Modem to Fortigate Port Forwarding VPN

Author
KuyaJerome
2018/11/18 21:48:21

Modem to Fortigate Port Forwarding VPN

Hi,
 
I am very new to firewalls, though I have configured some with the help of video tutorials. Now that we have one of our own, I'm planning to configure it for remote VPN so we can easily access our office files anywhere, especially when we're in the field, since we are IT service providers.
 
I followed the instructions from this link: https://www.youtube.com/watch?v=peDdJuuoLrU
 
But I think this only applies when we are using the Public IP of our ISP. I set the WAN IP as DHCP. Now, I need detailed instructions on how I can access our office LAN from outside using Remote VPN. I think I have to port forward the Public IP of our router to the DHCP IP of the Fortigate. And I have no idea how to do that. I hope there is someone I can talk to about this.
 
Thanks and best regards,
 
Jerome
#1

14 Replies

    Tim_86
    Re: Modem to Fortigate Port Forwarding VPN 2018/11/19 04:06:42
    Hi Jerome,
     
    Am I correct that you are using NAT on your modem to your Fortigate?
     
    You can configure SSL-VPN on a specific port like 10433.
    There is an entire topic about this in the cookbook on how to set up an SSL-VPN and a policy.
     
    If you are using NAT on your modem you'll need to forward the SSL-VPN port to the WAN address your Fortigate received from your modem.
     
    The most practical would be if your Fortigate received a public IP.
    This way you only have to follow the steps in the cookbook.
     
    Kind regards,
    Tim
    #2
    KuyaJerome
    Re: Modem to Fortigate Port Forwarding VPN 2018/11/19 19:00:01
    Hi Tim,
     
    Thank you very much for the quick reply. I have attached an image of our current setup. I hope this will clear it up. The link I provided from the cookbook uses the Public values of the router, so FortiClient can easily look up the IP of the Firewall. While on our side, we used DHCP for the Firewall.
     
    post edited by KuyaJerome - 2018/11/19 23:27:44
    #3
    Tim_86
    Re: Modem to Fortigate Port Forwarding VPN 2018/11/19 21:58:47
    Hi Jerome,
     
    This is quite simple once you get the hang of it :D
     
    Your modem hands your Forti an IP of 192.168.0.20.
    (Try to make it static or a reservation).
     
    The only thing you need to do is forward the SSL-VPN port from your modem to 192.168.0.20.
     
    You can change the port in the SSL-VPN settings to something like 8443 so it won't conflict with the web interface that runs on 443 (or change that).
     
    So in your modem you will forward port 8443 to 192.168.0.20 (all 8443 traffic will be forwarded to the gateway of your Fortigate).
    Your FortiClient can add a VPN profile that points to your WAN IP 124.105.x.x and port 8443.
    Out of safety precautions you might want to remove your real ISP IP.
     
    I see you've got your own DHCP/DNS server; the SSL-VPN has got its own IP range which VPN clients connect on.
    As long as your VPN clients point to the same DNS server, name resolution for the internal network shouldn't be a problem.
     
    I hope this makes it a bit clear, good luck!
     
    post edited by Tim_86 - 2018/11/19 22:02:43
    #4
    KuyaJerome
    Re: Modem to Fortigate Port Forwarding VPN 2018/11/19 23:42:32
    Hi Tim,
     
    Thank you again. I kind of understand now what you are trying to tell me. It's how am I going to add the port forwarding in the router. I have attached screenshots of the settings from our modem. Where am I going to add it? 
     
    I can still follow these instructions, right? https://cookbook.fortinet.com/ipsec-vpn-forticlient/ All I have to do now is just add the port forwarding from the modem? Or do I have another set of instructions to follow?

    Attached Image(s)

    #5
    Tim_86
    Re: Modem to Fortigate Port Forwarding VPN 2018/11/20 00:25:58
    Hi Jerome, 
     
    Isn't there a forwarding option under NAT?
     
    You might want to try SSL-VPN instead of IPSEC, you only need one forwarder for SSL-VPN.
    https://cookbook.fortinet.com/ssl-vpn-using-web-and-tunnel-mode-54/
     
    https://www.youtube.com/watch?v=IFqsfz6Bto0
     
    Just follow the steps 1. to 5. and install the FortiClient (just took a quick view).
    The steps beyond 5. you can replace with installing the FortiClient.
    The "listen on port" is the port SSL-VPN uses, this is the one you want to forward to the WAN of your Forti from your modem.
     
    I hope this gets you in the right direction.
     
    post edited by Tim_86 - 2018/11/20 00:33:42
    #6
    KuyaJerome
    Re: Modem to Fortigate Port Forwarding VPN 2018/11/20 00:38:43
    Hi Tim,
     
    Please see attached image again. What IP goes to where? I am very sorry for I am really new to this. And thank you for assisting me anyway. 
     
    And for the Predefined Bookmark, is this the IP of our Firewall? 

    Attached Image(s)

    #7
    Tim_86
    Re: Modem to Fortigate Port Forwarding VPN 2018/11/20 00:52:29
    I'm not really familiar with the interface of the device you are using.
    You might want to check Virtual Server? (This is a DMZ function most of the time).
    What type of modem are you using?
     
    #8
    KuyaJerome
    Re: Modem to Fortigate Port Forwarding VPN 2018/11/20 00:56:31
    It's a DSL Modem Tim. 
    #9
    KuyaJerome
    Re: Modem to Fortigate Port Forwarding VPN 2018/11/20 00:57:33
    It's a DSL Modem Tim. 
    #10
    Tim_86
    Re: Modem to Fortigate Port Forwarding VPN 2018/11/20 01:21:09
    But do you have a brand and model? 
     
    #11
    KuyaJerome
    Re: Modem to Fortigate Port Forwarding VPN 2018/11/20 01:26:36
    All I can get is from this link http://setuprouter.com/router/pldt/speedsurf-504an/manuals.htm. Can't find the model in the physical device either. 
    #12
    sw2090
    Re: Modem to Fortigate Port Forwarding VPN 2018/11/20 02:13:56
    Basically you have to look at two things:
     
    1) Is your DSL Modem in Bridge Mode or is it acting as a router? If it acts as a router (i.e. it does the internet dial-up) you need to do port forwarding for IPSEC to work. This would be Port 4500 UDP (NAT-T) and 500 UDP (IPSEC).
    If it is in bridge mode (i.e. your FGT does PPPOE on its WAN) you don't need to do port forwarding at all.
     
    2) An IPSec Tunnel always needs to have defined ends. If you have a dynamic IP on your WAN from your ISP it is better to use FQDN instead of IP in FortiClient. You could use Fortinet DynDNS Service for this. Otherwise you would always have to check for the current WAN IP of your FGT and then alter your FortiClient config before you start the Tunnel.
    #13
    KuyaJerome
    Re: Modem to Fortigate Port Forwarding VPN 2018/11/25 16:21:14
    Hi Tim,
     
    Good day! Do I have to setup any DDNS on the SSL-VPN config?
     
    Thank you very much! 
    #14
    KuyaJerome
    Re: Modem to Fortigate Port Forwarding VPN 2018/11/25 21:27:18
    I was able to make the port forwarding work. I tried using telnet to check if it works. 
    #15
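
The telnet check from the last post, taken one step further (an added example, not part of the original thread): telnet only shows that a TCP connection was accepted, so this sketch also attempts a TLS handshake to confirm that the SSL-VPN listener is what answers behind the modem's forward. The address 203.0.113.10 is a constructed placeholder for the modem's public IP; 8443 is the SSL-VPN port suggested earlier in the thread.

```python
import socket
import ssl

def check_forward(host, port, timeout=3.0):
    """Probe a forwarded TCP port as telnet would, then attempt a TLS handshake.

    Returns (tcp_state, tls_ok). tcp_state is "open", "refused" (reset received:
    nothing is listening behind the forward), "filtered" (timed out: no forward
    rule, or packets dropped) or "unreachable" (routing or name-resolution error).
    tls_ok is True only when the listener completes a TLS handshake, as an
    SSL-VPN portal does and an unrelated plain-text service does not.
    """
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except ConnectionRefusedError:
        return ("refused", False)
    except socket.timeout:
        return ("filtered", False)
    except OSError:
        return ("unreachable", False)

    # Reachability test only: certificate validation is switched off because the
    # gateway's certificate may not chain to a public CA. The VPN client itself
    # should still validate the certificate.
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with sock:
        try:
            with ctx.wrap_socket(sock):
                return ("open", True)
        except OSError:  # ssl.SSLError and handshake timeouts are OSError subclasses
            return ("open", False)

if __name__ == "__main__":
    # Constructed placeholder values: 203.0.113.10 stands in for the modem's
    # public IP; 8443 is the SSL-VPN port suggested in the thread.
    print(check_forward("203.0.113.10", 8443))
```

Run it from a network outside the office, since many modems do not loop forwarded ports back to inside clients. It covers only the TCP-based SSL-VPN port; the UDP 500/4500 forwards mentioned for IPsec cannot be verified with a TCP connect.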