Support Forum
papapuff
New Contributor II

Make internal Web Server accessible to outside using WAN with NAT (private IP)

hi there,

I need advice and guidance.

I've created a virtual IP and its group,

and already set up DDNS for my WAN connection.

The policy is also already created.

I tried to enter the web address (the DDNS ID I've registered), but the page is not found.

Am I missing something?

My internet connection is behind NAT.

Thank you.

2 Solutions
lobstercreed
Valued Contributor

I'm afraid you're missing the point from the other thread. It is impossible to route across the Internet to a private IP address. There are millions of networks that use the same private addressing, so how could the routers of the Internet know where to deliver that particular traffic? They can't, and by design they drop that traffic (RFC 1918).

You HAVE to have a public IP address if you want to be able to remotely access anything (SSL VPN, IPsec VPN, DDNS, etc.). If your ISP won't give you a public IP, maybe they can port-forward for you as I described on your other post. That's the only way it can work... fundamentals of the Internet here.


ede_pfau
Esteemed Contributor III

Just in case you DO get a public address but just not on the WAN port of the FGT...

Then it would matter how the internet router hands down traffic to the FGT. Most preferably it would be called "exposed host" or such, effectively forwarding all traffic to the FGT's WAN port. You would then use a VIP on the WAN interface to NAT traffic to an internal target.


Ede

"Kernel panic: Aiee, killing interrupt handler!"

papapuff
New Contributor II

hi there,

thanks for the answers.

I've asked; the provider can't forward the port. And yes, Ede_pfau, I got what you mean, thanks for the reminder.

Well, so there is no way to publish an internal web server where there is no public address. I thought that by setting "use ip public" in the DNS menu, the FortiGate could somehow convert a private IP to a public IP.

thanks all for the help.

Dave_Hall
Honored Contributor

@Pengguna

 

Re your original post: setting up DDNS requires you to register with a DDNS provider and possibly set up DNS records too. I like using Fortinet's own DDNS service as it seems to be automatic (when using a FGT device), e.g.

    config system ddns
        edit 1
            set ddns-server FortiGuardDDNS
            set ddns-domain "server-hostname.fortiddns.com"
            set monitor-interface "wan1"
        next
    end

Things to keep in mind: it takes time for DNS records to propagate, so I suggest using an online ping service to test that the FQDN resolves to your current IP.

And if your web server is going to be behind your FGT device, you will need to change the default port access to your FGT device (e.g. port 80 and/or port 443), then set up port forwards on the WAN interface -> internal static IP:80 (or internal static IP:443) if you want to use standard HTTP/HTTPS web port access.

Admin port access is changed via

    config system global
        set admin-port <port_number>
        set admin-sport <port_number>
    end

Personally, if you are going to expose an internal web server in such a manner, I advise putting the web server in a DMZ zone and thinking hard about what other security or UTM measures to put in place.

NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C
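Pulling the steps from the replies above together, here is a worked FortiOS CLI configuration. It is an added example, not posted by anyone in this thread and not Fortinet documentation. It assumes that wan1 actually holds a public address (or, as ede_pfau describes, the upstream router passes all inbound traffic to wan1 as an "exposed host"), that the web server sits on an interface named "dmz" at 10.10.10.20, and that the VIP, policy and profile names shown are free to use; all of those names and addresses are assumptions. Before configuring any of it, run `get system interface physical` and look at what wan1 holds: a 10.0.0.0/8, 172.16.0.0/12 or 192.168.0.0/16 address, or a 100.64.0.0/10 carrier-grade NAT address (RFC 6598, which ISPs that will not hand out a public IP commonly assign), means lobstercreed's answer applies and no VIP on the FortiGate can make the server reachable.

```fortios
# Added example (not from the thread). Assumes: wan1 is the Internet-facing
# interface with a public or upstream-forwarded address, the web server is
# 10.10.10.20 on interface "dmz", and the object names below are unused.

# 1. DDNS: keep the FQDN pointing at whatever address wan1 currently has.
config system ddns
    edit 1
        set ddns-server FortiGuardDDNS
        set ddns-domain "server-hostname.fortiddns.com"
        set monitor-interface "wan1"
    next
end

# 2. Rather than only moving the admin port, take admin access off the WAN
#    side altogether; manage the unit from the LAN or over VPN. Run this from
#    the LAN side: it will drop an admin session that came in via wan1.
config system interface
    edit "wan1"
        set allowaccess ping
    next
end

# 3. VIP: forward only TCP/443 arriving on wan1 to the server. extip 0.0.0.0
#    makes the VIP use wan1's current (dynamic) address, which is what you
#    want behind DDNS. One VIP per exposed port; no "all ports" VIP.
config firewall vip
    edit "vip-web-https"
        set extintf "wan1"
        set extip 0.0.0.0
        set mappedip "10.10.10.20"
        set portforward enable
        set protocol tcp
        set extport 443
        set mappedport 443
    next
end

# 4. Policy: wan1 -> dmz, destination is the VIP object (never "all"), service
#    limited to HTTPS, full logging, IPS sensor for a public web server.
#    "protect_http_server" and "certificate-inspection" are profile names
#    shipped with FortiOS; confirm they exist on your firmware before use.
config firewall policy
    edit 0
        set name "inbound-web-https"
        set srcintf "wan1"
        set dstintf "dmz"
        set srcaddr "all"
        set dstaddr "vip-web-https"
        set action accept
        set schedule "always"
        set service "HTTPS"
        set utm-status enable
        set ssl-ssh-profile "certificate-inspection"
        set ips-sensor "protect_http_server"
        set logtraffic all
    next
end
```

Test from outside your own network (a phone on mobile data, not a LAN client): a LAN client resolving the DDNS name gets wan1's address and will fail unless a separate internal-to-VIP (hairpin) policy exists, which looks exactly like the "page not found" in the question even when the inbound path is fine. While connecting from outside, `diagnose sniffer packet wan1 'tcp port 443' 4` shows whether the SYN reaches wan1 at all; if nothing arrives, the problem is upstream of the FortiGate (no public address, or the upstream router not forwarding), not in the VIP or policy.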