.
     
    Let the FB do the DynDNS provisioning - it monitors the WAN line and will notify the DDNS server reliably.

    Ede

    " Kernel panic: Aiee, killing interrupt handler!"
    #7
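The following is an added editor's example, not something any poster in this thread wrote: it renders the VIP and policy that brycemd (#5) and Ede (#7) describe in FortiOS CLI form, followed by the standard FortiGate packet-sniffer and debug-flow commands for finding out where the SSH packets stop. The addresses and interface names (wan1, 192.168.178.253, 192.168.1.22) are the ones bennethos posted; the object names "vip-ssh-test" and "wan1-to-lan-ssh" are assumptions chosen for the example.

```text
# Added example, not from the thread. Assumed object names: "vip-ssh-test", "wan1-to-lan-ssh".
# Interface and address values are those given by the original poster.

config firewall vip
    edit "vip-ssh-test"
        set extintf "wan1"
        # 0.0.0.0 = match whatever address wan1 currently carries (the wildcard brycemd and Ede suggest);
        # 192.168.178.253 would work too, but the wildcard survives an address change
        set extip 0.0.0.0
        set mappedip "192.168.1.22"
        # no port translation: the whole address is mapped, so a ping reaches the host as well
        set portforward disable
    next
end

config firewall policy
    edit 0
        set name "wan1-to-lan-ssh"
        set srcintf "wan1"
        set dstintf "lan"
        set srcaddr "all"
        # the VIP object itself is the destination, not the internal host's address object
        set dstaddr "vip-ssh-test"
        set action accept
        set schedule "always"
        # PING alongside SSH only while proving the VIP works; drop it again afterwards
        set service "SSH" "PING"
        set logtraffic all
    next
end

# Checks to run on the FortiGate CLI while an SSH connection is attempted from outside.
# 1) Does the packet reach wan1 at all (did the modem's exposed-host rule pass it)?
diagnose sniffer packet wan1 'tcp port 22' 4

# 2) Which policy the FortiGate matched for it and what it did with the packet:
diagnose debug flow filter port 22
diagnose debug flow show function-name enable
diagnose debug flow trace start 10
diagnose debug enable
# reproduce the connection, read the trace, then switch the debugging off again:
diagnose debug disable
diagnose debug reset
```

If the sniffer on wan1 shows nothing, the problem is on the modem side (the exposed-host setting), not the VIP; if the packet arrives but the debug flow reports no matching policy, the VIP is not the destination of the wan1 -> lan policy, which is exactly the point both brycemd and Ede make.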